1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

(Solved) ecpm passthrough

Discussion in 'Web & Email' started by vegmanpa, Sep 14, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. vegmanpa

    vegmanpa Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    4
    Hi... I hope you can help me fix this annoying problem. I keep getting my homepage overridden with this ECPM PASSTHOUGH whenever I go into Internet Explorer. My sessions invariably lock up and I have to reboot. I ran HIJACKTHIS and deleted the obvious entries but I still have the problem. Here is a copy of my HIJACKTHIS log.... Thanks.....

    Logfile of HijackThis v1.97.2
    Scan saved at 12:57:30 PM, on 9/14/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\CPQS\BWTOOLS\SCCENTER.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\PROGRAM FILES\ORNUM\AORNUM1\3.BIN\AORNUM.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\SAVE\SAVE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
    C:\PROGRAM FILES\NCASE\MSBB.EXE
    C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.iwon.com/
    F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
    O1 - Hosts: 216.194.90.249 auto.search.msn.com
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\HOST.DLL
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
    O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\1.BIN\IWONBAR.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [Aornum1] C:\Program Files\Ornum\Aornum1\3.bin\Aornum.exe
    O4 - HKLM\..\Run: [XNSearchAssistant] C:\Program Files\iWon\Search Assistant\SrchAsst.exe
    O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [nvloqahg] C:\WINDOWS\SYSTEM\nvloqahg.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [booeaz] C:\WINDOWS\APPLIC~1\thtssglg.exe -QuieT
    O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
    O4 - HKLM\..\Run: [OFV] C:\WINDOWS\OFV.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
     
  2. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,241
    Hi vegmanpa, and welcome to TSG.. :)

    Please download and run "Coolwebshredder" from http://www.mnsi.net/~jhlavac/security/privacy.htm first. (Second in the list)

    Then, please reboot and download and run "RBKiller", from http://www.wilderssecurity.net/specialinfo/rapidblaster.html and run that also.

    Then could you please reboot again and run a new HJT! log. Please "Check to fix" the following entries, then close all browser windows and click Fix.

    You may find that some have already gone, following the use of the above programs, don't worry about it. (y) :)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.iwon.com/

    F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe

    O1 - Hosts: 216.194.90.249 auto.search.msn.com

    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL

    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\HOST.DLL

    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

    O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\1.BIN\IWONBAR.DLL

    O4 - HKLM\..\Run: [Aornum1] C:\Program Files\Ornum\Aornum1\3.bin\Aornum.exe

    O4 - HKLM\..\Run: [XNSearchAssistant] C:\Program Files\iWon\Search Assistant\SrchAsst.exe

    O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe

    O4 - HKLM\..\Run: [nvloqahg] C:\WINDOWS\SYSTEM\nvloqahg.exe

    O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe

    O4 - HKLM\..\Run: [booeaz] C:\WINDOWS\APPLIC~1\thtssglg.exe -QuieT

    O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE

    O4 - HKLM\..\Run: [OFV] C:\WINDOWS\OFV.exe

    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q

    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

    O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp


    Then reboot into safe mode, (see here for info on how to do this), and delete the following bolded files/folders.

    C:\PROGRAM FILES\CLEARSEARCH
    C:\PROGRAM FILES\SRNG
    C:\Program Files\ClockSync
    C:\Program Files\ISTsvc
    C:\PROGRAM FILES\IWON
    C:\Program Files\Ornum

    Then if you could boot back into normal mode and download Spybot - Search & Destroy, from www.tomcoyote.org/spybot : if you haven't already got the program.

    Now press Settings, and Settings again.
    Go to the Webupdate section, and check "Display also available beta versions".

    Now press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

    If you could then reboot (again.. :) although tedious, it is imperative that you reboot between each stage) and post a new HJT! log, for a final once over.

    Cheers

    Liam
     
  3. vegmanpa

    vegmanpa Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    4
    Thanks Liam for the help and the quick response! Everything worked fine (except Coolwebshredder gave me a pop-up with and "unexpected error" msg when I tried to execute it...it didn't matter though because I got rid of everything else using HJT).... My system seems to be running normally again....

    Thanks again... You saved me from a lot of additional frustration!

    Dave
     
  4. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,241
    Your welcome Dave, :) (y)

    I'll get this marked up as resolved.

    Cheers

    Liam
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/164746

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice