mailman336

another person with http:/mypoiskovik.com problems

4 posts in this topic

I've got a problem with a hijacker called http://mypoiskovik.com. I've seen other posts with this problem, but I guess I should send you my own HJT log.

 

I use adaware often and it just doesn't seem to see this one.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 6:40:11 PM, on 6/22/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Internet Explorer\IEengine.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)

F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcpack.exe

O1 - Hosts: 206.161.200.105 auto.search.msn.com

O1 - Hosts: 206.161.200.105 sitefinder.verisign.com

O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com

O1 - Hosts: 206.161.200.105 www.your.com

O1 - Hosts: 206.161.200.105 your.com

O1 - Hosts: 206.161.200.103 www.smutserver.com

O1 - Hosts: 206.161.200.103 www1.smutserver.com

O1 - Hosts: 206.161.200.103 www2.smutserver.com

O1 - Hosts: 206.161.200.103 www3.smutserver.com

O1 - Hosts: 206.161.200.103 www4.smutserver.com

O1 - Hosts: 206.161.200.103 www5.smutserver.com

O1 - Hosts: 206.161.200.103 www6.smutserver.com

O1 - Hosts: 206.161.200.103 www7.smutserver.com

O1 - Hosts: 206.161.200.103 www8.smutserver.com

O1 - Hosts: 206.161.200.103 www9.smutserver.com

O1 - Hosts: 206.161.200.103 www10.smutserver.com

O1 - Hosts: 206.161.200.103 www11.smutserver.com

O1 - Hosts: 206.161.200.103 www12.smutserver.com

O1 - Hosts: 206.161.200.103 www13.smutserver.com

O1 - Hosts: 206.161.200.103 www14.smutserver.com

O1 - Hosts: 206.161.200.103 www15.smutserver.com

O1 - Hosts: 206.161.200.103 www16.smutserver.com

O1 - Hosts: 206.161.200.103 www17.smutserver.com

O1 - Hosts: 206.161.200.103 www18.smutserver.com

O1 - Hosts: 206.161.200.103 www19.smutserver.com

O1 - Hosts: 206.161.200.103 www20.smutserver.com

O1 - Hosts: 206.161.200.103 www21.smutserver.com

O1 - Hosts: 206.161.200.103 www22.smutserver.com

O1 - Hosts: 206.161.200.103 www23.smutserver.com

O1 - Hosts: 206.161.200.103 www24.smutserver.com

O1 - Hosts: 206.161.200.103 www25.smutserver.com

O1 - Hosts: 206.161.200.103 www26.smutserver.com

O1 - Hosts: 206.161.200.103 www27.smutserver.com

O1 - Hosts: 206.161.200.103 www28.smutserver.com

O1 - Hosts: 206.161.200.103 www29.smutserver.com

O1 - Hosts: 206.161.200.103 www30.smutserver.com

O1 - Hosts: 206.161.200.103 www31.smutserver.com

O1 - Hosts: 206.161.200.103 www32.smutserver.com

O1 - Hosts: 206.161.200.103 www.kinghost.com

O1 - Hosts: 206.161.200.103 kinghost.com

O1 - Hosts: 206.161.200.103 www1.kinghost.com

O1 - Hosts: 206.161.200.103 www2.kinghost.com

O1 - Hosts: 206.161.200.103 www3.kinghost.com

O1 - Hosts: 206.161.200.103 www4.kinghost.com

O1 - Hosts: 206.161.200.103 www5.kinghost.com

O1 - Hosts: 206.161.200.103 www6.kinghost.com

O1 - Hosts: 206.161.200.103 www7.kinghost.com

O1 - Hosts: 206.161.200.103 www8.kinghost.com

O1 - Hosts: 206.161.200.103 www9.kinghost.com

O1 - Hosts: 206.161.200.103 www10.kinghost.com

O1 - Hosts: 206.161.200.103 www1.ndhosting.com

O1 - Hosts: 206.161.200.103 www3.ndhosting.com

O1 - Hosts: 206.161.200.103 www2.ndhosting.com

O1 - Hosts: 206.161.200.103 www.ndhosting.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [iEengine] C:\Program Files\Internet Explorer\IEengine.exe

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Web Search - c:\winnt\ex.htm

O9 - Extra button: AIM (HKLM)

O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7943.7591319444

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab


mypoiskovik.com can infect your system in many ways. To remove it, please follow the procedure listed below:

  1. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  2. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  3. Run hijackthis and put a check next to these entries and then FIX checked after ALL other windows are closed (including this one):

  4. In HijackThis, make sure that none of the following entries are present, if they are, remove them as well:

  • O4 - HKCU\..\Run: [iEengine] C:\Program Files\Internet Explorer\IEengine.exe
  • O4 - Global Startup: winlogin.exe
  • O4 - HKCU\..\Run: [dllhelp] c:\windows
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcpack.exe
    O1 - Hosts: 206.161.200.105 auto.search.msn.com
    O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
    O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
    O1 - Hosts: 206.161.200.105 www.your.com
    O1 - Hosts: 206.161.200.105 your.com
    O1 - Hosts: 206.161.200.103 www.smutserver.com
    O1 - Hosts: 206.161.200.103 www1.smutserver.com
    O1 - Hosts: 206.161.200.103 www2.smutserver.com
    O1 - Hosts: 206.161.200.103 www3.smutserver.com
    O1 - Hosts: 206.161.200.103 www4.smutserver.com
    O1 - Hosts: 206.161.200.103 www5.smutserver.com
    O1 - Hosts: 206.161.200.103 www6.smutserver.com
    O1 - Hosts: 206.161.200.103 www7.smutserver.com
    O1 - Hosts: 206.161.200.103 www8.smutserver.com
    O1 - Hosts: 206.161.200.103 www9.smutserver.com
    O1 - Hosts: 206.161.200.103 www10.smutserver.com
    O1 - Hosts: 206.161.200.103 www11.smutserver.com
    O1 - Hosts: 206.161.200.103 www12.smutserver.com
    O1 - Hosts: 206.161.200.103 www13.smutserver.com
    O1 - Hosts: 206.161.200.103 www14.smutserver.com
    O1 - Hosts: 206.161.200.103 www15.smutserver.com
    O1 - Hosts: 206.161.200.103 www16.smutserver.com
    O1 - Hosts: 206.161.200.103 www17.smutserver.com
    O1 - Hosts: 206.161.200.103 www18.smutserver.com
    O1 - Hosts: 206.161.200.103 www19.smutserver.com
    O1 - Hosts: 206.161.200.103 www20.smutserver.com
    O1 - Hosts: 206.161.200.103 www21.smutserver.com
    O1 - Hosts: 206.161.200.103 www22.smutserver.com
    O1 - Hosts: 206.161.200.103 www23.smutserver.com
    O1 - Hosts: 206.161.200.103 www24.smutserver.com
    O1 - Hosts: 206.161.200.103 www25.smutserver.com
    O1 - Hosts: 206.161.200.103 www26.smutserver.com
    O1 - Hosts: 206.161.200.103 www27.smutserver.com
    O1 - Hosts: 206.161.200.103 www28.smutserver.com
    O1 - Hosts: 206.161.200.103 www29.smutserver.com
    O1 - Hosts: 206.161.200.103 www30.smutserver.com
    O1 - Hosts: 206.161.200.103 www31.smutserver.com
    O1 - Hosts: 206.161.200.103 www32.smutserver.com
    O1 - Hosts: 206.161.200.103 www.kinghost.com
    O1 - Hosts: 206.161.200.103 kinghost.com
    O1 - Hosts: 206.161.200.103 www1.kinghost.com
    O1 - Hosts: 206.161.200.103 www2.kinghost.com
    O1 - Hosts: 206.161.200.103 www3.kinghost.com
    O1 - Hosts: 206.161.200.103 www4.kinghost.com
    O1 - Hosts: 206.161.200.103 www5.kinghost.com
    O1 - Hosts: 206.161.200.103 www6.kinghost.com
    O1 - Hosts: 206.161.200.103 www7.kinghost.com
    O1 - Hosts: 206.161.200.103 www8.kinghost.com
    O1 - Hosts: 206.161.200.103 www9.kinghost.com
    O1 - Hosts: 206.161.200.103 www10.kinghost.com
    O1 - Hosts: 206.161.200.103 www1.ndhosting.com
    O1 - Hosts: 206.161.200.103 www3.ndhosting.com
    O1 - Hosts: 206.161.200.103 www2.ndhosting.com
    O1 - Hosts: 206.161.200.103 www.ndhosting.com

  5. RESTART your computer in Safe Mode - How do I boot into "Safe" mode?

  6. Find and delete these files or folders:

  • C:\Program Files\Internet Explorer\IEengine.exe <= File
  • C:\WINDOWS\system32\winlogin.exe <= This file, NOTICE the spelling. Please watch that you do not delete winlogon.exe (that is a legit file in the same directory)
  • winlogon.exe in any location other than c:\windows\system32. <= windows may be winnt, win98 etc., depending on your operating system. c:\windows\system32\winlogon.exe is a legitimate system file that MUST NOT be deleted. One of the more common places for winlogon.exe to hide is C:\Documents and Settings\All Users\Start Menu\Programs <= Be sure to check this location.
  • m.exe
  • dlltemp.exe
  • dllhelp.exe
  • Some files may be harder to spot (As mypoiskovik randomly changes the file names) so proceed with the following only if the infection was not found in any of the previous steps:
    • Click on "Start" => "Search" => "For files or Folders" => Search for "All Files and Folders" => Type in *.exe *.dll => Under "When was it modified" => "Specify Date" => Date of suspected infection through Today.
    • Hit search and wait for a while, probably at least 1/2 hour, depending on your CPU speed.
    • This will give you a list of every insidious .exe file and .dll file that may be trojans infecting your computer.
    • Look at the files and see what looks suspicious. DO NOT delete anything if you are at all unsure as you may have valid file names listed. Post the list back here for us to review and make recommendations.

  7. While still in safe mode would you please run CoolWeb Shredder one more time and let it FIX all problems.

  8. RESTART back in Normal mode. Don't open a browser yet.

  9. Instead, access your "Internet options" via "Control Panel" and under the "Programs" tab, "Reset Web Settings".

  10. Under the "General" tab => "Delete files" and "Reset home page".

  11. Post back a fresh Hijackthis log.

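An added example, not part of the original thread and not HijackThis's own code: a small triage script for the entry types the reply above asks to be fixed (O1 hosts-file redirects, the F2 UserInit value, R0/R1 browser URLs) plus the winlogin/winlogon name check. The names `review`, `one_char_off`, `PROTECTED` and the default `system_dir` are assumptions made for this sketch; the second and third sample lines are constructed from the reply's warnings, the rest are copied from the first log.

```python
import re
from collections import defaultdict

# Lines copied from the first log in this thread. Lines 2 and 3 of the sample
# are constructed process paths illustrating the winlogin/winlogon warning.
SAMPLE_LOG = r"""
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogin.exe
C:\Documents and Settings\All Users\Start Menu\Programs\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcpack.exe
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.103 www.kinghost.com
O1 - Hosts: 206.161.200.103 kinghost.com
O4 - HKCU\..\Run: [iEengine] C:\Program Files\Internet Explorer\IEengine.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O1 - Hosts: ..."
EXE_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.exe', re.I)
PROTECTED = ("winlogon.exe", "userinit.exe")           # assumed watch list


def one_char_off(a, b):
    """Same length, exactly one differing character (winlogin vs winlogon)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def review(log, system_dir=r"c:\winnt\system32"):
    """Return findings that need a human decision; nothing is deleted."""
    hosts, ie_hosts = defaultdict(list), defaultdict(int)
    userinit_extra, suspicious_names = [], []
    for line in map(str.strip, log.splitlines()):
        # Name check runs on every path, including the process list.
        for path in EXE_PATH.findall(line):
            folder, _, name = path.lower().rpartition("\\")
            lookalike = any(one_char_off(name, p) for p in PROTECTED)
            misplaced = name in PROTECTED and folder != system_dir
            if lookalike or misplaced:
                suspicious_names.append(path)
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in ("127.0.0.1", "::1"):
                hosts[parts[0]].append(parts[1])   # group names by target IP
        elif code == "F2" and "UserInit=" in body:
            progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
            userinit_extra += [p for p in progs
                               if p and not p.lower().endswith("\\userinit.exe")]
        elif code in ("R0", "R1"):
            url = re.search(r"= https?://([^/\s]+)", body)
            if url:                                # skips blanks and ProxyServer
                ie_hosts[url.group(1).lower()] += 1
    return {"hosts": dict(hosts), "ie_hosts": dict(ie_hosts),
            "userinit_extra": userinit_extra, "suspicious_names": suspicious_names}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, "->", value)
```

Pass `system_dir` as `c:\windows\system32` (lower case) for a log taken on a system installed under `C:\WINDOWS`.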

Hey, thanks a lot. I think it's finally gone. I also updated Windows, so it will hopefully be gone for good. Thanks for making it so easy. Here's one final HJT log.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:09:06 PM, on 6/24/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wizards.com/default.asp?x=dnd/welcome

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM (HKLM)

O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7943.7591319444

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab


A few small things to clean up:

  1. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button. <= You should already have this but make sure it is v1.59.0
  2. Go into "Add/Remove Programs" in the control panel and look for any programs named similar to "WebHancer", "Web Survey" etc and remove.
  3. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wizards.com/default.asp?x=dnd/welcome
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
  4. The following are optional to delete as they are resource hogs:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
  5. Please reboot into safe mode - How do I boot into "Safe" mode?
  6. The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.

    1. DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"

    2. DIRECTORIES

  • C:\Program Files\TV Media\
  • C:\Program Files\webHancer\

    3. FILES

  • Nothing Yet

  7. Reboot again and log in normally, repost a new HijackThis log into this message for further review.
