Jump to content


Photo

Wingding virus?


  • Please log in to reply
10 replies to this topic

#1 ace344

ace344

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 16 June 2004 - 09:54 PM

I am running windows xp home. I ran ad-aware and hijackthis. Now I cannot read anything because all the text is in wingdings (block and and dots). What can I do? Any help would Help a LOT Thanks

#2 Charybdis

Charybdis

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 June 2004 - 10:08 PM

Hello Ace, first thing, download cwshredder and run it
http://www.spywarein.../cwshredder.zip
Then for us to help you you need to post your Hijack this log.
Open Hijack this click scan and then click save log, then post your log.

#3 ace344

ace344

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 16 June 2004 - 10:14 PM

I will try that cw shredder. Here it is

Logfile of HijackThis v1.97.7
Scan saved at 10:25:37 PM, on 6/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.YOUR-IUS67OE9U6\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - (no file)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - (no file)
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - (no file)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbclick.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CCPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CCPDPSRV.EXE
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [JXFPZHUCM] C:\WINDOWS\JXFPZHUCM.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Zubyl.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [gzctwxqb] C:\WINDOWS\gzctwxqb.exe
O4 - HKLM\..\Run: [xmlmh] C:\WINDOWS\xmlmh.exe
O4 - HKLM\..\Run: [rreg] C:\Program Files\Common Files\System\rreg.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\Update\WToolsA.exe update
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\uofqiej.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\phsfmgp.exe
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [orcx] C:\WINDOWS\orcx.exe
O4 - HKLM\..\Run: [mfwpsv] C:\WINDOWS\mfwpsv.exe
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain
O4 - HKLM\..\Run: [dmredirv] C:\WINDOWS\System32\dmredirv.exe
O4 - HKLM\..\Run: [spmspm] C:\WINDOWS\System32\spmspm.exe
O4 - HKLM\..\Run: [ompactc] C:\WINDOWS\System32\ompactc.exe
O4 - HKLM\..\Run: [0541] C:\WINDOWS\System32\0541.exe
O4 - HKLM\..\Run: [ingp] C:\WINDOWS\System32\ingp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {4226E9B7-D637-40E8-893A-13298AB41477} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://downloads.aaa...tandard_acx.exe
O16 - DPF: {B10031B2-F184-4803-9A88-D239C0641D70} (180SAInstaller Class) - http://ax.180solutio...SAInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab

#4 ace344

ace344

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 16 June 2004 - 10:27 PM

I ran cw shredder. I can see some of the text and it says:

Done! Removed from your system
CWS.search.X
3Infected IE registry values.

#5 ace344

ace344

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 16 June 2004 - 10:27 PM

I ran cw shredder. I can see some of the text and it says:

Done! Removed from your system
CWS.search.X
3Infected IE registry values.

#6 Charybdis

Charybdis

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 June 2004 - 10:33 PM

With adaware you need to update it, then you need to run it then click scan now, then customize, then put ticks in t he boxes next to scan hosts and favourites, then let it scan.

Then you need some antivirus software
Try
http://www.grisoft.c...s_dwnl_free.php
after that repost your log, you are definately infected by several viruses
after that we will do a hijack this cleanup

Edited by Charybdis, 16 June 2004 - 10:35 PM.


#7 ace344

ace344

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 16 June 2004 - 10:39 PM

Remember that it is slow go with the wingding fonts. I updated ad-aware and ran it. It fing over 500 item and says it cleaned them. After a reboot you can run it again and it will find the same amount. It is kinda stuck in a loop. I disabled system restore so that should not be a problem. I would post my log file again but you could not read it. It is boxes and dots. I will try running AVG again.

#8 Charybdis

Charybdis

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 17 June 2004 - 01:38 AM

Well, going through this stuff, you definitely have a virus or three and are full of spyware.
Download and install spybot s&d
http://security.kolla.de/

Teh restart you're computer in safe mode
to do this you hit f8 just as windows starts booting, i find it easier if u keep tapping f8 after the hdd detection as fast computers can fly past this point.

Then Run adaware, cwshredder and spybot s&d

then remove these with Hijack This


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - (no file)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbclick.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - (no file)
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - (no file)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbclick.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [JXFPZHUCM] C:\WINDOWS\JXFPZHUCM.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Zubyl.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [gzctwxqb] C:\WINDOWS\gzctwxqb.exe
O4 - HKLM\..\Run: [xmlmh] C:\WINDOWS\xmlmh.exe
O4 - HKLM\..\Run: [rreg] C:\Program Files\Common Files\System\rreg.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\Update\WToolsA.exe update
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\uofqiej.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\phsfmgp.exe
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [orcx] C:\WINDOWS\orcx.exe
O4 - HKLM\..\Run: [mfwpsv] C:\WINDOWS\mfwpsv.exe
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain
O4 - HKLM\..\Run: [dmredirv] C:\WINDOWS\System32\dmredirv.exe
O4 - HKLM\..\Run: [spmspm] C:\WINDOWS\System32\spmspm.exe
O4 - HKLM\..\Run: [ompactc] C:\WINDOWS\System32\ompactc.exe
O4 - HKLM\..\Run: [0541] C:\WINDOWS\System32\0541.exe
O4 - HKLM\..\Run: [ingp] C:\WINDOWS\System32\ingp.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF:
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://downloads.aaa...tandard_acx.exe
O16 - DPF: {B10031B2-F184-4803-9A88-D239C0641D70} (180SAInstaller Class) - http://ax.180solutio...SAInstaller.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab



then open my computer
go to C:\Program Files\Common Tools

and delete the wintools folder and restart your computer and repost your log if you can.

#9 ace344

ace344

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 17 June 2004 - 08:56 PM

All text is still in wingdings. I followed you instructions and here is what i found:

Logfile of HijackThis v1.97.7
Scan saved at 8:54:37 PM, on 6/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\Documents and Settings\THOMAS\Desktop\back\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe

#10 Charybdis

Charybdis

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 20 June 2004 - 06:28 PM

Well all thats left is the wintools problems and the wingdings problem.

With wintools you have to boot to safe mode

then run hijack this and remove these.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

Then while still in safe mode you have to delete the wintools folder from
C:\Program Files\Common files

empty your recycle bin.
set your homepage to www.yahoo.com or the like and restart your computer.

#11 ace344

ace344

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 20 June 2004 - 08:55 PM

Well thanks for all the help. That still did not get my text out of wingdings. I just decided to do a compaq restore and now it is working fine. Again, thanks for all of your help!!!!!!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button