Jump to content


Photo

POP UP CRAZY / EXPLORER ERRORS


  • This topic is locked This topic is locked
54 replies to this topic

#1 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 02:55 PM

PLEASE HELP ME WITH THE POP UP TROUBLE. I HAVE RUN SPYBOT,AD-WARE AND CWSHREDDER.

ANY ADVISE?

#2 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 19 May 2004 - 02:57 PM

Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log here for analysis.

Thank you.

#3 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 03:01 PM

okay

#4 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 03:09 PM

I can't get it to save properly. I can view it but can not cut and paste it.

#5 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 03:10 PM

Not sure how to save it to C:\HJT

#6 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 03:15 PM

How can I post it?

#7 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 19 May 2004 - 03:21 PM

Sorry - Was reading another post. Run HijackThis, Click on "Scan" - In the bottom left. The "Scan" icon will then change to "Save Log". Click on it. It should come up with a screen that you just have to click on "Save" (Keeps the defaults suggested). This will then open notepad with the log in it. Click on "Edit" => "Select All" => "Edit" => "Copy". THis copies it into your cliboard. In this message click on add reply and the bring your mouse into the reply box, right click and select "Paste".

#8 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 03:26 PM

Thanks - Here it is




Logfile of HijackThis v1.97.7
Scan saved at 4:08:34 PM, on 05/19/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\VLPY.EXE
C:\WINDOWS\TEMP\I5M.EXE
C:\WINDOWS\SYSTEM\OEM66C.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\OEM66C.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\BV9FFHOW\HIJACKTHIS[2].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [lwhwx] C:\WINDOWS\lwhwx.exe
O4 - HKLM\..\Run: [kuqgpnpb] C:\WINDOWS\vlpy.exe
O4 - HKLM\..\Run: [I5m.exe] C:\WINDOWS\TEMP\I5M.EXE
O4 - HKLM\..\Run: [ypghkbib] C:\WINDOWS\ypghkbib.exe
O4 - HKLM\..\Run: [qt9W36R] OEM66C.EXE
O4 - HKLM\..\Run: [AutoLoaderqEqc1IMTOKbO] "C:\WINDOWS\SYSTEM\OEM66C.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com.../KeyActivex.ocx
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/budicon.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

#9 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 03:29 PM

FYI - I am posting this on my laptop while it is my Desk top that is giving me trouble

#10 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 19 May 2004 - 03:52 PM

Please create a new directory C:\HJT and move the HijackThis.exe file into that directory and only run it from there. That way we can ensure that we have the backup files aailable in the event that they are needed. To create the directory, open "My Computer", open the "C-Drive", click on "File" => "New" => "New Folder". The folder should be highlighted - Just type in "HJT". To make it easy, download HijackThis again from C this link, install it into C:\HJT.

Uninstall Acceleration Soft from "Add/Remove Programs" in the Windows Control Panel.

You have a virus - Download Stinger and run it.

Close all programs/windows and run HijackThis. Delete the following (If they still exist) (i.e. Just place a check mark in the boxes that I indicate and click on "Fix"):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKLM\..\Run: [lwhwx] C:\WINDOWS\lwhwx.exe
O4 - HKLM\..\Run: [kuqgpnpb] C:\WINDOWS\vlpy.exe
O4 - HKLM\..\Run: [I5m.exe] C:\WINDOWS\TEMP\I5M.EXE
O4 - HKLM\..\Run: [ypghkbib] C:\WINDOWS\ypghkbib.exe
O4 - HKLM\..\Run: [qt9W36R] OEM66C.EXE
O4 - HKLM\..\Run: [AutoLoaderqEqc1IMTOKbO] "C:\WINDOWS\SYSTEM\OEM66C.EXE"
O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com.../KeyActivex.ocx
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/budicon.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

The following are optional to delete as they are resource hogs:
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

Please reboot into safe mode - How do I boot into "Safe" mode?

