Browser Hijack...2020 search

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

G8r

Thread Starter
Joined
Jul 11, 2004
Messages
1
I'm trying to help a friend with a browser hijacking problem. When searching it always ends up with "2020 search". She has run CWshredder, Adaware, and Spybot S&D to no avail. Below is a log from Hijack this.

Any suggestions?

Logfile of HijackThis v1.98.0
Scan saved at 2:15:15 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ehmhtih.exe
C:\documents and settings\ridgill\local settings\temp\QsJ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\BELLSO~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\javaw.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Ridgill\Local Settings\Temp\Temporary Directory
1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gospelcom.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6A620965-A0F0-D550-2DAC-3E9EAAEAF8B9} - C:\WINDOWS\System32\aiwjtson.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: jimmyhelp.CBrowserHelper - {B2B3DCCB-C5FA-4352-83A7-38B68FFA56B7} - C:\WINDOWS\jigwvwt.dll
O2 - BHO: (no name) - {B755D689-B282-C660-21B0-D83FF91D29A2} - C:\WINDOWS\System32\lusyakgi.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {C718AAF8-FFC3-9AE8-9E2A-0F59999B303D} - C:\WINDOWS\System32\zauovcuf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [rrsankqh] C:\WINDOWS\ogrfytul.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [<HTML><HEAD><TITLE>Filter Server Not Available</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure Internet Protection Services v.4.1</H1><H2>Filter Server is not available!</H2>Due to a rare network event, your Internet Protection Services are temporarily unavailable. The services will resume shortly. We apologize for the inconvenience. Thank you for your patience.</BODY></H] c:\WINDOWS\System32\<HTML><HEAD><TITLE>Filter Server Not Available</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure Internet Protection Services v.4.1</H1><H2>Filter Server is not available!</H2>Due
to a rare network event, your Internet Protection Services are temporarily unavailable. The services will resume shortly. We apologize for the inconvenience. Thank you for your patience.</BODY></HTML>
O4 - HKLM\..\Run: [<HTML><HEAD><TITLE>Services Not Running</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure Internet Protection
Services v.4.1</H1><H2>Services are not running!</H2>Please reboot your system. If you continue to get this error, please reinstall the Protection Services.
If the problem still persists, please contact our technical support at (850)362-4310.</BODY></H] c:\WINDOWS\System32\<HTML><HEAD><TITLE>Services Not Running</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure
Internet Protection Services v.4.1</H1><H2>Services are not running!</H2>Please reboot your system. If you continue to get this error, please reinstall the Protection Services. If the problem still persists, please contact our technical support at (850)362-4310.</BODY></HTML>
O4 - HKLM\..\Run: [bdzyvj] C:\WINDOWS\ehmhtih.exe
O4 - HKLM\..\Run: [eqnfko] C:\WINDOWS\wetysus.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QsJ.exe] C:\documents and settings\ridgill\local settings\temp\QsJ.exe
O4 - HKLM\..\Run: [3FFDGFR2T8S53B] C:\WINDOWS\System32\Nwvd1.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [t79W3ml] mapatext.exe
O4 - HKLM\..\Run: [czziars] C:\WINDOWS\geledw.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [<HTML><HEAD><TITLE>Filter Server Not Available</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure
Internet Protection Services v.4.1</H1><H2>Filter Server is not available!</H2>Due
to a rare network event, your Internet Protection Services are temporarily unavailable. The services will resume shortly. We apologize for the inconvenience. Thank you for your patience.</BODY></H] c:\WINDOWS\System32\<HTML><HEAD><TITLE>Filter Server Not Available</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure
Internet Protection Services v.4.1</H1><H2>Filter Server is not available!</H2>Due
to a rare network event, your Internet Protection Services are temporarily unavailable. The services will resume shortly. We apologize for the inconvenience. Thank you for your patience.</BODY></HTML>
O4 - HKCU\..\Run: [<HTML><HEAD><TITLE>Services Not Running</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure Internet Protection
Services v.4.1</H1><H2>Services are not running!</H2>Please reboot your system. If you continue to get this error, please reinstall the Protection Services.
If the problem still persists, please contact our technical support at (850)362-4310.</BODY></H] c:\WINDOWS\System32\<HTML><HEAD><TITLE>Services Not Running</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure
Internet Protection Services v.4.1</H1><H2>Services are not running!</H2>Please reboot your system. If you continue to get this error, please reinstall the Protection Services. If the problem still persists, please contact our technical support at (850)362-4310.</BODY></HTML>
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8A8F3D75-6564-4599-A7DC-313B43A89E1D} (AdInstaller Control) - http://www.movies.net.cn/digital/AdInstaller.ocx
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewizzle.com/installfiles/powertools.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
 
Joined
Jul 26, 2002
Messages
46,331
Hi G8r

Welcome to TSG! :)

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {6A620965-A0F0-D550-2DAC-3E9EAAEAF8B9} - C:\WINDOWS\System32\aiwjtson.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)

O2 - BHO: jimmyhelp.CBrowserHelper - {B2B3DCCB-C5FA-4352-83A7-38B68FFA56B7} - C:\WINDOWS\jigwvwt.dll

O2 - BHO: (no name) - {B755D689-B282-C660-21B0-D83FF91D29A2} - C:\WINDOWS\System32\lusyakgi.dll

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O2 - BHO: (no name) - {C718AAF8-FFC3-9AE8-9E2A-0F59999B303D} - C:\WINDOWS\System32\zauovcuf.dll

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [<HTML><HEAD><TITLE>Filter Server Not Available</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure Internet Protection Services v.4.1</H1><H2>Filter Server is not available!</H2>Due to a rare network event, your Internet Protection Services are temporarily unavailable. The services will resume shortly. We apologize for the inconvenience. Thank you for your patience.</BODY></H] c:\WINDOWS\System32\<HTML><HEAD><TITLE>Filter Server Not Available</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure Internet Protection Services v.4.1</H1><H2>Filter Server is not available!</H2>Due
to a rare network event, your Internet Protection Services are temporarily unavailable. The services will resume shortly. We apologize for the inconvenience. Thank you for your patience.</BODY></HTML>

O4 - HKLM\..\Run: [<HTML><HEAD><TITLE>Services Not Running</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure Internet Protection
Services v.4.1</H1><H2>Services are not running!</H2>Please reboot your system. If you continue to get this error, please reinstall the Protection Services.
If the problem still persists, please contact our technical support at (850)362-4310.</BODY></H] c:\WINDOWS\System32\<HTML><HEAD><TITLE>Services Not Running</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure
Internet Protection Services v.4.1</H1><H2>Services are not running!</H2>Please reboot your system. If you continue to get this error, please reinstall the Protection Services. If the problem still persists, please contact our technical support at (850)362-4310.</BODY></HTML>

O4 - HKLM\..\Run: [bdzyvj] C:\WINDOWS\ehmhtih.exe

O4 - HKLM\..\Run: [eqnfko] C:\WINDOWS\wetysus.exe

O4 - HKLM\..\Run: [QsJ.exe] C:\documents and settings\ridgill\local settings\temp\QsJ.exe

O4 - HKLM\..\Run: [3FFDGFR2T8S53B] C:\WINDOWS\System32\Nwvd1.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [t79W3ml] mapatext.exe

O4 - HKLM\..\Run: [czziars] C:\WINDOWS\geledw.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKCU\..\Run: [<HTML><HEAD><TITLE>Filter Server Not Available</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure
Internet Protection Services v.4.1</H1><H2>Filter Server is not available!</H2>Due
to a rare network event, your Internet Protection Services are temporarily unavailable. The services will resume shortly. We apologize for the inconvenience. Thank you for your patience.</BODY></H] c:\WINDOWS\System32\<HTML><HEAD><TITLE>Filter Server Not Available</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure
Internet Protection Services v.4.1</H1><H2>Filter Server is not available!</H2>Due
to a rare network event, your Internet Protection Services are temporarily unavailable. The services will resume shortly. We apologize for the inconvenience. Thank you for your patience.</BODY></HTML>

O4 - HKCU\..\Run: [<HTML><HEAD><TITLE>Services Not Running</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure Internet Protection
Services v.4.1</H1><H2>Services are not running!</H2>Please reboot your system. If you continue to get this error, please reinstall the Protection Services.
If the problem still persists, please contact our technical support at (850)362-4310.</BODY></H] c:\WINDOWS\System32\<HTML><HEAD><TITLE>Services Not Running</TITLE><META HTTP-EQUIV="expires" CONTENT="-1"><META HTTP-EQUIV="pragma" CONTENT="no-cache"></HEAD><BODY><BR><H1>Bsecure
Internet Protection Services v.4.1</H1><H2>Services are not running!</H2>Please reboot your system. If you continue to get this error, please reinstall the Protection Services. If the problem still persists, please contact our technical support at (850)362-4310.</BODY></HTML>

O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/0203...everContent.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab

O16 - DPF: {8A8F3D75-6564-4599-A7DC-313B43A89E1D} (AdInstaller Control) - http://www.movies.net.cn/digital/AdInstaller.ocx

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

C:\WINDOWS\geledw.exe
C:\WINDOWS\ehmhtih.exe
C:\WINDOWS\wetysus.exe
C:\WINDOWS\ogrfytul.exe
c:\WINDOWS\System32\zzb.exe
C:\WINDOWS\System32\Nwvd1.exe
C:\WINDOWS\System32\dp-him.exe
c:\WINDOWS\System32\zzb.exe

Do a file search for mapatext.exe and delete it.

Delete these folders:

C:\WINDOWS\System32\P2P Networking
C:\Program Files\Common files\WinTools

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\ridgill\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.


Empty the Recycle Bin
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top