(Solved) ecpm passthrough

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

vegmanpa

Thread Starter
Joined
Sep 14, 2003
Messages
4
Hi... I hope you can help me fix this annoying problem. I keep getting my homepage overridden with this ECPM PASSTHROUGH whenever I go into Internet Explorer. My sessions invariably lock up and I have to reboot. I ran HIJACKTHIS and deleted the obvious entries but I still have the problem. Here is a copy of my HIJACKTHIS log.... Thanks.....

Logfile of HijackThis v1.97.2
Scan saved at 12:57:30 PM, on 9/14/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\ORNUM\AORNUM1\3.BIN\AORNUM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\NCASE\MSBB.EXE
C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.iwon.com/
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
O1 - Hosts: 216.194.90.249 auto.search.msn.com
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\HOST.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\1.BIN\IWONBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [Aornum1] C:\Program Files\Ornum\Aornum1\3.bin\Aornum.exe
O4 - HKLM\..\Run: [XNSearchAssistant] C:\Program Files\iWon\Search Assistant\SrchAsst.exe
O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [nvloqahg] C:\WINDOWS\SYSTEM\nvloqahg.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [booeaz] C:\WINDOWS\APPLIC~1\thtssglg.exe -QuieT
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [OFV] C:\WINDOWS\OFV.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
 
Joined
Jun 19, 2003
Messages
1,241
Hi vegmanpa, and welcome to TSG.. :)

Please download and run "Coolwebshredder" from http://www.mnsi.net/~jhlavac/security/privacy.htm first. (Second in the list)

Then, please reboot and download and run "RBKiller", from http://www.wilderssecurity.net/specialinfo/rapidblaster.html and run that also.

Then could you please reboot again and run a new HJT! log. Please "Check to fix" the following entries, then close all browser windows and click Fix.

You may find that some have already gone following the use of the above programs; don't worry about it. (y) :)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.iwon.com/

F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe

O1 - Hosts: 216.194.90.249 auto.search.msn.com

O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL

O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\HOST.DLL

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\1.BIN\IWONBAR.DLL

O4 - HKLM\..\Run: [Aornum1] C:\Program Files\Ornum\Aornum1\3.bin\Aornum.exe

O4 - HKLM\..\Run: [XNSearchAssistant] C:\Program Files\iWon\Search Assistant\SrchAsst.exe

O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe

O4 - HKLM\..\Run: [nvloqahg] C:\WINDOWS\SYSTEM\nvloqahg.exe

O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe

O4 - HKLM\..\Run: [booeaz] C:\WINDOWS\APPLIC~1\thtssglg.exe -QuieT

O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE

O4 - HKLM\..\Run: [OFV] C:\WINDOWS\OFV.exe

O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp


Then reboot into safe mode, (see here for info on how to do this), and delete the following bolded files/folders.

C:\PROGRAM FILES\CLEARSEARCH
C:\PROGRAM FILES\SRNG
C:\Program Files\ClockSync
C:\Program Files\ISTsvc
C:\PROGRAM FILES\IWON
C:\Program Files\Ornum

Then if you could boot back into normal mode and download Spybot - Search & Destroy from www.tomcoyote.org/spybot, if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

If you could then reboot (again.. :) although tedious, it is imperative that you reboot between each stage) and post a new HJT! log, for a final once over.

Cheers

Liam
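
An added example, not part of the original thread: one way to check a follow-up HijackThis log against the fix list above and see which flagged entries survived the cleanup. The fix-list lines are copied from the log in this thread; the follow-up log is constructed for illustration, and the function names are hypothetical.

```python
import re

# HijackThis entry lines start with a section code, e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return the set of (section, normalised detail) entries in a log.

    Header lines and the "Running processes" paths carry no section code
    and are skipped.
    """
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Path case and spacing differ between scans, so fold both.
            detail = " ".join(m.group(2).split()).lower()
            entries.add((m.group(1), detail))
    return entries

def remaining(fix_list, new_log):
    """Entries from the fix list that are still present in the new log."""
    return sorted(parse_entries(fix_list) & parse_entries(new_log))

# Four entries taken from the fix list in this thread.
FIX_LIST = r"""
O1 - Hosts: 216.194.90.249 auto.search.msn.com
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
"""

# Constructed follow-up log: one flagged autorun entry has survived.
NEW_LOG = r"""
Logfile of HijackThis v1.97.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [msbb] C:\Program Files\NCase\msbb.exe
"""

if __name__ == "__main__":
    for section, detail in remaining(FIX_LIST, NEW_LOG):
        print("still present:", section, "-", detail)
```

An entry that reappears after a reboot usually means the program that writes it is still running, which is why the steps above ask for a fresh log after each stage.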
 

vegmanpa

Thread Starter
Joined
Sep 14, 2003
Messages
4
Thanks Liam for the help and the quick response! Everything worked fine (except Coolwebshredder gave me a pop-up with an "unexpected error" msg when I tried to execute it...it didn't matter though because I got rid of everything else using HJT).... My system seems to be running normally again....

Thanks again... You saved me from a lot of additional frustration!

Dave
 