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):
  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files [/color](all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
  • C:\PROGRAM FILES\ACCELERATION SOFTWARE <= Delete this directory
  • C:\WINDOWS\Csrss.exe
  • C:\WINDOWS\lwhwx.exe
  • C:\WINDOWS\vlpy.exe
  • C:\WINDOWS\TEMP\I5M.EXE
  • C:\WINDOWS\ypghkbib.exe
  • C:\WINDOWS\SYSTEM\OEM66C.EXE
Reboot again and log in normally, repost a new HijackThis log into this message for further review.

#11 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 04:07 PM

I do not see acceleration soft in ADD/REMOVE window. Should I still proceed with other directions?

#12 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 19 May 2004 - 04:29 PM

Yes, please do

#13 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 04:31 PM

I am running stinger, Thank you

#14 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 19 May 2004 - 05:25 PM

I did my best. How does it look?

Logfile of HijackThis v1.97.7
Scan saved at 6:24:18 PM, on 05/19/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [kuqgpnpb] C:\WINDOWS\vlpy.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB

#15 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 19 May 2004 - 08:08 PM

You did miss one:
O4 - HKLM\..\Run: [kuqgpnpb] C:\WINDOWS\vlpy.exe.
Delete the entry in HijackThis, reboot, then delete the file.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:
Spywareblaster
Spywareguard

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will several impair attempts to infect your system. It is free.

More info and download is available at:
IE/Spyad

On a regular basis - Use Ad-Aware to check your system for any and all infections => How to use Ad-Aware to remove Spyware

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recyle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#16 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 20 May 2004 - 07:08 AM

My browser still changes to g.msn.com then advertising web pages. What can I do?

Thank you.

#17 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 20 May 2004 - 07:46 AM

Help,

My browser goes to g.msn and all kinds of popups. I've run Stinger, Sybot, Shredder.

Advice?

Logfile of HijackThis v1.97.7
Scan saved at 8:43:04 AM, on 05/20/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB

#18 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 20 May 2004 - 08:15 AM

Hi,

What's going on here? Please help me.

Logfile of HijackThis v1.97.7
Scan saved at 8:43:04 AM, on 05/20/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB

#19 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 20 May 2004 - 09:24 AM

Can you please post a HijackThis log so that I can see what is going on? The advertising pages ... Are these nre browser windows that "Pop-Up" or are they advertisements within the same IE browser? What is the web sire? Are you redirected to a specific web site etc?

#20 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 20 May 2004 - 10:23 AM

Threads merged to here. Stick to just this one, please.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#21 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 20 May 2004 - 10:58 AM

MSN is my home page. If left on MSN for a while the page changes to all kind of different web sites and pop ups come up. this happens even if I'm not on the web. FYI - I have a DSL line.

Thank you for your help.

New Hijack Log

Logfile of HijackThis v1.97.7
Scan saved at 11:56:22 AM, on 05/20/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB

#22 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 20 May 2004 - 11:06 AM

If you do a search in MSN or Google you get a Invalid Syntax Error - It says open the g.msn.com home page, and then look for links to the information you want.

When I tried to save the hijacker log it says somethins about swarm assult.

At time I get a white block that has black letters saying

The system is dangerously low on resources!
Would you like to terminate the following application?
Gwhotkey
pressing no brings up more choices

#23 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 20 May 2004 - 11:14 AM

This may be related to your HOSTS file. Can you please follow the instructions that I usually post at the end of my fixes (BELOW), specifically the one relating to the MVPS HOSTS file. Let me know if that clears it up...

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to cath most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recyle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#24 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 28 May 2004 - 08:48 AM

I tried to change my hosts file. I still get redirectd and search functions do not work on any page. When being redirected the address bar always starts with 69. and it goes away so quick that I can't read it. Usually I get directed to sites for spyware removal tools.
Is my log ok?

Thank you for your time.

Logfile of HijackThis v1.97.7
Scan saved at 9:31:34 AM, on 05/28/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

#25 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 28 May 2004 - 10:02 AM

Please give me a few minutes to check your new log and I'll get right back to you.

#26 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 28 May 2004 - 10:24 AM

The log is clear. Can you try ...
Please open notepad, copy the contents of the quote box into notepad and save it as iefix.reg. Double click on the iefix.reg file and when prompted, just respond "Yes". This will reset all your IE settings back to their defaults.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn...t/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn...t/srchcust.htm"
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"
"Search Page"="http://www.microsoft...ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.co...n-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsof...earch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="http://search.msn.co...om/spbasic.htm"
"Use Custom Search URL"= dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

Let me know if this helps resolve the redirects.

#27 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 03 June 2004 - 01:05 PM

PG,

I have been utilizing my laptop. Sorry for the delay. I thank you for your responses. I did as you said. Spygaurd asked if it was okay to change the registry and I said yes.

I still get redirected (sometimes) and search or links on pages does not work. I get the White Screen saying page unavailable.

Thanks for your help on this.

#28 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 03 June 2004 - 02:55 PM

Can you post a fresh HijackThis log and alos, what page are you redirected to? Thank you.

#29 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 03 June 2004 - 04:15 PM

I usually get sent to spotresults.com/dns.php?url=...
I noticed that as I am being switched the the lower left address is 69.20.62 and I can't read the rest as it switches to quick. I also get sent to 888. casino or something like that.

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 5:12:22 PM, on 06/03/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O13 - WWW Prefix:
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

#30 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 03 June 2004 - 06:31 PM

In my signature there is a link for MVPS Hosts - Can you click on it and follow the instructions to reset your HOSTS file. Once that is done, reboot, come back and post a fresh HijackThis log for me to review.

#31 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 04 June 2004 - 07:52 AM

Thanks,

Logfile of HijackThis v1.97.7
Scan saved at 8:50:10 AM, on 06/04/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O1 - Hosts: 127
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O13 - WWW Prefix:
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

#32 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 04 June 2004 - 11:41 AM

Close all programs and windows.
Run HijackThis and "Fix" the following:
O1 - Hosts: 127
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch

Do you still have a redirect problem?

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#33 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 04 June 2004 - 11:49 AM

PG,

I did as you said and ran another log. The last three hosts files came back automatically.
This is a tough one.

Thanks

#34 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 04 June 2004 - 11:53 AM

I tries again to "Fix" them and I got a Hijack This error log saying:

An enexpected error has occurred at procedure: modMain_FixOther1Item[slitem=01 -
Hosts: 207.36.196.189 search.netscape.com]
How can you reproduce the error

Windows version: Windows 9x4.10.2222
MSIE version: 6.0.2800.1106
Hijack This version: 1.97.7

#35 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 05 June 2004 - 12:27 AM

I am going to ask a few experts for their input - Please be patient while I find out - Thank you.

#36 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 05 June 2004 - 12:51 AM

Download this: http://www.downloads...g/VX2Finder.exe and run it
  • Click "Click To find Find VX2.Abetterinternet"
  • Delete all files found. You will get a message about "cannot delete this one" matching the same name in the Guardian Key.
  • Click "Open regedit" will take you right to the Guardian Key(no need to search for it)
  • Highlight "Guardian", RightClick and choose Security/permissions, you'll get another window with 'advanced'...DE-select (uncheck) the lower box with "inheritable permissions". Hit 'ok' and 'remove' on the following security prompts.
  • Restart computer.
  • On restart use VX2Finder again, select + delete the last file, click "User Agent$" will remove that entry from the registry.
  • Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions"
  • Click "Guardian.reg" in VX2Finder Deletes the Guardian Key.
  • Use Find again should produce a clean log of blank values.
  • Click "Restore Policy" to restore the Debug policy altered in the look2Me installation.(requires reboot to apply, but not immediatley neccessary)


#37 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 05 June 2004 - 09:58 AM

The download says:
This finder is currently only for NT based systems.

