I'm so clueless i need help!



#1 Kerhelp

Posted 20 June 2004 - 02:48 AM

i've had a similar problem to the several listed where
a new variant of CWS makes your homepage something
like res:\\(gibberish) and several random gibberish programs
run in the background, well i've tried to fix the problem via the guidelines
listed in several threads and my real problem is when
i try to access "Network Security Service" it says
it cannot be found when i double click on it. i fear i might have
deleted something like that trying to get rid of the bad
files on my computer. is there any way i can reverse this
or download it from somewhere?

i know i'm a stupid and clueless girl, any help i'd greatly appreciate!

#2 nellie2

Posted 20 June 2004 - 08:08 AM

Hello Kerhelp

Could you download hijackthis from here, make sure you save it to its own folder somewhere like My Documents. Double click on the hijackthis exe and then click the scan button. DO NOT fix anything; most of what it lists is useful and even essential to the running of your pc. In a little while the scan button will change to 'save log'. Click it and you will be prompted to save the log. When you do this a notepad file will pop up; copy and paste the contents of the notepad as a reply to this thread.

#3 Kerhelp

Posted 20 June 2004 - 11:53 PM

thanks for the info, here's what i got from the scan:

Logfile of HijackThis v1.97.7
Scan saved at 12:48:57 AM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\KIMBER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
O2 - BHO: (no name) - {1BF99432-062E-70AF-0CDB-DD7B52B34282} - C:\WINDOWS\atlqr32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx



i went through several in the past with all the backups saved, each time i did fix it in the past, it would come up with a new res://c:\windows\(gibberish) and a new .dll file, thank you for helping me though, any advice?

#4 nellie2

Posted 21 June 2004 - 02:25 PM

Kerhelp you have a very small hijack log... if you have used hijackthis to fix some things can you restore the backups please!!

Open hijackthis, click on 'config' then 'backups' then 'restore backups' once you have done that, reboot and run hijackthis again and post a fresh log please.... then we will see about getting your pc cleaned up! :)

#5 Kerhelp

Posted 21 June 2004 - 10:52 PM

i see why it was so short, i had some objects on "ignore"
from awhile back. about the backups though, each time
i'd get backup files thrown on my desktop (my hijackthis.exe
is on the desktop), i'd put them in a folder i created there named
"backups" and i don't know how to restore those. besides that,
here's the new hijackthis log with no items on ignore:

Logfile of HijackThis v1.97.7
Scan saved at 11:48:56 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\KIMBER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
O2 - BHO: (no name) - {1BF99432-062E-70AF-0CDB-DD7B52B34282} - C:\WINDOWS\atlqr32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

thanks for your help! this forum is awesome

#6 dave38

Posted 22 June 2004 - 04:26 PM

So that backups can be restored, it is essential that they are in the same folder as the actual program file. Running it from the desktop, the backups will create a lot of icons. I suggest that you make a new folder on your drive, such as c:\HJT, and move the Hijack this program into it before running it again.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!

#7 nellie2

Posted 23 June 2004 - 02:17 PM

Hi Kerhelp

You sort of have half a problem..... I'm expecting to see some bad files there but they are nowhere to be seen... I'm hoping you have already sorted them out. I have a tool we can use... let's see how it goes!

First of all it is important that you put hijack this into a folder as Dave38 explained.

Then download this tool called about:buster from
http://tools.zerosre...AboutBuster.zip or
http://www.downloads...AboutBuster.zip

Unzip it to your desktop.
Now start Hijack this and tick the box next to this item..
O2 - BHO: (no name) - {1BF99432-062E-70AF-0CDB-DD7B52B34282} - C:\WINDOWS\atlqr32.dll (file missing)

Now close ALL windows and hit fix checked.

Do not open internet explorer to come back here until after running this tool.
Start about:buster and hit start. In the first white box input this - starting with
res://C:\WINDOWS\gcyyu.dll/sp.html#96676

Next click Ok and allow the program to run. After it runs copy its report and paste it back into this thread.
Restart your computer and post the report and a new Hijack this log.
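
Added example, not part of the original thread and not HijackThis's own code: a small Python triage of the log format posted above, flagging the two things the helpers single out (Internet Explorer page values served from a res:// DLL, and a BHO whose file is missing). The sample lines are copied from the log in this thread; the function names are hypothetical.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gcyyu.dll/sp.html#96676
O2 - BHO: (no name) - {1BF99432-062E-70AF-0CDB-DD7B52B34282} - C:\WINDOWS\atlqr32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                 # e.g. "R1 - ..."
RES_DLL = re.compile(r"^res://([^/]+\.dll)/", re.IGNORECASE)   # res://<dll path>/page
BHO = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$")

def parse_entries(log_text):
    """Return (code, body) per log entry; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log_text):
    """Flag entries for human review; nothing is judged malicious automatically."""
    findings = []
    for code, body in parse_entries(log_text):
        if code.startswith("R") and " = " in body:
            key, value = body.split(" = ", 1)
            m = RES_DLL.match(value.strip())
            if m:  # IE page setting is served out of a DLL on the local disk
                findings.append({"code": code, "key": key, "dll": m.group(1),
                                 "reason": "IE page value points at a res:// DLL"})
        elif code == "O2":
            m = BHO.match(body)
            if m and m.group(3):  # BHO still registered, file no longer on disk
                findings.append({"code": code, "key": m.group(1), "dll": m.group(2),
                                 "reason": "BHO registered but file missing"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']}: {f['reason']}: {f['dll']} ({f['key']})")
```
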



