hijack this log & active scan log for your review

Discussion in 'Virus & Other Malware Removal' started by jp.in.vt, Sep 30, 2005.

Thread Status:
Not open for further replies.
  1. jp.in.vt

    jp.in.vt Thread Starter

    Joined:
    Sep 30, 2005
    Messages:
    8
    IBM 760 XL win98 1st edition
    I really like this computer; it does what I need/want it to do. So I'd like it to run better without spending too much $$, though I did spend $38.00 last night
    on PConPoint, which I think worked on my registry, but other "free" programs like PCRescue 3.0 and BugDoctor still find errors in a couple of .dll files and other files too.
    So if you can get me back up and running at 100% I'll make a donation to this site! Thanks, JP

    Here's my HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:17:09 PM, on 9/30/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\CRRO32.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\WPSIOMON.EXE
    C:\WINDOWS\SYSTEM\WPSCHIFX.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\THINKPAD\UTILITIES\TP98TRAY.EXE
    C:\WINDOWS\SYSTEM\OCBTRAY.EXE
    C:\WINDOWS\APIUH.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PILOT\HOTSYNC.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\derop.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\derop.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\derop.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\derop.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\derop.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\derop.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\derop.dll/sp.html#93256
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\WPSIOMON
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Class - {F0E44A95-C75A-FBD2-EDFA-0D6EDD539C09} - C:\WINDOWS\SYSTEM\SYSTH.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\THINKPAD\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
    O4 - HKLM\..\Run: [APIUH.EXE] C:\WINDOWS\APIUH.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [CRRO32.EXE] C:\WINDOWS\SYSTEM\CRRO32.EXE /s
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: HotSync Manager.lnk = C:\pilot\HOTSYNC.EXE
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

    Here's the ActiveScan Log of "my computer":

    Incident | Status | Location
    Adware:Adware/SearchAid | No disinfected | C:\WINDOWS\SYSTEM\CRRO32.EXE
    Adware:adware/cws.homesearchasisstant | No disinfected | Windows Registry
    Adware:Adware/Startpage.VQ | No disinfected | C:\WINDOWS\SYSTEM\derop.dll
    Adware:Adware/SearchAid | No disinfected | C:\WINDOWS\SYSTEM\ndaa.dll
    Adware:Adware/SearchAid | No disinfected | C:\WINDOWS\SYSTEM\crro32.exe
    Adware:Adware/Startpage.VQ | No disinfected | C:\WINDOWS\coujwl.txt
    Adware:Adware/SearchAid | No disinfected | C:\ms32.tmp
     
  2. jp.in.vt

    jp.in.vt Thread Starter

    Joined:
    Sep 30, 2005
    Messages:
    8
  3. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    77,816
    First Name:
    Frank
    Your computer definitely has some problems. :(

    ----------------------------------------------------------------

    Go to the "Spyware Tools" section at www.majorgeeks.com and download and install

    Ad-Aware SE Personal 1.06

    Spybot - Search & Destroy 1.4


    After they're installed, run their update function and install whatever updates are available for them. After they've been updated, run a full system scan with Ad-Aware. When the scan is finished, select and fix everything that it finds. Run a scan with Spybot. When the scan is finished, select and fix everything in red that it finds.

    Reboot your computer afterwards, run another scan with HijackThis, then post the new log here.

    ----------------------------------------------------------------
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hi Frank,
    I've subscribed to this thread as that's a nasty CWS infection.

    I'll wait to see a new Hijack log before posting instructions. (y)
     
  5. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    77,816
    First Name:
    Frank
    CheeseBall:

    Thanks for jumping in. I wanted a scan with Ad-Aware and Spybot to be done first before suggesting any fixing to the log.

    These 3 entries:

    O2 - BHO: Class - {F0E44A95-C75A-FBD2-EDFA-0D6EDD539C09} - C:\WINDOWS\SYSTEM\SYSTH.DLL

    O4 - HKLM\..\Run: [APIUH.EXE] C:\WINDOWS\APIUH.EXE

    O4 - HKLM\..\RunServices: [CRRO32.EXE] C:\WINDOWS\SYSTEM\CRRO32.EXE /s


    look suspicious to me. The BHO entry indicates a CoolWebSearch variant.

    ----------------------------------------------------------------
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    No problem :)

    Yes, it's CoolWebSearch. A new log is the next best thing, as in such cases as this - when you restart the computer, the infected filenames will change.
     
  7. jp.in.vt

    jp.in.vt Thread Starter

    Joined:
    Sep 30, 2005
    Messages:
    8
    OK, I did all three things just now: Ad-Aware 1.06 and delete, then SpyBot and delete all red things (25 total, 17 were coolwwwsearch).
    The Ad-Aware file was pretty large too.
    And now HijackThis, with results posted below:
    Logfile of HijackThis v1.99.1
    Scan saved at 4:08:27 PM, on 10/3/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\CRRO32.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\WPSIOMON.EXE
    C:\WINDOWS\SYSTEM\WPSCHIFX.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\THINKPAD\UTILITIES\TP98TRAY.EXE
    C:\WINDOWS\SYSTEM\OCBTRAY.EXE
    C:\WINDOWS\APIUH.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PILOT\HOTSYNC.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcqrd.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcqrd.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rcqrd.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcqrd.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcqrd.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcqrd.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcqrd.dll/sp.html#93256
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\WPSIOMON
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Class - {F0E44A95-C75A-FBD2-EDFA-0D6EDD539C09} - C:\WINDOWS\SYSTEM\SYSTH.DLL
    O2 - BHO: Class - {2341B6B9-E486-B1AF-52DC-D05B8550CE4F} - C:\WINDOWS\IPKO32.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\THINKPAD\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
    O4 - HKLM\..\Run: [APIUH.EXE] C:\WINDOWS\APIUH.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [CRRO32.EXE] C:\WINDOWS\SYSTEM\CRRO32.EXE /s
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: HotSync Manager.lnk = C:\pilot\HOTSYNC.EXE
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

    let me know what to do next. THANKS!
    jp
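
Comparing the two HijackThis logs posted above, as an added example that is not part of the original thread. The three triage heuristics (an IE search value served from a `res://` DLL, a BHO registered only as "Class", a Run value named after its own executable) are illustrative assumptions, not HijackThis's or the helpers' method; the two log strings are excerpts of the logs posted here.

```python
import re
from ntpath import basename  # Windows path rules regardless of host OS

# Excerpts of the two logs posted in this thread (9/30/05 and 10/3/05).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\derop.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {F0E44A95-C75A-FBD2-EDFA-0D6EDD539C09} - C:\WINDOWS\SYSTEM\SYSTH.DLL
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [APIUH.EXE] C:\WINDOWS\APIUH.EXE
O4 - HKLM\..\RunServices: [CRRO32.EXE] C:\WINDOWS\SYSTEM\CRRO32.EXE /s
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcqrd.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {F0E44A95-C75A-FBD2-EDFA-0D6EDD539C09} - C:\WINDOWS\SYSTEM\SYSTH.DLL
O2 - BHO: Class - {2341B6B9-E486-B1AF-52DC-D05B8550CE4F} - C:\WINDOWS\IPKO32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [APIUH.EXE] C:\WINDOWS\APIUH.EXE
O4 - HKLM\..\RunServices: [CRRO32.EXE] C:\WINDOWS\SYSTEM\CRRO32.EXE /s
"""

# HijackThis line shapes used below: R0/R1 IE settings, O2 BHOs, O4 autoruns.
RES = re.compile(r"^R[01] - (.+?) = res://(.+?\.dll)/", re.I)
BHO = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-F-]{36}\}) - (.+)$", re.I)
RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.+)$")

def flag(log):
    """Map a stable slot (registry value, CLSID, Run name) to the file it loads."""
    hits = {}
    for line in map(str.strip, log.splitlines()):
        if m := RES.match(line):    # IE search setting served from a local DLL resource
            hits["IE " + m[1]] = m[2]
        elif m := BHO.match(line):  # BHO registered under the bare placeholder name "Class"
            if m[1] == "Class":
                hits["BHO " + m[2]] = m[3]
        elif m := RUN.match(line):  # autorun value named after its own executable
            exe = basename(re.split(r"\s+/", m[3])[0])  # crude: drop "/switch" arguments
            if m[2].lower() == exe.lower():
                hits[f"{m[1]} [{m[2]}]"] = m[3]
    return hits

def compare(before, after):
    """Diff flagged slots so a renamed file in the same slot is not mistaken for a clean-up."""
    old, new = flag(before), flag(after)
    both = old.keys() & new.keys()
    return {
        "renamed": {k: (old[k], new[k]) for k in both if old[k] != new[k]},
        "persisting": sorted(k for k in both if old[k] == new[k]),
        "new": {k: new[k] for k in new.keys() - old.keys()},
        "removed": sorted(old.keys() - new.keys()),
    }

if __name__ == "__main__":
    for kind, items in compare(LOG_BEFORE, LOG_AFTER).items():
        print(kind, items)
```

Keying on the registry value, CLSID or Run name rather than on the file name is what lets the diff report the same slot now loading a different DLL.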
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    First copy the contents of the quote box to Notepad. Go to File - Save As and name it Fix.reg (save as type: “all files”)

    You will need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:

    Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
    Save it to your desktop.
    DO NOT run it yet.

    Click here: http://cwshredder.net/bin/CWSInstall.exe to download CWSinstall.exe to the desktop.

    Click: http://www.majorgeeks.com/AboutBuster_d4289.html to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

    Now go ahead and set your computer to show hidden files like so:

    Open My Computer.
    Select the View menu and click Folder Options.
    Select the View Tab.
    In the Hidden files section select Show all files.
    Click OK.

    After you have downloaded all the above tools, sign off the Internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

    Now, boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

    Double click on the fix.reg file you saved at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

    Run Hijack This and put a check by these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcqrd.dll/sp.html#93256

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcqrd.dll/sp.html#93256

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rcqrd.dll/sp.html#93256

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcqrd.dll/sp.html#93256

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcqrd.dll/sp.html#93256

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcqrd.dll/sp.html#93256

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcqrd.dll/sp.html#93256

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {F0E44A95-C75A-FBD2-EDFA-0D6EDD539C09} - C:\WINDOWS\SYSTEM\SYSTH.DLL

    O2 - BHO: Class - {2341B6B9-E486-B1AF-52DC-D05B8550CE4F} - C:\WINDOWS\IPKO32.DLL

    O4 - HKLM\..\Run: [APIUH.EXE] C:\WINDOWS\APIUH.EXE

    O4 - HKLM\..\RunServices: [CRRO32.EXE] C:\WINDOWS\SYSTEM\CRRO32.EXE /s


    Once you’ve checked all of the above entries, click the "Fix Checked" button.

    Exit Hijack This.

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\rcqrd.dll

    C:\WINDOWS\SYSTEM\SYSTH.DLL

    C:\WINDOWS\IPKO32.DLL

    C:\WINDOWS\APIUH.EXE

    C:\WINDOWS\SYSTEM\CRRO32.EXE


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure not to miss any.

    Exit the Killbox.

    Next run Aboutbuster. Double click Aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

    Now, restart back into Windows normally and do the following:

    Go here and do an online virus scan: http://housecall.trendmicro.com/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

    This hijacker is known to alter or delete certain files so check this out please:

    Download the Hoster from here:
    www.funkytoad.com/download/hoster.zip
    Run Hoster and press Restore Original Hosts, OK, and Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here: http://www.spywareinfo.com/~merijn/winfiles.html
    Download SDHelper.dll
    Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    The file "Control.exe" may have been deleted.
    See if control.exe is present in C:\windows

    If Control.exe isn't there, go here: http://www.richardthelionhearted.com/~merijn/winfiles.html#control
    Download control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here: http://www.jfitz.com/tips/ie_security_config.html

    Reboot and post another HijackThis log please.
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    110,629
    Sorry, wrong thread. :rolleyes:
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    *giggles* :)
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    110,629
    ***SMACK*** :D
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    :eek: :eek:
     
  13. jp.in.vt

    jp.in.vt Thread Starter

    Joined:
    Sep 30, 2005
    Messages:
    8
    I couldn't get CWS to install/run -- "oleacc.dll was not found"
    and
    I couldn't get AboutBuster to run - "invalid procedure call or argument runtime error '5'"

    So should I continue? I still have to do the rest:


    Go here and do an online virus scan: http://housecall.trendmicro.com/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

    This hijacker is known to alter or delete certain files so check this out please:

    Download the Hoster from here:
    www.funkytoad.com/download/hoster.zip
    Run Hoster and press Restore Original Hosts, OK, and Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here: http://www.spywareinfo.com/~merijn/winfiles.html
    Download SDHelper.dll
    Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    The file "Control.exe" may have been deleted.
    See if control.exe is present in C:\windows

    If Control.exe isn't there, go here: http://www.richardthelionhearted.co...es.html#control
    Download control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here: http://www.jfitz.com/tips/ie_security_config.html

    Reboot and post another HijackThis log please.
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    110,629
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Thanks Cookie :)
     
Short URL to this thread: https://techguy.org/403450