1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Bad actors in here

Discussion in 'Virus & Other Malware Removal' started by slmerrill, Sep 22, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. slmerrill

    slmerrill Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    13
    Help! Browser is jacked and other weirdness going on.

    I've run AdAware, Spybot, CWShredder and Trendmicro's housecall virus scanner to clear up some items.

    Big thanks in advance for any help!!

    Here's my HJT log:

    Logfile of HijackThis v1.98.2
    Scan saved at 2:11:18 PM, on 9/22/04
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\CPQDMI.EXE
    C:\WINDOWS\CPQALERT.EXE
    C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
    C:\DMI95\WIN32\BIN\WIN32SL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\MGACTRL.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\WINDOWS\SYSTEM\COMSMD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\QDESK\MGAQDESK.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\GOXOY.EXE
    C:\WINDOWS\SYSTEM\GOXOY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\TECH SUPPORT\HIJACK THIS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {374F3A4F-C4BD-45F8-B47D-32CC5ACA3716} - C:\WINDOWS\SYSTEM\BBI.DLL (file missing)
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Jtbn.exe] C:\WINDOWS\TEMP\JTBN.EXE
    O4 - HKLM\..\Run: [2XTTJ#25SJH54N] C:\WINDOWS\SYSTEM\Oval63H.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
    O4 - HKLM\..\Run: [D1TNMMJDB.EXE] C:\WINDOWS\TEMP\D1TNMMJDB.EXE
    O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE /remove
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
    O4 - HKLM\..\Run: [q78P36Q] NWI6GT.EXE
    O4 - HKLM\..\Run: [qsjkft] C:\WINDOWS\SYSTEM\kmqhod.exe
    O4 - HKLM\..\RunServices: [CPQDMI] CPQDMI.EXE
    O4 - HKLM\..\RunServices: [CPQALERT] CPQAlert.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
    O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O4 - Startup: printer.bat
    O9 - Extra button: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file) (HKCU)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = overlakeoil.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.60.253.132,204.134.214.10
     
  2. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Go to here and download the fix:
    http://downloads.subratam.org/PeperFix.exe

    When you run the uninstaller, you MUST have an internet connection active for it to work.

    To use it:
    Start PeperFix.exe.
    Click Find and Fix button.
    It will ask you to restart computer, accept that.
    After rebooting run PeperFix.exe again and let it fix again.

    This Peper removal tool only works if run twice. To complete each stage of the Peper removal you need to REBOOT to clear the peper infection each time you run the tool, or the infection will remain.

    Go to Add / Remove Programs
    WinTools <--Remove

    Now run CWshredder, Ad-Aware, SpyBot and another Trendmicro's housecall virus scanner.

    Reboot.
    Scan with HijackThis and post a new log
     
  3. slmerrill

    slmerrill Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    13
    Okay. I think we're making some progress. Still have hijacked browser, though. Couldn't find WinTools under Add/Remove Programs. Win-Tools Easy Installer is there and I get an error when I try to remove it.

    I really appreciate the help...You guys are great!

    Here's the latest HJT Log:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:16:04 AM, on 9/23/04
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\CPQDMI.EXE
    C:\WINDOWS\CPQALERT.EXE
    C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
    C:\DMI95\WIN32\BIN\WIN32SL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\MGACTRL.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\WINDOWS\SYSTEM\COMSMD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\QDESK\MGAQDESK.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\TECH SUPPORT\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {374F3A4F-C4BD-45F8-B47D-32CC5ACA3716} - C:\WINDOWS\SYSTEM\BBI.DLL (file missing)
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Jtbn.exe] C:\WINDOWS\TEMP\JTBN.EXE
    O4 - HKLM\..\Run: [2XTTJ#25SJH54N] C:\WINDOWS\SYSTEM\Pah53p.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
    O4 - HKLM\..\Run: [D1TNMMJDB.EXE] C:\WINDOWS\TEMP\D1TNMMJDB.EXE
    O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE /remove
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
    O4 - HKLM\..\Run: [q78P36Q] NWI6GT.EXE
    O4 - HKLM\..\Run: [qsjkft] C:\WINDOWS\SYSTEM\kmqhod.exe
    O4 - HKLM\..\RunServices: [CPQDMI] CPQDMI.EXE
    O4 - HKLM\..\RunServices: [CPQALERT] CPQAlert.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
    O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O4 - Startup: printer.bat
    O9 - Extra button: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file) (HKCU)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW. Prefix: http://
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = overlakeoil.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.60.253.132,204.134.214.10
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O2 - BHO: (no name) - {374F3A4F-C4BD-45F8-B47D-32CC5ACA3716} - C:\WINDOWS\SYSTEM\BBI.DLL (file missing)

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL

    O4 - HKLM\..\Run: [Jtbn.exe] C:\WINDOWS\TEMP\JTBN.EXE

    O4 - HKLM\..\Run: [2XTTJ#25SJH54N] C:\WINDOWS\SYSTEM\Pah53p.exe

    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE

    O4 - HKLM\..\Run: [D1TNMMJDB.EXE] C:\WINDOWS\TEMP\D1TNMMJDB.EXE

    O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe

    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE /remove

    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

    O4 - HKLM\..\Run: [q78P36Q] NWI6GT.EXE

    O4 - HKLM\..\Run: [qsjkft] C:\WINDOWS\SYSTEM\kmqhod.exe

    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    O9 - Extra button: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file)

    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file)

    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)

    O9 - Extra button: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file) (HKCU)

    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {12C44D13-A798-4667-88D7-A281B748E998} - (no file) (HKCU)

    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)

    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW. Prefix: http://
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=

    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/win...nsearchie32.exe


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

    Now find and delete these files:

    C:\WINDOWS\SYSTEM\remove_me.dll
    C:\WINDOWS\SYSTEM\DP-HIM.EXE
    NWI6GT.EXE


    Delete these folders:

    C:\spe
    C:\Program Files\ToPicks
    C:\Program Files\VBOUNCER

    There may be another copy of the remove_me.dll file in a temp folder so do a file search for it and delete it wherever found.

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin
     
  5. slmerrill

    slmerrill Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    13
    I think we've nailed it! You guys are awesome.

    Thanks soo much!
     
  6. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Scan and post a new HijackThis log please.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/276954

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice