Help.....can't get to google

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

wnt2binkauai

Thread Starter
Joined
Sep 23, 2003
Messages
48
I think something is on my computer but I'm not sure what it is. When I try to go to google, I get the following message:

"Are you trying to get to Google?
Your computer is running software that doesn’t allow you to use Google.
You’re seeing this page because your computer is trying to send you to a website that is pretending to be Google. Over the past few weeks, you may have seen a website that looks like Google, but launches pop-up windows and does not work like Google. That page is not affiliated with Google in any way and is intended to deceive you.

Why is this happening?
Most likely a program was installed on your computer automatically and without your knowledge when you downloaded an otherwise harmless piece of software. Or you may have been tricked into clicking on a disguised download button while visiting a website.

What can I do about it?
This problem can be fixed fairly easily, but will require that you make changes in a file that is part of your computer’s operating system. You should always be cautious when making these kinds of adjustments, as they may affect the performance of your computer. If you are not comfortable doing this yourself, you may want to print out this page and show it to someone whose technical knowledge you trust.

What steps do I take?
The first step is to remove the entry for Google from your hosts file. This entry is telling your computer where to send your computer instead of to Google.

In Windows, open the Notepad program. You can do this by going to the Start menu in the lower left of your screen, selecting “Programs,” then “Accessories,” then “Notepad.”

In the Notepad menu, click on “File,” then “Open.” You will see a new window asking which file to open. You may need to change "Files of type" to "All Files" instead of "Text Documents". The actual file to open is listed below:

If your computer is running Windows XP, Window NT, or Windows 2000, the file is located in the folder found by following this path:

My Computer >Local Disk(C) >Windows >System32 >Drivers >etc >hosts

If your computer is running Windows 98, Second Edition or Windows ME, the file is located in the folder found by following this path:

My Computer >Local Disk(C) >Windows >hosts

Once you have opened this file, remove entirely any line of text that contains “google.com”, “www.google.com” or other Google domains (such as “google.co.uk”). To remove the text, highlight it by dragging your pointer across the line while holding down the mouse button. Once the text is highlighted, hit the Backspace or Delete button, then save the file by going to the File menu and clicking “Save.” You can now exit Notepad.

What else can I do?
You might want to try software that attempts to detect and uninstall programs like this one. While we do not have a relationship with anyone who offers this software and we cannot endorse a particular product, the most popular programs for doing this seem to be Spybot Search and Destroy and LavaSoft's AdAware. The particular program affecting your computer is relatively new, so these products might not be able to detect and repair this type of problem yet.

The next step is to learn more. You can visit http://www.doxdesk.com/parasite/ to review information about a number of known self-installing software programs. Several articles on the web may be helpful, such as

· http://www.theage.com.au/articles/2003/04/14/1050172507212.html
· http://news.com.com/2100-1023-877568.html
· http://news.com.com/2100-1023-257592.html

Investigate individual programs using search engines. Try keywords such as "spyware," "scumware," and "adware."
Once you’re informed, take action. Help your family and friends avoid these annoying programs. If you can find the site that installed this software on your computer, let them know how you feel about it. You might also want to track down companies that benefit from having your web visits redirected, and share your feelings with them.

Finally, it's quick and easy to file a complaint with the Federal Trade Commission (FTC). This U.S. government agency handles complaints about deceptive or unfair business practices. To file a complaint, visit: http://www.ftc.gov/ and click on "File a Complaint Online", or call 1-877-FTC-HELP. Or write to:

Federal Trade Commission
CRC-240
Washington, D.C. 20580

If your complaint is against a company in another country, you can file it at http://www.econsumer.gov/. "

I tried to do what it says, but I couldn't see the Hosts in the Windows folder. Any help would be greatly appreciated. Thanks.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Do it the easy way


go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

wnt2binkauai

Thread Starter
Joined
Sep 23, 2003
Messages
48
Thanks. I think I have a lot of junk. here it is:

Logfile of HijackThis v1.97.2
Scan saved at 6:20:18 AM, on 9/24/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CCPM_0237.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thewmurchannel.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?s=searchicon&c=2C01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kazaa-lite.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 www.altavista.com
O1 - Hosts: 64.191.95.139 altavista.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
O1 - Hosts: 64.191.95.139 au.search.yahoo.com
O1 - Hosts: 64.191.95.139 de.search.yahoo.com
O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
O1 - Hosts: 64.191.95.139 www.lycos.de
O1 - Hosts: 64.191.95.139 www.lycos.ca
O1 - Hosts: 64.191.95.139 www.lycos.jp
O1 - Hosts: 64.191.95.139 www.lycos.co.jp
O1 - Hosts: 64.191.95.139 alltheweb.com
O1 - Hosts: 64.191.95.139 web.ask.com
O1 - Hosts: 64.191.95.139 ask.com
O1 - Hosts: 64.191.95.139 www.ask.com
O1 - Hosts: 64.191.95.139 www.teoma.com
O1 - Hosts: 64.191.95.139 search.aol.com
O1 - Hosts: 64.191.95.139 www.looksmart.com
O1 - Hosts: 64.191.95.139 ca.search.msn.com
O1 - Hosts: 64.191.95.139 fr.ca.search.msn.com
O1 - Hosts: 64.191.95.139 search.fr.msn.be
O1 - Hosts: 64.191.95.139 search.fr.msn.ch
O1 - Hosts: 64.191.95.139 search.latam.yupimsn.com
O1 - Hosts: 64.191.95.139 search.msn.at
O1 - Hosts: 64.191.95.139 search.msn.be
O1 - Hosts: 64.191.95.139 search.msn.ch
O1 - Hosts: 64.191.95.139 search.msn.co.in
O1 - Hosts: 64.191.95.139 search.msn.co.jp
O1 - Hosts: 64.191.95.139 search.msn.co.kr
O1 - Hosts: 64.191.95.139 search.msn.com.br
O1 - Hosts: 64.191.95.139 search.msn.com.hk
O1 - Hosts: 64.191.95.139 search.msn.com.my
O1 - Hosts: 64.191.95.139 search.msn.com.sg
O1 - Hosts: 64.191.95.139 search.msn.com.tw
O1 - Hosts: 64.191.95.139 search.msn.co.za
O1 - Hosts: 64.191.95.139 search.msn.de
O1 - Hosts: 64.191.95.139 search.msn.dk
O1 - Hosts: 64.191.95.139 search.msn.es
O1 - Hosts: 64.191.95.139 search.msn.fi
O1 - Hosts: 64.191.95.139 search.msn.fr
O1 - Hosts: 64.191.95.139 search.msn.it
O1 - Hosts: 64.191.95.139 search.msn.nl
O1 - Hosts: 64.191.95.139 search.msn.no
O1 - Hosts: 64.191.95.139 search.msn.se
O1 - Hosts: 64.191.95.139 search.ninemsn.com.au
O1 - Hosts: 64.191.95.139 search.t1msn.com.mx
O1 - Hosts: 64.191.95.139 search.xtramsn.co.nz
O1 - Hosts: 64.191.95.139 search.yupimsn.com
O1 - Hosts: 64.191.95.139 uk.search.msn.com
O1 - Hosts: 64.191.95.139 search.lycos.com
O1 - Hosts: 64.191.95.139 www.lycos.com
O1 - Hosts: 64.191.95.139 www.google.ca
O1 - Hosts: 64.191.95.139 google.ca
O1 - Hosts: 64.191.95.139 www.google.uk
O1 - Hosts: 64.191.95.139 www.google.co.uk
O1 - Hosts: 64.191.95.139 www.google.com.au
O1 - Hosts: 64.191.95.139 www.google.co.jp
O1 - Hosts: 64.191.95.139 www.google.jp
O1 - Hosts: 64.191.95.139 www.google.at
O1 - Hosts: 64.191.95.139 www.google.be
O1 - Hosts: 64.191.95.139 www.google.ch
O1 - Hosts: 64.191.95.139 www.google.de
O1 - Hosts: 64.191.95.139 www.google.dk
O1 - Hosts: 64.191.95.139 www.google.fi
O1 - Hosts: 64.191.95.139 www.google.fr
O1 - Hosts: 64.191.95.139 www.google.com.gr
O1 - Hosts: 64.191.95.139 www.google.com.hk
O1 - Hosts: 64.191.95.139 www.google.ie
O1 - Hosts: 64.191.95.139 www.google.co.il
O1 - Hosts: 64.191.95.139 www.google.it
O1 - Hosts: 64.191.95.139 www.google.co.kr
O1 - Hosts: 64.191.95.139 www.google.com.mx
O1 - Hosts: 64.191.95.139 www.google.nl
O1 - Hosts: 64.191.95.139 www.google.co.nz
O1 - Hosts: 64.191.95.139 www.google.pl
O1 - Hosts: 64.191.95.139 www.google.pt
O1 - Hosts: 64.191.95.139 www.google.com.ru
O1 - Hosts: 64.191.95.139 www.google.com.sg
O1 - Hosts: 64.191.95.139 www.google.co.th
O1 - Hosts: 64.191.95.139 www.google.com.tr
O1 - Hosts: 64.191.95.139 www.google.com.tw
O1 - Hosts: 64.191.95.139 google.at
O1 - Hosts: 64.191.95.139 google.be
O1 - Hosts: 64.191.95.139 google.de
O1 - Hosts: 64.191.95.139 google.dk
O1 - Hosts: 64.191.95.139 google.fi
O1 - Hosts: 64.191.95.139 google.fr
O1 - Hosts: 64.191.95.139 google.com.hk
O1 - Hosts: 64.191.95.139 google.ie
O1 - Hosts: 64.191.95.139 google.co.il
O1 - Hosts: 64.191.95.139 google.it
O1 - Hosts: 64.191.95.139 google.co.kr
O1 - Hosts: 64.191.95.139 google.com.mx
O1 - Hosts: 64.191.95.139 google.nl
O1 - Hosts: 64.191.95.139 google.co.nz
O1 - Hosts: 64.191.95.139 google.pl
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [Compaq_RBA] C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.75.222.51/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orbiter11020/winorbiter.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://128.171.15.137:8000/wfplayer/tdserver.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/downloads/games/common/ieell.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/ea/needforspeed/install.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www102.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.hiltonwaikoloavillage.com/04-experiencenow/webcam/camera.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www3.compaq.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://web14.compaq.com/falco/SysQuery.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://12.47.101.191/central/02030105/cccabs/CleverContent.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {E056E5AD-F719-11D2-971E-00902717B179} (bookonweb.docBook) - http://cciw.com/np4/book/pages/BookOnWeb.CAB
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/installers/InterActXInstall.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3110/ftp.coupons.com/r31/brix6ie.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://www.link-systems.com/~sdk/SDK/paste/lsiw9x.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www113.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {6549A570-A17C-466B-B160-D6C10FE9261F} (EPIC Coupon Control) - http://216.24.232.130/ActiveX/EpicCouponStg.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {330110A5-F627-4DD7-B0F1-24D09C4DA870} (CouponsIncIECtl1 Class) - http://a19.g.akamai.net/7/19/7125/1404/ftp.coupons.com/v7/cpnsie1.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1059130728680
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {345CA9DC-1600-4CD2-BFCF-7B57DD1A32DA} (NeoworkInstall Control) - http://easyinstall.icons.com.ne.kr/easyinstall/ocx/ver1003/NeoworkInstall.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/...C01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kazaa-lite.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 www.altavista.com
O1 - Hosts: 64.191.95.139 altavista.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
O1 - Hosts: 64.191.95.139 au.search.yahoo.com
O1 - Hosts: 64.191.95.139 de.search.yahoo.com
O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
O1 - Hosts: 64.191.95.139 www.lycos.de
O1 - Hosts: 64.191.95.139 www.lycos.ca
O1 - Hosts: 64.191.95.139 www.lycos.jp
O1 - Hosts: 64.191.95.139 www.lycos.co.jp
O1 - Hosts: 64.191.95.139 alltheweb.com
O1 - Hosts: 64.191.95.139 web.ask.com
O1 - Hosts: 64.191.95.139 ask.com
O1 - Hosts: 64.191.95.139 www.ask.com
O1 - Hosts: 64.191.95.139 www.teoma.com
O1 - Hosts: 64.191.95.139 search.aol.com
O1 - Hosts: 64.191.95.139 www.looksmart.com
O1 - Hosts: 64.191.95.139 ca.search.msn.com
O1 - Hosts: 64.191.95.139 fr.ca.search.msn.com
O1 - Hosts: 64.191.95.139 search.fr.msn.be
O1 - Hosts: 64.191.95.139 search.fr.msn.ch
O1 - Hosts: 64.191.95.139 search.latam.yupimsn.com
O1 - Hosts: 64.191.95.139 search.msn.at
O1 - Hosts: 64.191.95.139 search.msn.be
O1 - Hosts: 64.191.95.139 search.msn.ch
O1 - Hosts: 64.191.95.139 search.msn.co.in
O1 - Hosts: 64.191.95.139 search.msn.co.jp
O1 - Hosts: 64.191.95.139 search.msn.co.kr
O1 - Hosts: 64.191.95.139 search.msn.com.br
O1 - Hosts: 64.191.95.139 search.msn.com.hk
O1 - Hosts: 64.191.95.139 search.msn.com.my
O1 - Hosts: 64.191.95.139 search.msn.com.sg
O1 - Hosts: 64.191.95.139 search.msn.com.tw
O1 - Hosts: 64.191.95.139 search.msn.co.za
O1 - Hosts: 64.191.95.139 search.msn.de
O1 - Hosts: 64.191.95.139 search.msn.dk
O1 - Hosts: 64.191.95.139 search.msn.es
O1 - Hosts: 64.191.95.139 search.msn.fi
O1 - Hosts: 64.191.95.139 search.msn.fr
O1 - Hosts: 64.191.95.139 search.msn.it
O1 - Hosts: 64.191.95.139 search.msn.nl
O1 - Hosts: 64.191.95.139 search.msn.no
O1 - Hosts: 64.191.95.139 search.msn.se
O1 - Hosts: 64.191.95.139 search.ninemsn.com.au
O1 - Hosts: 64.191.95.139 search.t1msn.com.mx
O1 - Hosts: 64.191.95.139 search.xtramsn.co.nz
O1 - Hosts: 64.191.95.139 search.yupimsn.com
O1 - Hosts: 64.191.95.139 uk.search.msn.com
O1 - Hosts: 64.191.95.139 search.lycos.com
O1 - Hosts: 64.191.95.139 www.lycos.com
O1 - Hosts: 64.191.95.139 www.google.ca
O1 - Hosts: 64.191.95.139 google.ca
O1 - Hosts: 64.191.95.139 www.google.uk
O1 - Hosts: 64.191.95.139 www.google.co.uk
O1 - Hosts: 64.191.95.139 www.google.com.au
O1 - Hosts: 64.191.95.139 www.google.co.jp
O1 - Hosts: 64.191.95.139 www.google.jp
O1 - Hosts: 64.191.95.139 www.google.at
O1 - Hosts: 64.191.95.139 www.google.be
O1 - Hosts: 64.191.95.139 www.google.ch
O1 - Hosts: 64.191.95.139 www.google.de
O1 - Hosts: 64.191.95.139 www.google.dk
O1 - Hosts: 64.191.95.139 www.google.fi
O1 - Hosts: 64.191.95.139 www.google.fr
O1 - Hosts: 64.191.95.139 www.google.com.gr
O1 - Hosts: 64.191.95.139 www.google.com.hk
O1 - Hosts: 64.191.95.139 www.google.ie
O1 - Hosts: 64.191.95.139 www.google.co.il
O1 - Hosts: 64.191.95.139 www.google.it
O1 - Hosts: 64.191.95.139 www.google.co.kr
O1 - Hosts: 64.191.95.139 www.google.com.mx
O1 - Hosts: 64.191.95.139 www.google.nl
O1 - Hosts: 64.191.95.139 www.google.co.nz
O1 - Hosts: 64.191.95.139 www.google.pl
O1 - Hosts: 64.191.95.139 www.google.pt
O1 - Hosts: 64.191.95.139 www.google.com.ru
O1 - Hosts: 64.191.95.139 www.google.com.sg
O1 - Hosts: 64.191.95.139 www.google.co.th
O1 - Hosts: 64.191.95.139 www.google.com.tr
O1 - Hosts: 64.191.95.139 www.google.com.tw
O1 - Hosts: 64.191.95.139 google.at
O1 - Hosts: 64.191.95.139 google.be
O1 - Hosts: 64.191.95.139 google.de
O1 - Hosts: 64.191.95.139 google.dk
O1 - Hosts: 64.191.95.139 google.fi
O1 - Hosts: 64.191.95.139 google.fr
O1 - Hosts: 64.191.95.139 google.com.hk
O1 - Hosts: 64.191.95.139 google.ie
O1 - Hosts: 64.191.95.139 google.co.il
O1 - Hosts: 64.191.95.139 google.it
O1 - Hosts: 64.191.95.139 google.co.kr
O1 - Hosts: 64.191.95.139 google.com.mx
O1 - Hosts: 64.191.95.139 google.nl
O1 - Hosts: 64.191.95.139 google.co.nz
O1 - Hosts: 64.191.95.139 google.pl



then

download AdAware 6 181
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it´s just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.

then
Download Spybot - Search & Destroy from http://security.kolla.de

After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.


then post a new hijackthis log to check what is left

you really want to review all your O16 dpf entries and delete any that are not from MIcrosoft, macromedia or other legitimate bodies
 

wnt2binkauai

Thread Starter
Joined
Sep 23, 2003
Messages
48
Thanks! I've done all that you've suggested. Here's my new Hijack log:
Logfile of HijackThis v1.97.2
Scan saved at 12:30:08 PM, on 9/24/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thewmurchannel.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [Compaq_RBA] C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.75.222.51/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orbiter11020/winorbiter.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://128.171.15.137:8000/wfplayer/tdserver.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/downloads/games/common/ieell.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/ea/needforspeed/install.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} - http://www102.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.hiltonwaikoloavillage.com/04-experiencenow/webcam/camera.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www3.compaq.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://web14.compaq.com/falco/SysQuery.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://12.47.101.191/central/02030105/cccabs/CleverContent.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {E056E5AD-F719-11D2-971E-00902717B179} (bookonweb.docBook) - http://cciw.com/np4/book/pages/BookOnWeb.CAB
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/installers/InterActXInstall.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3110/ftp.coupons.com/r31/brix6ie.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://www.link-systems.com/~sdk/SDK/paste/lsiw9x.cab
O16 - DPF: {6549A570-A17C-466B-B160-D6C10FE9261F} (EPIC Coupon Control) - http://216.24.232.130/ActiveX/EpicCouponStg.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {330110A5-F627-4DD7-B0F1-24D09C4DA870} (CouponsIncIECtl1 Class) - http://a19.g.akamai.net/7/19/7125/1404/ftp.coupons.com/v7/cpnsie1.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1059130728680
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {345CA9DC-1600-4CD2-BFCF-7B57DD1A32DA} (NeoworkInstall Control) - http://easyinstall.icons.com.ne.kr/easyinstall/ocx/ver1003/NeoworkInstall.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab

What do they 016DPF mean? Any suggestions on what I should get rid of? Thanks for all your help.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
i would get rid of all these below using hijackthis. if any legitimate program needs them again then they will prompt for a fresh download.

run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork..../winorbiter.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://128.171.15.137:8000/wfplayer/tdserver.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab

O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/downloads/games/common/ieell.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/c...py/iesnoopy.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...eed/install.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/c...trap/iegils.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} - http://www102.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.hiltonwaikoloavillage.co...bcam/camera.cab

O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/act.../karaokeCom.ocx
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://12.47.101.191/central/020301...everContent.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {E056E5AD-F719-11D2-971E-00902717B179} (bookonweb.docBook) - http://cciw.com/np4/book/pages/BookOnWeb.CAB
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/in...ActXInstall.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1...com/brxpdf5.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3...r31/brix6ie.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/gam...nts/y/zt3_x.cab
O16 - DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} (LSICapture Control) - http://www.link-systems.com/~sdk/SDK/paste/lsiw9x.cab
O16 - DPF: {6549A570-A17C-466B-B160-D6C10FE9261F} (EPIC Coupon Control) - http://216.24.232.130/ActiveX/EpicCouponStg.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/...torLauncher.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {330110A5-F627-4DD7-B0F1-24D09C4DA870} (CouponsIncIECtl1 Class) - http://a19.g.akamai.net/7/19/7125/1.../v7/cpnsie1.cab

O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://ftp.coupons.com/r3120/cpbrxpie.cab

O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {345CA9DC-1600-4CD2-BFCF-7B57DD1A32DA} (NeoworkInstall Control) - http://easyinstall.icons.com.ne.kr/...workInstall.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
 
Joined
Sep 24, 2003
Messages
4
PLEASE HELP ME DVK01 , I CANNOT FIX THIS MYSELF, too expensive, if I follow your directions (HIJACK) and get the log, will you help me get rid of the friggin thing PLEASE!!!!!!
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
alice

go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results
 
Joined
Sep 24, 2003
Messages
4
Thanks Derek!
I will do it tonight, after work, I already have Hijack this and Adaware. I will do Hijack This Scan Tonight and post results.
Are you in England, if so where? I live in US, but my gramma is from Liverpool.
Alice
 
Joined
Sep 24, 2003
Messages
4
I believe the GOOGLE SPYWARE CAME FROM COOLSEARCH.com
I REMEMBER USING THIS SEARCH, and then This FAKE GOOGLE APPEARED.

BEWARE OF www.COOL SEARCH --SEARCH UTILITY
 
Joined
Sep 24, 2003
Messages
4
Hi, I am so-------Aggravated....Please Help.......Look at this Hijack This File and tell me what is safe to delete. THANK YOU!!! Alice
Computer is now extremely slow, Browser was attacked by FAKE GOOGLE almost 2 weeks ago
Logfile of HijackThis v1.97.2
Scan saved at 9:10:51 PM, on 9/25/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\ZTV2E0\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sassieshop.com/2mystique/shoppers/shopperlogout.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPAL~1\FpLaunch.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PP5300usb] C:\PAPRPORT\FBDirect.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Reboot.exe
O4 - Startup: PaperPort OneTouch.lnk = C:\PAPRPORT\FBDirect.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt503/us/win/QuickTimeInstaller.exe
O16 - DPF: {D4A31C0A-7C73-4702-9EFF-4F98DD229A23} - http://server2.myesp.com/toolbar2/myband.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37589.5605439815

 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sassieshop.com/2mystique...opperlogout.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.highstream.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...amp;ar=iesearch
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL (file missing)
O4 - Startup: Reboot.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D4A31C0A-7C73-4702-9EFF-4F98DD229A23} - http://server2.myesp.com/toolbar2/myband.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab


then
download AdAware 6 181
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it´s just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.

then
Download Spybot - Search & Destroy from http://security.kolla.de

After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.


then post a new hijackthis log to check what is left
 
Joined
Sep 24, 2003
Messages
4
Derek, what about the www.google.com/ie (IN MY LOG ABOVE)Should that be checked to fix also. I usually use MSN SEARCH, and recently I deleted the yahoo companion bar. I should not have any Google on my computer at all! You have the www.highstream Also for me to check, THIS IS MY INTERNET SERVICE PROVIDER, I don't think that needs fixing. I have Adaware already and will post more tonight. I really appreciate all your Help with This, THANKS
ALICE (USA) GEORGIA
 
Joined
Sep 26, 2003
Messages
2
I have been trying all kinds of goofy things in Win2K Pro to get my internet working. The problem was that I could not access certain sites like MSNBC and others. I looked at the
c:\windows\system32\drivers hosts file in Notepad and deleted the contents. Of course I saved a back up, and VOILA I can see all the sites I was unable to get to ... WOW!
Learning everyday ... thanks for the tip!!! (y) (y) :D
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top