another person with http://mypoiskovik.com problems


3 replies to this topic

#1 mailman336


Posted 22 June 2004 - 05:39 PM

I've got a problem with a hijacker called http://mypoiskovik.com. I've seen other posts with this problem, but I guess I should send you my own HJT log.

I use adaware often and it just doesn't seem to see this one.


Logfile of HijackThis v1.97.7
Scan saved at 6:40:11 PM, on 6/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Internet Explorer\IEengine.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcpack.exe
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
O1 - Hosts: 206.161.200.105 www.your.com
O1 - Hosts: 206.161.200.105 your.com
O1 - Hosts: 206.161.200.103 www.smutserver.com
O1 - Hosts: 206.161.200.103 www1.smutserver.com
O1 - Hosts: 206.161.200.103 www2.smutserver.com
O1 - Hosts: 206.161.200.103 www3.smutserver.com
O1 - Hosts: 206.161.200.103 www4.smutserver.com
O1 - Hosts: 206.161.200.103 www5.smutserver.com
O1 - Hosts: 206.161.200.103 www6.smutserver.com
O1 - Hosts: 206.161.200.103 www7.smutserver.com
O1 - Hosts: 206.161.200.103 www8.smutserver.com
O1 - Hosts: 206.161.200.103 www9.smutserver.com
O1 - Hosts: 206.161.200.103 www10.smutserver.com
O1 - Hosts: 206.161.200.103 www11.smutserver.com
O1 - Hosts: 206.161.200.103 www12.smutserver.com
O1 - Hosts: 206.161.200.103 www13.smutserver.com
O1 - Hosts: 206.161.200.103 www14.smutserver.com
O1 - Hosts: 206.161.200.103 www15.smutserver.com
O1 - Hosts: 206.161.200.103 www16.smutserver.com
O1 - Hosts: 206.161.200.103 www17.smutserver.com
O1 - Hosts: 206.161.200.103 www18.smutserver.com
O1 - Hosts: 206.161.200.103 www19.smutserver.com
O1 - Hosts: 206.161.200.103 www20.smutserver.com
O1 - Hosts: 206.161.200.103 www21.smutserver.com
O1 - Hosts: 206.161.200.103 www22.smutserver.com
O1 - Hosts: 206.161.200.103 www23.smutserver.com
O1 - Hosts: 206.161.200.103 www24.smutserver.com
O1 - Hosts: 206.161.200.103 www25.smutserver.com
O1 - Hosts: 206.161.200.103 www26.smutserver.com
O1 - Hosts: 206.161.200.103 www27.smutserver.com
O1 - Hosts: 206.161.200.103 www28.smutserver.com
O1 - Hosts: 206.161.200.103 www29.smutserver.com
O1 - Hosts: 206.161.200.103 www30.smutserver.com
O1 - Hosts: 206.161.200.103 www31.smutserver.com
O1 - Hosts: 206.161.200.103 www32.smutserver.com
O1 - Hosts: 206.161.200.103 www.kinghost.com
O1 - Hosts: 206.161.200.103 kinghost.com
O1 - Hosts: 206.161.200.103 www1.kinghost.com
O1 - Hosts: 206.161.200.103 www2.kinghost.com
O1 - Hosts: 206.161.200.103 www3.kinghost.com
O1 - Hosts: 206.161.200.103 www4.kinghost.com
O1 - Hosts: 206.161.200.103 www5.kinghost.com
O1 - Hosts: 206.161.200.103 www6.kinghost.com
O1 - Hosts: 206.161.200.103 www7.kinghost.com
O1 - Hosts: 206.161.200.103 www8.kinghost.com
O1 - Hosts: 206.161.200.103 www9.kinghost.com
O1 - Hosts: 206.161.200.103 www10.kinghost.com
O1 - Hosts: 206.161.200.103 www1.ndhosting.com
O1 - Hosts: 206.161.200.103 www3.ndhosting.com
O1 - Hosts: 206.161.200.103 www2.ndhosting.com
O1 - Hosts: 206.161.200.103 www.ndhosting.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7943.7591319444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 PGPhantom


Posted 22 June 2004 - 05:58 PM

mypoiskovik.com can infect your system in many ways. To remove it, please follow the procedure listed below:
  • How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  • Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  • Run hijackthis and put a check next to these entries and then FIX checked after ALL other windows are closed (including this one):
  • In HijackThis, make sure that none of the following entries are present, if they are, remove them as well:
    • O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    • O4 - Global Startup: winlogin.exe
    • O4 - HKCU\..\Run: [dllhelp] c:\windows
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
      R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
      F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcpack.exe
      O1 - Hosts: 206.161.200.105 auto.search.msn.com
      O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
      O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
      O1 - Hosts: 206.161.200.105 www.your.com
      O1 - Hosts: 206.161.200.105 your.com
      O1 - Hosts: 206.161.200.103 www.smutserver.com
      O1 - Hosts: 206.161.200.103 www1.smutserver.com
      O1 - Hosts: 206.161.200.103 www2.smutserver.com
      O1 - Hosts: 206.161.200.103 www3.smutserver.com
      O1 - Hosts: 206.161.200.103 www4.smutserver.com
      O1 - Hosts: 206.161.200.103 www5.smutserver.com
      O1 - Hosts: 206.161.200.103 www6.smutserver.com
      O1 - Hosts: 206.161.200.103 www7.smutserver.com
      O1 - Hosts: 206.161.200.103 www8.smutserver.com
      O1 - Hosts: 206.161.200.103 www9.smutserver.com
      O1 - Hosts: 206.161.200.103 www10.smutserver.com
      O1 - Hosts: 206.161.200.103 www11.smutserver.com
      O1 - Hosts: 206.161.200.103 www12.smutserver.com
      O1 - Hosts: 206.161.200.103 www13.smutserver.com
      O1 - Hosts: 206.161.200.103 www14.smutserver.com
      O1 - Hosts: 206.161.200.103 www15.smutserver.com
      O1 - Hosts: 206.161.200.103 www16.smutserver.com
      O1 - Hosts: 206.161.200.103 www17.smutserver.com
      O1 - Hosts: 206.161.200.103 www18.smutserver.com
      O1 - Hosts: 206.161.200.103 www19.smutserver.com
      O1 - Hosts: 206.161.200.103 www20.smutserver.com
      O1 - Hosts: 206.161.200.103 www21.smutserver.com
      O1 - Hosts: 206.161.200.103 www22.smutserver.com
      O1 - Hosts: 206.161.200.103 www23.smutserver.com
      O1 - Hosts: 206.161.200.103 www24.smutserver.com
      O1 - Hosts: 206.161.200.103 www25.smutserver.com
      O1 - Hosts: 206.161.200.103 www26.smutserver.com
      O1 - Hosts: 206.161.200.103 www27.smutserver.com
      O1 - Hosts: 206.161.200.103 www28.smutserver.com
      O1 - Hosts: 206.161.200.103 www29.smutserver.com
      O1 - Hosts: 206.161.200.103 www30.smutserver.com
      O1 - Hosts: 206.161.200.103 www31.smutserver.com
      O1 - Hosts: 206.161.200.103 www32.smutserver.com
      O1 - Hosts: 206.161.200.103 www.kinghost.com
      O1 - Hosts: 206.161.200.103 kinghost.com
      O1 - Hosts: 206.161.200.103 www1.kinghost.com
      O1 - Hosts: 206.161.200.103 www2.kinghost.com
      O1 - Hosts: 206.161.200.103 www3.kinghost.com
      O1 - Hosts: 206.161.200.103 www4.kinghost.com
      O1 - Hosts: 206.161.200.103 www5.kinghost.com
      O1 - Hosts: 206.161.200.103 www6.kinghost.com
      O1 - Hosts: 206.161.200.103 www7.kinghost.com
      O1 - Hosts: 206.161.200.103 www8.kinghost.com
      O1 - Hosts: 206.161.200.103 www9.kinghost.com
      O1 - Hosts: 206.161.200.103 www10.kinghost.com
      O1 - Hosts: 206.161.200.103 www1.ndhosting.com
      O1 - Hosts: 206.161.200.103 www3.ndhosting.com
      O1 - Hosts: 206.161.200.103 www2.ndhosting.com
      O1 - Hosts: 206.161.200.103 www.ndhosting.com
  • RESTART your computer in Safe Mode - How do I boot into "Safe" mode?
  • Find and delete these files or folders:
    • C:\Program Files\Internet Explorer\IEengine.exe <= File
    • C:\WINDOWS\system32\winlogin.exe <= This file, NOTICE the spelling. Please watch that you do not delete winlogon.exe (that is a legit file in the same directory)
    • winlogon.exe in any location other than c:\windows\system32. <= windows may be winnt, win98 etc., depending on your operating system. c:\windows\system32\winlogon.exe is a legitimate system file that MUST NOT be deleted. One of the more common places for winlogon.exe to hide is C:\Documents and Settings\All Users\Start Menu\Programs <= Be sure to check this location.
    • m.exe
    • dlltemp.exe
    • dllhelp.exe
    • Some files may be harder to spot (As mypoiskovik randomly changes the file names) so proceed with the following only if the infection was not found in any of the previous steps:
      • Click on "Start" => "Search" => "For files or Folders" => Search for "All Files and Folders" => Type in *.exe *.dll => Under "When was it modified" => "Specify Date" => Date of suspected infection through Today.
      • Hit search and wait for a while, probably at least 1/2 hour, depending on your CPU speed.
      • This will give you a list of every insidious .exe file and .dll file that may be trojans infecting your computer.
      • Look at the files and see what looks suspicious. DO NOT delete anything if you are at all unsure, as you may have valid file names listed. Post the list back here for us to review and make recommendations.
  • While still in safe mode would you please run CoolWeb Shredder one more time and let it FIX all problems.
  • RESTART back in Normal mode. Don't open a browser yet.
  • Instead, access your "Internet options" via "Control Panel" and under the "Programs" tab, "Reset Web Settings".
  • Under the "General" tab => "Delete files" and "Reset home page".
  • Post back a fresh Hijackthis log.
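
Three of the checks in the post above (extra programs on the F2 UserInit line, O1 Hosts redirections, and winlogon.exe lookalikes) can be run mechanically over a HijackThis log. This is an added example, not part of the original thread or of HijackThis; the function names are hypothetical, the sample log is constructed from entries of the kind shown here, and the one-letter-variant pattern is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.97 log format, trimmed for brevity.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\winlogon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\winlogon.exe
C:\WINNT\system32\winlogin.exe

F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcpack.exe
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
O1 - Hosts: 127.0.0.1 localhost
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O1 - Hosts: ..."
LOOPBACK = {"127.0.0.1", "0.0.0.0"}               # benign/blocking targets

def parse(log):
    """Split a log into running-process paths and (section, body) entries."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def userinit_extras(entries):
    """UserInit should launch only userinit.exe; return any other program."""
    extras = []
    for section, body in entries:
        if section == "F2" and "userinit=" in body.lower():
            for path in body.split("=", 1)[1].split(","):
                name = path.strip().lower().rpartition("\\")[2]
                if name and name != "userinit.exe":
                    extras.append(path.strip())
    return extras

def hosts_redirects(entries):
    """Group O1 Hosts entries by target IP, skipping loopback entries."""
    by_ip = defaultdict(list)
    for section, body in entries:
        if section == "O1" and body.startswith("Hosts:"):
            fields = body[len("Hosts:"):].split()
            if len(fields) >= 2 and fields[0] not in LOOPBACK:
                by_ip[fields[0]].extend(fields[1:])
    return dict(by_ip)

def winlogon_lookalikes(procs):
    """Flag winlogon.exe outside system32 and one-letter variants of it."""
    flagged = []
    for path in procs:
        folder, _, name = path.lower().rpartition("\\")
        off_path = name == "winlogon.exe" and not folder.endswith("\\system32")
        # Assumed heuristic: winlogon.exe with either vowel position changed.
        variant = name != "winlogon.exe" and re.fullmatch(r"winl.g.n\.exe", name)
        if off_path or variant:
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    procs, entries = parse(SAMPLE_LOG)
    print(userinit_extras(entries), hosts_redirects(entries), winlogon_lookalikes(procs))
```

A hit from any of these functions is a prompt for review against the log, not a verdict; the legitimate winlogon.exe in system32 is deliberately never flagged.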


#3 mailman336


Posted 24 June 2004 - 10:08 PM

Hey, thanks a lot. I think it's finally gone. I also updated Windows, so it will hopefully be gone for good. Thanks for making it so easy. Here's one final HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 11:09:06 PM, on 6/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wizards.c...p?x=dnd/welcome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7943.7591319444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#4 PGPhantom


Posted 25 June 2004 - 09:40 AM

A few small things to clean up:
  • How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button. <= You should already have this but make sure it is v1.59.0
  • Go into "Add/Remove Programs" in the control panel and look for any programs named similar to "WebHancer", "Web Survey" etc and remove.
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wizards.c...p?x=dnd/welcome
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
  • The following are optional to delete as they are resource hogs:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    • DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    • DIRECTORIES
      • C:\Program Files\TV Media\
      • C:\Program Files\webHancer\
    • FILES
      • Nothing Yet
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.