Thanks

#38 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 05 June 2004 - 01:39 PM

Try this one for windows 9x systems

#39 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 05 June 2004 - 02:13 PM

I do not see a Open regedit" key
3. Click "Open regedit" will take you right to the Guardian Key(no need to search for it)

Sorry

#40 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 06 June 2004 - 01:17 AM

Can you try out the steps listed here at Pest Patrol. Let me know if it eliminates it for you. If not, please post a fresh HijackThis log for further review.

#41 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 06 June 2004 - 10:10 AM

I AM SORRY BUT YOUR LINK DOES NOT WORK.

Thank you

#42 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 06 June 2004 - 10:12 AM

Link works for me.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#43 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 06 June 2004 - 10:29 AM

I AM SORRY BUT YOUR LINK DOES NOT WORK.

I assume you mean the link from my last post i.e.

Can you try out the steps listed here at Pest Patrol.  Let me know if it eliminates it for you.  If not, please post a fresh HijackThis log for further review.

It is working for me but just in case something is going haywire with your system in terms of IE links or perhaps HOSTS redirects, can you copy the link exactly as listed, paste it into your browser bar and let me know if you can connect ... If not, exactly what happens:
http://www.pestpatro...terinternet.asp

#44 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 06 June 2004 - 10:50 AM

I am sorry but the link does not work.

Thank you

Logfile of HijackThis v1.97.7
Scan saved at 11:46:37 AM, on 06/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/servlet/AVQSDisplayPdf?rbVal=Dec 2001~195955120: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O13 - WWW Prefix:
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

Note: I "fixed" the hosts files again and they did not "reappear in this scan"

#45 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 06 June 2004 - 11:00 AM

When I paste the link it says -
Connecting to site 209.92.194.116

Then the white action cancelled page comes up.

Also - Links do not work on any page and search functions have been lost.

#46 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 06 June 2004 - 11:06 AM

Let's try this ... Please go to Microsoft Windows Update and download all critical updates for your system. Specifically the updates relating to IE - You are using a very old version. Let me know once that is done if you are still having problems.

p.s. Thank you for being so patient - We will get to the bottom of this, I assure you :)

#47 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 06 June 2004 - 11:25 AM

I have downloaded all critical updates. I had a great deal of difficulty doing so. When I check the log for update activity it says I have installed them but if I say check for updates it says I still need them.

When I clicked ok to restart computer it gave a blue screen saying:
Windows
A fatal exception OE has occurred at 0028:C02A27A8 in VXD VWIN32(05)
+000012D0. The current application will be terminated.

Thank you for taking so much time to help.

#48 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 06 June 2004 - 11:41 AM

I am going to get a few experts in on this one as it is really strange ...

#49 DDAY

DDAY

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 06 June 2004 - 12:31 PM

Thank you very much.

#50 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 06 June 2004 - 11:01 PM

You have several infections that we have cleaned off at least twice and the fact that they are back indicates that you are surfing the same sites that infected you in the first place. We need to clean off your computer before you surf any more sites and please, stop rushing ahead and follow each step, one point at a time. Several of the fixes that I have asked you to do have not been done, or only partially done. Another problem - Please DO NOT bump every 5 minutes - I am following this case and when you respond, as soon as I am back online, I will continue until we have the issue resolved. That out of the way, let us continue trying to fix this ...

Some of the steps I recommend will be repeated steps, due to reinfection, please follow each step.

How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button. <= I know you already have this, please download it again as you need to make sure that you are running version 1.59.0.

Uninstall "WinTools" from "Add/Remove Programs".

Close all programs and windows.

Run HijackThis and select the following and then click on "Fix Checked".
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O13 - WWW Prefix:
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7892.6818287037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: ConferenceRoom Java Client - http://supportchat.n...000/java/cr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

Run either of these free online virus scans.Please download, install and run Tojan Hunter (Trial).

Please reboot into safe mode - How do I boot into "Safe" mode?

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):
  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files(all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
Reboot again and log in normally, repost a new HijackThis log into this message for further review.




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button