Live Chat & Podcast at 1:00PM Eastern on Sunday!
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post "Congratulations, you won" &am ...
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Microsoft Visual C++ Runtime Library Buf ...
Go to first new post Family Cyber Removal
Go to first new post System Check problem
Go to first new post hijack this log ......
Go to first new post Trojan virus
Go to first new post "svchost application error 0x6fe217 ...
Go to first new post Cannot access any google sites - youtube ...
Go to first new post My computer is slowly dying
Go to first new post Trojan Hider
Go to first new post We Got System Checked :-(
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post Incredibar Removal - Support Pls!
Go to first new post need help regarding malware/spyware
Tag Cloud
access acer asus bios bsod computer crash driver drivers error ethernet excel freeze gaming gpu hard drive hardware hdmi internet laptop mac malware memory monitor motherboard music network printer problem ram registry router server slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Home page stuck on coolwwwsearch can't change (New)

Page 2 of 12 1 2 345 Last »
Reply  
Thread Tools
versus's Avatar
Junior Member with 8 posts.
  
Join Date: Jul 2003
01-Jul-2003, 01:49 AM #16
Hi Tony,

thanks a ton. Well here goes. This is the log from Hijack This -

Logfile of HijackThis v1.95.0
Scan saved at 21:48:24, on 30/06/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Stanford\PC-Leland\pcleland.exe
C:\Program Files\Stanford\PC-Leland\krbcc32s.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Stanford\PC-AFS\Client\Program\afsd_service.exe
C:\Documents and Settings\Vineet\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O1 - Hosts: 1123694712 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\System32\bootconf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC-Leland.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O19 - User stylesheet: C:\WINDOWS\default.css
Register for free to hide this ad!
versus's Avatar
Junior Member with 8 posts.
  
Join Date: Jul 2003
01-Jul-2003, 01:53 AM #17
aha! i see it. All those lines which start with R1 HKLM and HKCU, all have the same url listed in them which takes me to the same page.

But what do i do? i guess its one thing for me to find the lines, but now....
TonyKlein's Avatar
Malware Removal Specialist with 10,514 posts.
  
Join Date: Aug 2001
Location: The Netherlands
01-Jul-2003, 02:04 AM #18
This is what you need to do:

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%31%30%31
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm

O1 - Hosts: 1123694712 auto.search.msn.com

O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\System32\bootconf.exe

O19 - User stylesheet: C:\WINDOWS\default.css



After rebooting, delete:

C:\WINDOWS\System32\bootconf.exe
C:\WINDOWS\default.css

That's it!

Cheers,
__________________
Tony < - > CLSID List - A Collection of Autostart Locations
versus's Avatar
Junior Member with 8 posts.
  
Join Date: Jul 2003
01-Jul-2003, 02:12 AM #19
ok. WILCO, and revert. thanks.
versus's Avatar
Junior Member with 8 posts.
  
Join Date: Jul 2003
01-Jul-2003, 02:17 AM #20
Great. it worked. The default page has gone. but do i still need to delete the two files? or can i leave them there?
Loup's Avatar
Junior Member with 3 posts.
  
Join Date: Jul 2003
01-Jul-2003, 02:52 AM #21
same problem
I'm having the same problem, after reading the posts here I think I can figure out which things to delete but I wanted to post here to make sure.

Here is a copy of my HyjackThis! log:

Logfile of HijackThis v1.95.0
Scan saved at 12:49:35 AM, on 7/1/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\FarStone\GameDrive\VDTask.exe
C:\WINNT\vcdplayx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
D:\Program Files\tclock\tclock.exe
D:\Program Files\America Online 8.0\aol.exe
D:\Program Files\America Online 8.0\waol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\konnat\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%39%34%37%35%33%39
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%39%34%37%35%33%39%20%20about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%39%34%37%35%33%39
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O1 - Hosts: 1123694712 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirtualDrive] "D:\Program Files\FarStone\GameDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINNT\vcdplayx.exe"
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: TClock.lnk = D:\Program Files\tclock\tclock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINNT\default.css


also I noticed that it seems to add http://*.coolwwwsearch.com and http://*.msn.com to the list of trusted sites. If I remove them and restart my computer they reappear.

Thanks for any help
TonyKlein's Avatar
Malware Removal Specialist with 10,514 posts.
  
Join Date: Aug 2001
Location: The Netherlands
01-Jul-2003, 06:52 AM #22
Why would you want to leave them there? They're no Windows files, but belong to/were created by your hijacker.
versus's Avatar
Junior Member with 8 posts.
  
Join Date: Jul 2003
01-Jul-2003, 02:34 PM #23
ah?
Ok. got it. Thanks a ton. Was just wondering.
TonyKlein's Avatar
Malware Removal Specialist with 10,514 posts.
  
Join Date: Aug 2001
Location: The Netherlands
01-Jul-2003, 03:55 PM #24
No prob!
Drew_at_home's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2003
01-Jul-2003, 10:57 PM #25
Unhappy Coolwwwsearch problems too
I too have been plagued with that vicious virus. I won't presume I have all the same files/problems as Cathy - have tried several attemptsw to clear the registry obviously missing something -
Below is my hijackThis log file -
What next???
Logfile of HijackThis v1.95.0
Scan saved at 7:46:07 PM, on 01/07/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cool Search\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37 about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.mysask.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.mysask.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 10
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [Corel Corporation Registration] "C:\Program Files\Corel\WordPerfect Office 2002\Register\NAVBrowser.exe" /r /i "C:\Program Files\Corel\WordPerfect Office 2002\Register\NavLoad.ini"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\System32\bootconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Global Startup: Network Device Switch.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...698.4255208333
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O19 - User stylesheet: C:\WINDOWS\default.css

Thanks
Drew
Top Banana's Avatar
Senior Member with 1,344 posts.
  
Join Date: Nov 2002
01-Jul-2003, 11:25 PM #26
Scan with HijackThis, put a checkmark at and "Fix checked" the following entries. Close all windows except for HijackThis before fixing.

All R1 and R0 entries apart from

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.mysask.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.mysask.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm

Also "Fix checked"

R3 - Default URLSearchHook is missing
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll
O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\System32\bootconf.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab
O19 - User stylesheet: C:\WINDOWS\default.css

Restart your computer and delete

bootconf.exe
default.css
Loup's Avatar
Junior Member with 3 posts.
  
Join Date: Jul 2003
02-Jul-2003, 01:07 AM #27
well I got rid of everything that I thought I was supposed to get rid of for this but I'm still ending up with the search assistant one. I have run Spybot as well as ad-aware and AVG and havn't found anything that looks like it could be causing this. I'll post my newest Hijack This log, any help anyone can give would be greatly appreciated

Logfile of HijackThis v1.95.0
Scan saved at 11:09:01 PM, on 7/1/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\FarStone\GameDrive\VDTask.exe
C:\WINNT\vcdplayx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
D:\Program Files\tclock\tclock.exe
D:\Program Files\America Online 8.0\aol.exe
D:\Program Files\America Online 8.0\waol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\konnat\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.slashdot.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%39%34%37%35%33%39
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VirtualDrive] "D:\Program Files\FarStone\GameDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINNT\vcdplayx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: TClock.lnk = D:\Program Files\tclock\tclock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Drew_at_home's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2003
02-Jul-2003, 04:42 AM #28
Talking Top Banana - it worked
Top Banana -
The fix worked great - but I did have to go through it about 4 times - each reboot produced fewer problem areas until I was left with an "about blank" home page - which was easy to fix.
Don't know why I had to do it more than once - could it be I didn't realize that your instructions were 1 step - the instruction was pretty clear - you said "also" fix checked, but being a guy, I figured you meant "then" (after the the reboot).
Thanks again, great website .... Know where to go now for help.
Drew
spasscal's Avatar
Junior Member with 2 posts.
  
Join Date: Jul 2003
02-Jul-2003, 05:25 AM #29
it seems, that I have the same problems. could someone tell me, which items I have to delete? thanks a lot!!!

Logfile of HijackThis v1.95.0
Scan saved at 10:06:46, on 02.07.2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAMME\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\DELL\ACCESSDIRECT\DADAPP.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAMME\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\AUCBPNP.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAMME\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37 about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Pascal Defuns
F1 - win.ini: run=hpfsched
O1 - Hosts: 1123694712 auto.search.msn.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [DadApp] C:\Programme\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programme\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AUCBPNP] C:\WINDOWS\SYSTEM\aucbpnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\SYSTEM\bootconf.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Programme\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programme\Gemeinsame Dateien\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: WinPPPoverEthernet.lnk = C:\Programme\WinPoet\WinPPPoverEthernet.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/...r/PROFILER.CAB
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://www.tevi-net.de/SiteRoots/mai...Downloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = unisg.ch
O19 - User stylesheet: C:\WINDOWS\default.css
Metallica's Avatar
Malware Removal Specialist with 692 posts.
  
Join Date: Jan 2003
02-Jul-2003, 08:41 AM #30
Hi spasscal,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37 about :blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\SYSTEM\bootconf.exe
O19 - User stylesheet: C:\WINDOWS\default.css

Reboot after doing so.

Regards,

Pieter
__________________
I´m madly in Anger with spyware.
MS MVP Consumer Security
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 2 of 12 1 2 345 Last »

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 05:26 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.