1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HELP! Getting my butt kicked!

Discussion in 'Virus & Other Malware Removal' started by jaguar_wsc, Apr 27, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. jaguar_wsc

    jaguar_wsc Thread Starter

    Joined:
    Feb 18, 2004
    Messages:
    68
    Ok ive been getting my butt kicked for the past few day with the about:blank plaugue that i cant beat. now im screwed with a proxy malware that screws with things i click on in IE and points it link sites and other crap sites. Even though i fix the items that shouldnt be there... they all return. here is the logfile. please help. ive used alot of advice here and had alot of success. i have all the latest updates for cws, spybot S&D, spyware blaster, and adaware. None of them fixes my problems. I even restart after fixing and have the same problem. if someone can help i would really appreciate it. thanks



    Logfile of HijackThis v1.97.7
    Scan saved at 5:10:52 AM, on 4/27/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Stop-the-Pop-Up Demo\stopthepop.exe
    C:\WINDOWS\runwin32.exe
    C:\WINDOWS\wininet32.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Demo\stopthepop.exe" -minimized
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




    Things in bold are the items that i fix but just come back. :mad:
     
  2. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Ok. Please do the following & we will see if we can get it sorted for you.
    Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL windows, including IE, before running CWShredder.

    To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

    Reboot after doing this & post another log please.


    If they come back do it again in safe mode. This IS a CWS infection. Make sure only CWShredder is running when you fix the entries.
     
  3. jaguar_wsc

    jaguar_wsc Thread Starter

    Joined:
    Feb 18, 2004
    Messages:
    68
    ok thanks alot man! it worked good at getting rid of the about:blank problem. but the proxy over ride and that other proxy thing is still there and returns after every reboot. heres a new log

    Logfile of HijackThis v1.97.7
    Scan saved at 8:27:06 AM, on 4/27/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Stop-the-Pop-Up Demo\stopthepop.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\runwin32.exe
    C:\WINDOWS\wininet32.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Demo\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    I think those entries are legitimate, they are probably related to you ISP. your log looks clean, wait and see what others have to say. Is your computer running better now?

    khaz
     
  5. jaguar_wsc

    jaguar_wsc Thread Starter

    Joined:
    Feb 18, 2004
    Messages:
    68
    no those entries are malicious. whenever i fix those entries, my browser works like normal. but after reboot, the same proxy override entries are there and causes my browser to screw up again.
     
  6. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
  7. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    ok, you need to get an anti -virus programmes and a firewall.

    do an online scan at2 of these


    Run an online antivirus check from at least one and preferably 2 of the following sites....
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    make sure autoclean is enabled on the scans


    have hijack this fix these

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

    free anti-virus tools

    AVG6 from

    www.grisoft.com

    Avast 4 from

    www.avast.com

    free firewalls are

    www.zonelarm.com

    www.kerio.com

    www.sygate.com

    khaz
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe

    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete:

    The C:\WINDOWS\runwin32.exe file
    The C:\WINDOWS\wininet32.exe file


    Empty the Recycle Bin.


    After deleting those files go to Control panel > Internet Options and click on the Connections tab then click on the "LAN Settings" button. Remove the check by "Use a Proxy Server for your LAN".. Click OK then Apply and OK.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/224249

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice