
Highjacked with http:///?%20.........

Discussion in 'Virus & Other Malware Removal' started by gusg, Sep 19, 2004.

  1. gusg

    gusg Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    14
    I am running Win ME.
    When I type in a web address, it goes to
    http:///? ......... and then "page cannot be displayed",
    even for the home page.
    I ran HJT and received this log:

    Logfile of HijackThis v1.98.2
    Scan saved at 2:28:39 PM, on 18/09/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.crooder.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\PRIMED~1\PRIMED~1.PAC
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
    O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\ALL USERS\APPLICATION DATA\SETUP\SETUP.DLL
    O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [24ALB6334SC#6A] C:\WINDOWS\SYSTEM\PlsO0A54.exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\cvss.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UPDATE] C:\WINDOWS\TEMP\UPDATE.EXE
    O4 - HKLM\..\Run: [NKR] C:\WINDOWS\TEMP\NKR.EXE
    O4 - HKLM\..\Run: [EZX] C:\WINDOWS\TEMP\EZX.EXE
    O4 - HKLM\..\Run: [Z7HZHG] C:\WINDOWS\TEMP\Z7HZHG.EXE
    O4 - HKLM\..\Run: [SZHAN] C:\WINDOWS\TEMP\SZHAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [BT95] C:\WINDOWS\TEMP\BT95.EXE
    O4 - HKLM\..\Run: [XSTS] C:\WINDOWS\TEMP\XSTS.EXE
    O4 - HKLM\..\Run: [bul] C:\WINDOWS\bul.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [T3GM9HORC] C:\WINDOWS\TEMP\T3GM9HORC.EXE
    O4 - HKLM\..\Run: [8VW21B] C:\WINDOWS\TEMP\8VW21B.EXE
    O4 - HKLM\..\Run: [RK5FRRHT4] C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    O4 - HKLM\..\Run: [5PYS6] C:\WINDOWS\TEMP\5PYS6.EXE
    O4 - HKLM\..\Run: [LR] C:\WINDOWS\TEMP\LR.EXE
    O4 - HKLM\..\Run: [ONXTUJDE] C:\WINDOWS\TEMP\ONXTUJDE.EXE
    O4 - HKLM\..\Run: [tgpgv] C:\WINDOWS\tgpgv.exe
    O4 - HKLM\..\Run: [jirapmn] C:\WINDOWS\jirapmn.exe
    O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
    O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [NKR.EXE] C:\WINDOWS\TEMP\NKR.EXE
    O4 - HKLM\..\Run: [BT95.EXE] C:\WINDOWS\TEMP\BT95.EXE
    O4 - HKLM\..\Run: [EZX.EXE] C:\WINDOWS\TEMP\EZX.EXE
    O4 - HKLM\..\Run: [T3GM9HORC.EXE] C:\WINDOWS\TEMP\T3GM9HORC.EXE
    O4 - HKLM\..\Run: [5PYS6.EXE] C:\WINDOWS\TEMP\5PYS6.EXE
    O4 - HKLM\..\Run: [8VW21B.EXE] C:\WINDOWS\TEMP\8VW21B.EXE
    O4 - HKLM\..\Run: [XSTS.EXE] C:\WINDOWS\TEMP\XSTS.EXE
    O4 - HKLM\..\Run: [ONXTUJDE.EXE] C:\WINDOWS\TEMP\ONXTUJDE.EXE
    O4 - HKLM\..\Run: [SZHAN.EXE] C:\WINDOWS\TEMP\SZHAN.EXE
    O4 - HKLM\..\Run: [LR.EXE] C:\WINDOWS\TEMP\LR.EXE
    O4 - HKLM\..\Run: [Z7HZHG.EXE] C:\WINDOWS\TEMP\Z7HZHG.EXE
    O4 - HKLM\..\Run: [RK5FRRHT4.EXE] C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [WCPT] C:\WINDOWS\SYSTEM\wintsvtr.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\Run: [DPLAY] C:\WINDOWS\SYSTEM\DPLAY.EXE
    O4 - HKCU\..\Run: [DBMSSOCN] C:\WINDOWS\SYSTEM\DBMSSOCN.EXE
    O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\RunServices: [WCPT] C:\WINDOWS\SYSTEM\wintsvtr.exe
    O4 - HKCU\..\RunServices: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\RunServices: [DPLAY] C:\WINDOWS\SYSTEM\DPLAY.EXE
    O4 - HKCU\..\RunServices: [DBMSSOCN] C:\WINDOWS\SYSTEM\DBMSSOCN.EXE
    O4 - Startup: folder.htt
    O4 - Global Startup: folder.htt
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O10 - Broken Internet access because of LSP provider 'c:\windows\system\lspak.dll' missing

    I ran Ad-Aware 6; I can't download the latest version yet.
    No web pages are showing.

    Does anyone recognize anything from this log?
    Any help would be greatly appreciated.

    gusg
     
  2. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    Download CWShredder from here:

    http://www.downloads.subratam.org/CWShredder.exe

    Save it to your desktop, but do NOT run it yet!

    Your system is infected by a trojan known as Sandboxer/Peper.

    Please download PeperFix.exe from here:

    http://downloads.subratam.org/PeperFix.exe

    These tools are most effective when they are run in Safe Mode.

    Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A black and white menu should come up where you will be given the option to enter Safe Mode.
    To get back to normal mode just restart the computer as you normally would.

    Once in Safe Mode, run PeperFix.exe, and click Find and Fix twice. It should find all files related to the trojan and fix them.

    Then run CWShredder. Be sure to click Fix instead of Scan Only. It should find some things and remove them.

    Then reboot as you normally would.

    Run this free online virus scan by TrendMicro:

    http://housecall.trendmicro.com/

    Visit this link to learn to configure Spybot Search & Destroy correctly:

    http://www.bleepingcomputer.com/forums/index.php?showtutorial=43

    When you have completed all the above steps, you should restart and post a new HijackThis log.
     
  3. gusg

    gusg Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    14
    Thanks LineOFire for your help,
    and sorry for taking so long to get back.
    I did all your suggestions except

    <Run this free online virus scan by TrendMicro:

    http://housecall.trendmicro.com/>

    because I still could not get pages.
    I ran Ad-Aware SE and it was having trouble deleting the malware:
    it picked up 108 on the first scan,
    then 99 and 87 on the next two.
    When it shows "page cannot be displayed",
    the task bar shows
    "downloading res://C/windowssystemSHDOCLC.DLL...DNS error.htm".
    I am also getting "MS Script control: unknown error" on boot-up.

    I did another HJT scan as you suggested and received:

    Logfile of HijackThis v1.98.2
    Scan saved at 2:15:06 PM, on 21/09/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\TEMP\T3GM9HORC.EXE
    C:\WINDOWS\TEMP\8VW21B.EXE
    C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    C:\WINDOWS\TEMP\5PYS6.EXE
    C:\WINDOWS\TEMP\LR.EXE
    C:\WINDOWS\TEMP\ONXTUJDE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
    C:\WINDOWS\TEMP\T3GM9HORC.EXE
    C:\WINDOWS\TEMP\5PYS6.EXE
    C:\WINDOWS\TEMP\8VW21B.EXE
    C:\WINDOWS\TEMP\ONXTUJDE.EXE
    C:\WINDOWS\TEMP\LR.EXE
    C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\PRIMED~1\PRIMED~1.PAC
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
    O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\ALL USERS\APPLICATION DATA\SETUP\SETUP.DLL
    O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [24ALB6334SC#6A] C:\WINDOWS\SYSTEM\LsxI52.exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\cvss.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [bul] C:\WINDOWS\bul.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [T3GM9HORC] C:\WINDOWS\TEMP\T3GM9HORC.EXE
    O4 - HKLM\..\Run: [8VW21B] C:\WINDOWS\TEMP\8VW21B.EXE
    O4 - HKLM\..\Run: [RK5FRRHT4] C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    O4 - HKLM\..\Run: [5PYS6] C:\WINDOWS\TEMP\5PYS6.EXE
    O4 - HKLM\..\Run: [LR] C:\WINDOWS\TEMP\LR.EXE
    O4 - HKLM\..\Run: [ONXTUJDE] C:\WINDOWS\TEMP\ONXTUJDE.EXE
    O4 - HKLM\..\Run: [tgpgv] C:\WINDOWS\tgpgv.exe
    O4 - HKLM\..\Run: [jirapmn] C:\WINDOWS\jirapmn.exe
    O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
    O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [NKR.EXE] C:\WINDOWS\TEMP\NKR.EXE
    O4 - HKLM\..\Run: [T3GM9HORC.EXE] C:\WINDOWS\TEMP\T3GM9HORC.EXE
    O4 - HKLM\..\Run: [5PYS6.EXE] C:\WINDOWS\TEMP\5PYS6.EXE
    O4 - HKLM\..\Run: [8VW21B.EXE] C:\WINDOWS\TEMP\8VW21B.EXE
    O4 - HKLM\..\Run: [ONXTUJDE.EXE] C:\WINDOWS\TEMP\ONXTUJDE.EXE
    O4 - HKLM\..\Run: [LR.EXE] C:\WINDOWS\TEMP\LR.EXE
    O4 - HKLM\..\Run: [RK5FRRHT4.EXE] C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    O4 - HKLM\..\Run: [UPDATE] C:\WINDOWS\TEMP\UPDATE.EXE
    O4 - HKLM\..\Run: [NKR] C:\WINDOWS\TEMP\NKR.EXE
    O4 - HKLM\..\Run: [EZX] C:\WINDOWS\TEMP\EZX.EXE
    O4 - HKLM\..\Run: [Z7HZHG] C:\WINDOWS\TEMP\Z7HZHG.EXE
    O4 - HKLM\..\Run: [SZHAN] C:\WINDOWS\TEMP\SZHAN.EXE
    O4 - HKLM\..\Run: [BT95] C:\WINDOWS\TEMP\BT95.EXE
    O4 - HKLM\..\Run: [XSTS] C:\WINDOWS\TEMP\XSTS.EXE
    O4 - HKLM\..\Run: [BT95.EXE] C:\WINDOWS\TEMP\BT95.EXE
    O4 - HKLM\..\Run: [EZX.EXE] C:\WINDOWS\TEMP\EZX.EXE
    O4 - HKLM\..\Run: [XSTS.EXE] C:\WINDOWS\TEMP\XSTS.EXE
    O4 - HKLM\..\Run: [SZHAN.EXE] C:\WINDOWS\TEMP\SZHAN.EXE
    O4 - HKLM\..\Run: [Z7HZHG.EXE] C:\WINDOWS\TEMP\Z7HZHG.EXE
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [WCPT] C:\WINDOWS\SYSTEM\wintsvtr.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\Run: [DPLAY] C:\WINDOWS\SYSTEM\DPLAY.EXE
    O4 - HKCU\..\Run: [DBMSSOCN] C:\WINDOWS\SYSTEM\DBMSSOCN.EXE
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\RunServices: [WCPT] C:\WINDOWS\SYSTEM\wintsvtr.exe
    O4 - HKCU\..\RunServices: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\RunServices: [DPLAY] C:\WINDOWS\SYSTEM\DPLAY.EXE
    O4 - HKCU\..\RunServices: [DBMSSOCN] C:\WINDOWS\SYSTEM\DBMSSOCN.EXE
    O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: folder.htt
    O4 - Global Startup: folder.htt
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O10 - Broken Internet access because of LSP provider 'c:\windows\system\lspak.dll' missing

    I can also give you a list of the programs running in Ctrl-Alt-Del
    if you need it.

    Thanks again for your patience.
    gusg
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download the removal tool from http://www.memorywatcher.com/uninst.exe & let it do its thing. Note that you must be online when you run the tool for it to be effective.

    Restart in Safe Mode

    Empty C:\WINDOWS\TEMP

    Reboot and post another log.
     
  5. gusg

    gusg Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    14
    Thanks cybertech for your advice,
    much appreciated.

    I did the tasks that you requested,
    and here is the new log:

    Logfile of HijackThis v1.98.2
    Scan saved at 1:56:33 PM, on 23/09/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\PRIMED~1\PRIMED~1.PAC
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
    O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\ALL USERS\APPLICATION DATA\SETUP\SETUP.DLL
    O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [24ALB6334SC#6A] C:\WINDOWS\SYSTEM\LsxI52.exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\cvss.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [bul] C:\WINDOWS\bul.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [T3GM9HORC] C:\WINDOWS\TEMP\T3GM9HORC.EXE
    O4 - HKLM\..\Run: [8VW21B] C:\WINDOWS\TEMP\8VW21B.EXE
    O4 - HKLM\..\Run: [RK5FRRHT4] C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    O4 - HKLM\..\Run: [5PYS6] C:\WINDOWS\TEMP\5PYS6.EXE
    O4 - HKLM\..\Run: [LR] C:\WINDOWS\TEMP\LR.EXE
    O4 - HKLM\..\Run: [ONXTUJDE] C:\WINDOWS\TEMP\ONXTUJDE.EXE
    O4 - HKLM\..\Run: [tgpgv] C:\WINDOWS\tgpgv.exe
    O4 - HKLM\..\Run: [jirapmn] C:\WINDOWS\jirapmn.exe
    O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
    O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [NKR.EXE] C:\WINDOWS\TEMP\NKR.EXE
    O4 - HKLM\..\Run: [T3GM9HORC.EXE] C:\WINDOWS\TEMP\T3GM9HORC.EXE
    O4 - HKLM\..\Run: [5PYS6.EXE] C:\WINDOWS\TEMP\5PYS6.EXE
    O4 - HKLM\..\Run: [8VW21B.EXE] C:\WINDOWS\TEMP\8VW21B.EXE
    O4 - HKLM\..\Run: [ONXTUJDE.EXE] C:\WINDOWS\TEMP\ONXTUJDE.EXE
    O4 - HKLM\..\Run: [LR.EXE] C:\WINDOWS\TEMP\LR.EXE
    O4 - HKLM\..\Run: [RK5FRRHT4.EXE] C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    O4 - HKLM\..\Run: [UPDATE] C:\WINDOWS\TEMP\UPDATE.EXE
    O4 - HKLM\..\Run: [NKR] C:\WINDOWS\TEMP\NKR.EXE
    O4 - HKLM\..\Run: [EZX] C:\WINDOWS\TEMP\EZX.EXE
    O4 - HKLM\..\Run: [Z7HZHG] C:\WINDOWS\TEMP\Z7HZHG.EXE
    O4 - HKLM\..\Run: [SZHAN] C:\WINDOWS\TEMP\SZHAN.EXE
    O4 - HKLM\..\Run: [BT95] C:\WINDOWS\TEMP\BT95.EXE
    O4 - HKLM\..\Run: [XSTS] C:\WINDOWS\TEMP\XSTS.EXE
    O4 - HKLM\..\Run: [BT95.EXE] C:\WINDOWS\TEMP\BT95.EXE
    O4 - HKLM\..\Run: [EZX.EXE] C:\WINDOWS\TEMP\EZX.EXE
    O4 - HKLM\..\Run: [XSTS.EXE] C:\WINDOWS\TEMP\XSTS.EXE
    O4 - HKLM\..\Run: [SZHAN.EXE] C:\WINDOWS\TEMP\SZHAN.EXE
    O4 - HKLM\..\Run: [Z7HZHG.EXE] C:\WINDOWS\TEMP\Z7HZHG.EXE
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [WCPT] C:\WINDOWS\SYSTEM\wintsvtr.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\Run: [DPLAY] C:\WINDOWS\SYSTEM\DPLAY.EXE
    O4 - HKCU\..\Run: [DBMSSOCN] C:\WINDOWS\SYSTEM\DBMSSOCN.EXE
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\RunServices: [WCPT] C:\WINDOWS\SYSTEM\wintsvtr.exe
    O4 - HKCU\..\RunServices: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\RunServices: [DPLAY] C:\WINDOWS\SYSTEM\DPLAY.EXE
    O4 - HKCU\..\RunServices: [DBMSSOCN] C:\WINDOWS\SYSTEM\DBMSSOCN.EXE
    O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: folder.htt
    O4 - Global Startup: folder.htt
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O10 - Broken Internet access because of LSP provider 'c:\windows\system\lspak.dll' missing

    I also did another Ad-Aware scan and removed 78 items
    with no problem this time.
    I did a second scan and nothing showed.

    I am still not able to get web pages.
    I noticed the last item on the HJT log,
    about "O10 - Broken Internet access because of LSP provider 'c:\windows\system\lspak.dll' missing".

    I did a search for this file <not found>.
    Would it be an advantage to download this file?

    Thanks again for your help
    gusg
     
  6. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    Download LSPFix from here:

    http://www.cexx.org/LSPFix.exe

    Check the "I know what I'm doing" box.
    In the Keep box you should see one or more instances of lspak.dll.
    Select every instance of lspak.dll and move it to the Remove box by clicking the >> button.
    When you are done, click Finish>>.

    You may want to print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Please close all browsers and windows and have HijackThis fix these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.crooder.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
    O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\ALL USERS\APPLICATION DATA\SETUP\SETUP.DLL
    O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
    O4 - HKLM\..\Run: [24ALB6334SC#6A] C:\WINDOWS\SYSTEM\PlsO0A54.exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\cvss.exe
    O4 - HKLM\..\Run: [UPDATE] C:\WINDOWS\TEMP\UPDATE.EXE
    O4 - HKLM\..\Run: [NKR] C:\WINDOWS\TEMP\NKR.EXE
    O4 - HKLM\..\Run: [EZX] C:\WINDOWS\TEMP\EZX.EXE
    O4 - HKLM\..\Run: [Z7HZHG] C:\WINDOWS\TEMP\Z7HZHG.EXE
    O4 - HKLM\..\Run: [SZHAN] C:\WINDOWS\TEMP\SZHAN.EXE
    O4 - HKLM\..\Run: [BT95] C:\WINDOWS\TEMP\BT95.EXE
    O4 - HKLM\..\Run: [XSTS] C:\WINDOWS\TEMP\XSTS.EXE
    O4 - HKLM\..\Run: [bul] C:\WINDOWS\bul.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [T3GM9HORC] C:\WINDOWS\TEMP\T3GM9HORC.EXE
    O4 - HKLM\..\Run: [8VW21B] C:\WINDOWS\TEMP\8VW21B.EXE
    O4 - HKLM\..\Run: [RK5FRRHT4] C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    O4 - HKLM\..\Run: [5PYS6] C:\WINDOWS\TEMP\5PYS6.EXE
    O4 - HKLM\..\Run: [LR] C:\WINDOWS\TEMP\LR.EXE
    O4 - HKLM\..\Run: [ONXTUJDE] C:\WINDOWS\TEMP\ONXTUJDE.EXE
    O4 - HKLM\..\Run: [tgpgv] C:\WINDOWS\tgpgv.exe
    O4 - HKLM\..\Run: [jirapmn] C:\WINDOWS\jirapmn.exe
    O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
    O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [NKR.EXE] C:\WINDOWS\TEMP\NKR.EXE
    O4 - HKLM\..\Run: [BT95.EXE] C:\WINDOWS\TEMP\BT95.EXE
    O4 - HKLM\..\Run: [EZX.EXE] C:\WINDOWS\TEMP\EZX.EXE
    O4 - HKLM\..\Run: [T3GM9HORC.EXE] C:\WINDOWS\TEMP\T3GM9HORC.EXE
    O4 - HKLM\..\Run: [5PYS6.EXE] C:\WINDOWS\TEMP\5PYS6.EXE
    O4 - HKLM\..\Run: [8VW21B.EXE] C:\WINDOWS\TEMP\8VW21B.EXE
    O4 - HKLM\..\Run: [XSTS.EXE] C:\WINDOWS\TEMP\XSTS.EXE
    O4 - HKLM\..\Run: [ONXTUJDE.EXE] C:\WINDOWS\TEMP\ONXTUJDE.EXE
    O4 - HKLM\..\Run: [SZHAN.EXE] C:\WINDOWS\TEMP\SZHAN.EXE
    O4 - HKLM\..\Run: [LR.EXE] C:\WINDOWS\TEMP\LR.EXE
    O4 - HKLM\..\Run: [Z7HZHG.EXE] C:\WINDOWS\TEMP\Z7HZHG.EXE
    O4 - HKLM\..\Run: [RK5FRRHT4.EXE] C:\WINDOWS\TEMP\RK5FRRHT4.EXE
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [WCPT] C:\WINDOWS\SYSTEM\wintsvtr.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\Run: [DPLAY] C:\WINDOWS\SYSTEM\DPLAY.EXE
    O4 - HKCU\..\Run: [DBMSSOCN] C:\WINDOWS\SYSTEM\DBMSSOCN.EXE
    O4 - HKCU\..\RunServices: [WCPT] C:\WINDOWS\SYSTEM\wintsvtr.exe
    O4 - HKCU\..\RunServices: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\RunServices: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\RunServices: [DPLAY] C:\WINDOWS\SYSTEM\DPLAY.EXE
    O4 - HKCU\..\RunServices: [DBMSSOCN] C:\WINDOWS\SYSTEM\DBMSSOCN.EXE

    Reconfigure Windows ME to show hidden files:
    Double-click the My Computer icon on the Windows desktop.
    Select the Tools menu and click Folder Options. Select the View tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option.
    Uncheck the "Hide file extensions for known file types" option.
    Click Yes to confirm. Click OK.

    Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    To get back to normal mode just restart the computer as you normally would.

    Please remove these entries from Add/Remove Programs in the Control Panel (if present):

    NaviSearch
    WinTools

    Please delete these folders using Windows Explorer (if present):

    c:\installer
    C:\Program Files\NaviSearch
    C:\Program Files\Common Files\slmss
    C:\Program Files\Common Files\WinTools
    C:\WINDOWS\ALL USERS\APPLICATION DATA\SETUP

    Please delete these files using Windows Explorer (if present):

    C:\WINDOWS\aqadcup.exe
    C:\WINDOWS\bul.exe
    C:\WINDOWS\cvss.exe
    C:\WINDOWS\goidr.exe
    C:\WINDOWS\jawa32.exe
    C:\WINDOWS\jirapmn.exe
    C:\WINDOWS\tgpgv.exe
    C:\WINDOWS\SYSTEM\DBMSSOCN.EXE
    C:\WINDOWS\SYSTEM\DPLAY.EXE
    C:\WINDOWS\SYSTEM\msmc.exe
    C:\WINDOWS\SYSTEM\PlsO0A54.exe
    C:\WINDOWS\SYSTEM\wintsvtr.exe

    Start | Run | type %temp% | Delete everything in this folder!

    Now you can restart the computer normally.
    Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)
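As an added example (not part of this thread, and not a HijackThis or Tech Support Guy tool), the Python script below applies the same triage the helpers did by eye to the HijackThis log format posted above, and then checks a fix list like the one in this post against a follow-up log, which is the loop the thread repeats with each new log. The heuristics (autoruns launched from TEMP, one program registered under two value names such as [NKR] and [NKR.EXE], random-looking executable names, hosts-file entries pointing at a non-loopback address, registry entries whose file is missing, a broken LSP chain) are ours; the sample lines are copied from the logs in the thread, and the "after" log is constructed from them for illustration.

```python
"""Triage helper for HijackThis-style logs (added example; not a HijackThis or
Tech Support Guy tool). Parses the R*/O1/O2/O3/O4/O10 line formats seen in this
thread, flags the patterns the helpers acted on, and reports which lines of a
fix list still appear in a later log. Heuristics are ours and deliberately coarse."""
import re
from collections import Counter

# Every entry looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [NKR] C:\WINDOWS\TEMP\NKR.EXE"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Registry autorun body: "HKLM\..\Run: [value name] command line"
AUTORUN_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Hosts-file body: "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")


def parse_log(text):
    """Return (section, body, line) for every entry line; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def _executable(cmd):
    """Lower-cased file name of the program an autorun command starts."""
    parts = cmd.strip().split()
    if not parts:
        return ""
    return parts[0].strip('"').rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Map each suspicious log line to the list of reasons it was flagged."""
    # The same program registered under several value names ([NKR] and [NKR.EXE])
    # recurs throughout the thread's logs, so count autorun commands first.
    cmd_counts = Counter()
    for section, body, _ in entries:
        m = AUTORUN_RE.match(body) if section == "O4" else None
        if m:
            cmd_counts[m.group("cmd").strip().lower()] += 1

    flags = {}
    for section, body, line in entries:
        reasons = []
        if section.startswith("R") and "= http" in body and any(
                key in body for key in ("SearchURL", "Start Page", "Search,(Default)")):
            reasons.append("search or start page overridden")
        if "(no file)" in body:
            reasons.append("registry entry points at a missing file")
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m and not m.group("ip").startswith("127."):
                reasons.append("hosts file redirects %s to %s" % (m.group("host"), m.group("ip")))
        if section == "O4":
            m = AUTORUN_RE.match(body)
            if m:
                cmd = m.group("cmd").strip().lower()
                if "\\temp\\" in cmd:
                    reasons.append("autorun from TEMP directory")
                base = _executable(cmd).rsplit(".", 1)[0]
                # Coarse heuristic for generated names such as T3GM9HORC or 8VW21B:
                # five or more letters/digits with a digit directly followed by a letter.
                if len(base) >= 5 and base.isalnum() and re.search(r"\d[a-z]", base):
                    reasons.append("random-looking executable name")
                if cmd_counts[cmd] > 1:
                    reasons.append("same command registered under %d autorun names" % cmd_counts[cmd])
        if section == "O10":
            reasons.append("Winsock LSP chain broken (missing provider DLL)")
        if reasons:
            flags[line] = reasons
    return flags


def remaining(fix_list, later_log):
    """Fix-list lines that still appear verbatim in a later log."""
    later = {line for _, _, line in parse_log(later_log)}
    return {l.strip() for l in fix_list.splitlines() if l.strip() in later}


# Sample lines copied from the first log posted in the thread (a subset).
BEFORE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.crooder.com/search/
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [NKR] C:\WINDOWS\TEMP\NKR.EXE
O4 - HKLM\..\Run: [NKR.EXE] C:\WINDOWS\TEMP\NKR.EXE
O4 - HKLM\..\Run: [T3GM9HORC] C:\WINDOWS\TEMP\T3GM9HORC.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system\lspak.dll' missing
"""
# A fix list in the helpers' style, and a constructed follow-up log in which one entry came back.
FIX_LIST = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [NKR] C:\WINDOWS\TEMP\NKR.EXE
O4 - HKLM\..\Run: [NKR.EXE] C:\WINDOWS\TEMP\NKR.EXE
O4 - HKLM\..\Run: [T3GM9HORC] C:\WINDOWS\TEMP\T3GM9HORC.EXE
"""
AFTER_LOG = r"""
Logfile of HijackThis v1.98.2
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [T3GM9HORC] C:\WINDOWS\TEMP\T3GM9HORC.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system\lspak.dll' missing
"""

if __name__ == "__main__":
    for line, reasons in triage(parse_log(BEFORE_LOG)).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
    print("Still present after the fix:", remaining(FIX_LIST, AFTER_LOG))
```

The legitimate ScanRegistry entry is left alone, while the two NKR entries are flagged both for running from TEMP and for sharing one command under two value names; the random-name rule is a heuristic and will occasionally hit legitimate binaries, so treat its output as a prompt to look closer, not as a verdict. The `remaining` check is the step the helpers perform by hand when they ask for a fresh log: a fix-list line that reappears means the file was not removed or something re-created the entry.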
     
  7. gusg

    gusg Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    14
    A thousand thanks, LineOFire,
    I'm back on the web!
    I also did some preventive maintenance.
    Here is the last HJT log:

    Logfile of HijackThis v1.98.2
    Scan saved at 2:14:39 PM, on 25/09/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\PRIMED~1\PRIMED~1.PAC
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: folder.htt
    O4 - Global Startup: folder.htt
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

    And again many, many thanks to everyone
    who contributed.

    gusg
     
  8. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    Not quite done yet. :)

    You may want to print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Please close all browsers and windows and have HijackThis fix these entries:

    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: folder.htt
    O4 - Global Startup: folder.htt

    Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    To get back to normal mode just restart the computer as you normally would.

    Please remove these entries from Add/Remove Programs in the Control Panel (if present):

    CashBack
    WebOffer

    Please delete these folders using Windows Explorer (if present):

    C:\Program Files\CashBack
    C:\Program Files\Web Offer

    Now you can restart the computer normally.
    Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)
     
  9. gusg

    gusg Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    14
    thanks again for your help
    and dedication
    here is the latest hjt log

    Logfile of HijackThis v1.98.2
    Scan saved at 2:58:11 PM, on 27/09/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\PRIMED~1\PRIMED~1.PAC
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab

    everything still going good
    again many thanks

    gusg
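An added example, not code from this thread or from HijackThis itself, of the check a helper does by eye at this point: parse the two logs in the layout HijackThis prints them, confirm that every entry from the fix list in post 8 is absent from the fresh log, and list what appeared since the first scan. The two sample logs are constructed abbreviations of the 18/09/2004 and 27/09/2004 logs posted above; the parser treats each `Xn - ...` line as an entry and the block under `Running processes:` as the process list, which is an assumption about the format drawn only from the logs on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample input: abbreviated excerpts of the two HijackThis logs
# posted in this thread (first scan on 18/09/2004, fresh scan on 27/09/2004).
BEFORE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 2:28:39 PM, on 18/09/2004

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\PRIMED~1\PRIMED~1.PAC
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
"""

AFTER_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 2:58:11 PM, on 27/09/2004

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\PRIMED~1\PRIMED~1.PAC
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
"""

# The four entries the helper asked to have fixed, copied from post 8.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe",
    r"O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe",
    r"O4 - Startup: folder.htt",
    r"O4 - Global Startup: folder.htt",
]

# Assumed entry shape, taken from the logs in this thread: "R1 - ...", "O4 - ...", "O16 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str   # HijackThis section code, e.g. R1, O4, O16
    body: str   # everything after "Oxx - "
    raw: str    # the full line as it appears in the log


def parse_log(text):
    """Split a HijackThis log into (running processes, entries)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("code"), m.group("body"), line))
    return processes, entries


def verify_fix(before_text, after_text, fix_list):
    """Check a fresh log against the entries that were meant to be removed.

    removed       - fix-list entries present before and gone after
    still_present - fix-list entries that survived the fix
    not_in_before - fix-list entries that never matched the first log
                    (usually a copy/paste mismatch; do not count it as fixed)
    new_entries   - entries in the fresh log that were not in the old one
    """
    _, before = parse_log(before_text)
    _, after = parse_log(after_text)
    before_raw = {e.raw for e in before}
    after_raw = {e.raw for e in after}
    wanted = [w.strip() for w in fix_list]
    return {
        "removed": [w for w in wanted if w in before_raw and w not in after_raw],
        "still_present": [w for w in wanted if w in after_raw],
        "not_in_before": [w for w in wanted if w not in before_raw],
        "new_entries": [e.raw for e in after if e.raw not in before_raw],
    }
```

On the two excerpts the report lists the four fix-list entries as removed, nothing still present, and the AVG, ZoneAlarm and O16 lines as new since the first scan. A fix-list line that never matched the earlier log (a typo when copying the entry) is reported on its own rather than being counted as removed, which is the failure mode to watch for when comparing logs by hand.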
     
  10. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    Looks clean now. ;)
     
Short URL to this thread: https://techguy.org/275787