www.errorplace.com redirect



#1 greatpf


Posted 18 May 2004 - 11:08 PM

I keep getting redirected to www.errorplace.com; a typical redirect address is below. I have run Ad-aware 6.0, which finds roings and gets rid of it, only to have it come back. I have run Spybot 1.3, and I have also run Pest Patrol. Nothing works! Please help remove this spyware.

Here is the redirected address

http://www.errorplac...=&q=doubleclick

Any and all help would be much appreciated

#2 Wiskonst


Posted 19 May 2004 - 07:48 AM

Greatpf

Please download CWShredder and Hijack This and unzip them to a permanent folder.

Run CWShredder in Windows Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode') while no other programs are running. Hit the Fix button, not the Scan button, and let it finish.

Boot to normal mode again and post a Hijack This log (click Scan and when the log is shown click the same button to save the log).
_______
Wiskonst

#3 greatpf


Posted 19 May 2004 - 10:16 AM

I am at work; the problem is on my home PC. I will do what you suggest tonight. Thank you for your time.

#4 greatpf


Posted 19 May 2004 - 08:55 PM

I ran CWShredder in Safe Mode and it found nothing wrong. Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:42:55 PM, on 5/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\GEARSEC.EXE
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\miscellaneous\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1224BD74-F586-4C9C-9BE3-56E68E22F843} - C:\Program Files\BrowserVillage\SideBarBHO.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {625B89D4-7C73-4C5E-B9CB-B0E71785A357} - C:\WINNT\qysgldxxz.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: BrowserVillage (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Bridge - http://download.game...nts/y/bs0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.yaho...nts/y/ks0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/cs0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.yaho...s/y/flts0_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grs0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/posg_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.yaho...ts/y/ywr3_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/ws1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap...loads/cpuid.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7874.9577083333
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...lim/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macrom...abs/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/budicon.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...3/bin/imvid.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c.../yiebio4025.cab

Thanks again for your time.

greatpf

#5 greatpf


Posted 21 May 2004 - 08:04 PM

Hi Wiskonst,

I did what you asked, and I was hoping you could take a look. I am even getting redirected when I come to this site; I had to use Mozilla to get here with no problems.

Thanks ahead of time for your assistance,

greatpf

#6 Wiskonst


Posted 22 May 2004 - 04:22 AM

Greatpf

Sorry for not answering sooner. I have been quite busy.

Could you download The Cleaner trojan scanner and do a scan with it? Let it fix all it finds.

Then fix from Hijack This the following lines if they are still there after the scan:

O2 - BHO: (no name) - {1224BD74-F586-4C9C-9BE3-56E68E22F843} - C:\Program Files\BrowserVillage\SideBarBHO.dll (file missing)
O2 - BHO: (no name) - {625B89D4-7C73-4C5E-B9CB-B0E71785A357} - C:\WINNT\qysgldxxz.dll
O9 - Extra button: BrowserVillage (HKLM)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...lim/install.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/budicon.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab

Do this by closing all browser windows, placing a checkmark before the above items and clicking the Fix-button.

Set Explorer to display hidden files and delete this file:
- C:\WINNT\qysgldxxz.dll
If the file cannot be deleted because it is in use, delete it in Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode').
_______
Wiskonst
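
The "if they are still there after the scan" check from the post above, as an added example that is not part of the original thread: it compares the fix list against a later HijackThis log, matching entries by section code and CLSID rather than by the whole line. The rescan log is constructed for illustration, and the function names are hypothetical.

```python
import re

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# The seven lines listed in the post, copied as they appear (URLs are truncated on the page).
FIX_LIST = r"""
O2 - BHO: (no name) - {1224BD74-F586-4C9C-9BE3-56E68E22F843} - C:\Program Files\BrowserVillage\SideBarBHO.dll (file missing)
O2 - BHO: (no name) - {625B89D4-7C73-4C5E-B9CB-B0E71785A357} - C:\WINNT\qysgldxxz.dll
O9 - Extra button: BrowserVillage (HKLM)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...lim/install.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/budicon.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
""".strip().splitlines()

# Constructed sample of a later scan (not from the thread): two fix-list entries remain,
# one of them with a changed trailing note and a lower-case CLSID.
RESCAN = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {625b89d4-7c73-4c5e-b9cb-b0e71785a357} - C:\WINNT\qysgldxxz.dll (file missing)
O9 - Extra button: BrowserVillage (HKLM)
O9 - Extra button: AIM (HKLM)
"""

def entry_key(line):
    """Return (section code, identifier) for an entry line, or None for other lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID.search(body)
    # Prefer the CLSID: paths and "(file missing)" notes can differ between scans.
    ident = clsid.group(0).upper() if clsid else body.strip().lower()
    return (m.group("code"), ident)

def still_present(fix_lines, new_log):
    """Return the fix-list lines whose entry still appears in a later log."""
    seen = {entry_key(l) for l in new_log.splitlines()} - {None}
    return [l for l in fix_lines if entry_key(l) in seen]

if __name__ == "__main__":
    for line in still_present(FIX_LIST, RESCAN):
        print("still present:", line)
```
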

#7 greatpf


Posted 23 May 2004 - 03:04 AM

Hi Wiskonst,

I apologize if I seemed impatient in my last note. I was having a lot of trouble and I was hoping you would get back to me soon. I never thought about the fact that your help is all volunteer and you get to it when you can. Any help any time is always welcome!!!!!

Anyhow, your suggestions worked like a charm. The Cleaner did not find anything; the HijackThis fixes you recommended did the trick. I could not delete the hidden file because it was not there.

THANK-YOU VERY VERY MUCH, errorplace is gone!!!!

greatpf

#8 dave38


Posted 23 May 2004 - 03:49 AM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!