
Solved: Help cannot get rid of about:blank

Discussion in 'Virus & Other Malware Removal' started by cgisharon, Feb 15, 2005.

  1. cgisharon

    cgisharon Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    43
    Please help!
    I've tried Adaware, CWshredder,Spysubtract, etc. and cannot get rid of this vermin. Below is my hijackthis log file. Any help is greatly appreciated. :confused:

    Logfile of HijackThis v1.99.0
    Scan saved at 4:08:02 PM, on 2/15/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\crto32.exe
    C:\WINDOWS\System32\tibs5.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\addqv.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kaye\Desktop\temp\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Kaye\Application Data\Mozilla\Profiles\default\hjlamak1.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Kaye\Application Data\Mozilla\Profiles\default\hjlamak1.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: (no name) - {E7C0C490-197B-0CFC-C47F-A5FF86D1B072} - C:\WINDOWS\system32\msvd.dll
    O3 - Toolbar: @msdxmLC.dll,-1@,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [crto32.exe] C:\WINDOWS\crto32.exe
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.agentnet.com
    O15 - Trusted Zone: http://us.amadeuscruise.com
    O15 - Trusted Zone: *.amadeusvista.com
    O15 - Trusted Zone: *.amaduesproweb.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: http://mucfrt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://mucpdt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://ncepdt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://support.pro.amadeus.net (HKLM)
    O15 - Trusted Zone: http://trnmatrix.pro.amadeus.net (HKLM)
    O15 - Trusted Zone: *.amadeuscruise.com (HKLM)
    O15 - Trusted Zone: *.amadeusvista.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O16 - DPF: TAWClients - http://vcc.promero.com/taw/TAWClients.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeuscruise.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {0B541685-ACB8-48C2-8556-D56CE15EA800} (BBWebGDS.GDSInterface) - http://www.travelguard.com/gds/BBWebGDS.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://us.amadeuscruise.com/common/cabs/SP2Patch.CAB
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} (Amadeus DS Diagnostic Class) - http://webconfig.amadeus.com/diagnostic/cabs/DS_Diagnostic.cab
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} (First American File Control) - http://www.leadstoloans.com/activex/fafile.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} (First American Print Control) - http://www.leadstoloans.com/activex/faprint.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} (First American Grid Control) - http://www.leadstoloans.com/activex/fagrid.dll
    O16 - DPF: {52454909-B15F-11D3-83A3-000083613743} (SCMDir Class) - https://go10d.wspan.com/Secure/DLLs/SCMDIRCTL.CAB
    O16 - DPF: {616A44A9-5D02-445B-B16E-5C6E4A0C2AA6} (PDFPrinter Class) - http://www.mortgagecreditlink.com/download/eprintin.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeuscruise.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {6DD584C4-79F4-4F46-8F81-C26AA75D8467} (ComboBox.UserControl1) - https://go13f.wspan.com/Secure/DLLs/WSCombo.CAB
    O16 - DPF: {6FC2871E-004B-4141-B9C0-59708BD96CCE} (WSEmul Control 3) - https://go13f.wspan.com/Secure/DLLs/WSEMUL3.CAB
    O16 - DPF: {7DB7E238-1425-4434-8B05-6453AD6A49C6} (WSPrint3 Control) - https://go10d.wspan.com/secure/DLLs/WSPrint3.CAB
    O16 - DPF: {85788258-6ACF-4FC1-A2CD-3BD248065AB9} (WSKeyboardMap Class) - https://go13f.wspan.com/Secure/DLLs/WSKeyboardTranslator.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go13f.wspan.com/secure/DLLs/WSFileIO2.cab
    O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10d.wspan.com/secure/DLLs/WSBrowserConfig.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {A4D41E3A-613D-11D3-85B2-400011500081} (WSCustInst Class) - https://go13f.wspan.com/Secure/DLLs/WSCustInst.CAB
    O16 - DPF: {BC57DAFD-FB14-11D6-BF35-00E09876DF26} (WebTrainConference.WTConference) - http://www.webtrain.com/websay/cabs/WTConference.CAB
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab
    O16 - DPF: {CCB125B9-6C37-4F76-858E-5F8DD6C96681} (SCM Class 2) - https://go10d.wspan.com/Secure/DLLs/WSSCM2.CAB
    O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go13f.wspan.com/scripts/us/bin/WSCAL.CAB
    O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trams.webex.com/client/latest/support/ieatgpc.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E922EBC9-50D4-4B53-B454-73376453E98D} (LOSActiveX.MainForm) - https://www.xpertonline.net/LosActiveX/LOSActiveX.CAB
    O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go10d.wspan.com/secure/DLLs/WSFileIO.cab
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {EFFFC7A6-4D95-4A18-8A14-FEB082D9C67D} (SCM Class1) - https://go13f.wspan.com/Secure/DLLs/WSSCM1.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A854F74-A387-4516-A639-7AD4FF072FC1}: NameServer = 151.164.11.201 151.164.30.104
    O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\addqv.exe
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I need to ask you if any of the items you have in the Trusted Zone are ones you put there yourself, I see some that are a problem....but, are there any that you use and that are there for a reason, such as the amadeus items?

    O15 - Trusted Zone: *.agentnet.com
    O15 - Trusted Zone: http://us.amadeuscruise.com
    O15 - Trusted Zone: *.amadeusvista.com
    O15 - Trusted Zone: *.amaduesproweb.com
    Or, did they just get there without your say so?

    By the way, there is time for me tonite to get a fix posted, if you have time, let me know. If not, see you whenever, I should be around in the morning about 9 EST US.
     
  3. cgisharon

    cgisharon Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    43
    Thank you for your reply. I sell travel so the Amadeus items are needed for work.

    O15 - Trusted Zone: *.agentnet.com
    O15 - Trusted Zone: http://us.amadeuscruise.com
    O15 - Trusted Zone: *.amadeusvista.com
    O15 - Trusted Zone: *.amaduesproweb.com

    Please advise what I should do!
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You will need to know how to boot to Safe Mode>
    Don't do it just yet, it's for later.

    EDIT!> The about:blank hijack may change filenames if you shut down and restart, but that is OK, I can send in a new fix tomorrow if you want to wait, I know it's getting a bit late....I have time tonite if you want to tackle this now!

    When you restart the computer, tap the F8 key quickly, several times, just as you see any text on screen...eventually the startup menu will come up> select Safe Mode (only) with your arrow key, and then press Enter key once....and give it plenty of time to get to the desktop, loading Safe Mode takes longer but it will get there.

    NEXT: These posts and the Internet will NOT be available to you,(( if you follow instructions and use Safe Mode, anyway--and you do want to, as the fix will NOT work any other way!)) So, you need to either print them out, each time, or, you can simply copy and paste them to a Notepad text file and save it to your desktop to have in Safe Mode.
    ________________

    Now, download these things:

    http://forums.techguy.org/attachment.php?attachmentid=44318

    ((EDIT> new, working link for the above file!))

    download cwsserviceremove.zip and unzip it to your desktop and have it ready to run later.
    _______

    http://downloads.subratam.org/CWShredder.exe

    download CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later
    ___________________

    http://www.downloads.subratam.org/AboutBuster.zip

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
    __________

    Now go ahead and set your computer to show hidden files like so:

    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options",
    make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"
    __________

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.
    _______


    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Remote Procedure Call (RPC) Helper.
    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

    CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC) . These are the legitimate services. Do not stop those two.

    ______

    Restart to Safe Mode and Do the next steps in Safe Mode.

    _________
    Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
    ____________

    Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

    Put a check by these entries in Hijack This and click the "Fix Checked" button:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zogta.dll/sp.html#28129
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: (no name) - {E7C0C490-197B-0CFC-C47F-A5FF86D1B072} - C:\WINDOWS\system32\msvd.dll
    O4 - HKLM\..\Run: [crto32.exe] C:\WINDOWS\crto32.exe
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe


    Now, navigate TO the folders in Windows Explorer, holding the files listed, those at the ends of lines, and delete the FILES:


    C:\WINDOWS\System32\tibs5.exe <files at ends

    C:\WINDOWS\addqv.exe


    C:\WINDOWS\system32\msvd.dll

    C:\WINDOWS\crto32.exe
    ____________________
    Next: Still in Safe Mode>

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK
    _____________

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
    _______

    Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
    __________

    Boot back into Windows now.


    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.



    Go here and do an online virus scan:

    http://housecall.antivirus.com/housecall/start_corp.asp

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.



    This hijacker is known to alter or delete certain files so check this out please:

    Download the Hoster from:

    http://members.aol.com/toadbee/hoster.zip

    Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.
    __________
    If you have Spybot S&D installed you will also need to replace one file.
    Go to: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper

    and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.


    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system32

    If control.exe isn't there, go here:

    http://www.spywareinfo.com/~merijn/winfiles.html

    and download control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE > Open the Tools tab, then Internet Options, and then Advanced> then hit the "Restore Defaults" button and OK.

    Next, post a new Hijackthis log, after you have completed all the above. Running AdAware and/or Spybot is not needed right now. Since you have some other malware, there will be more to do....which involves removing some of the bad items in Trusted Sites, you can reload the ones you need, so copy down the exact way you have the good Amadeus ones now, in case we do lose any...the manual method may remove the bad ones, and then again we may have to use a tool that removes ALL entries in Trusted Sites...that may not happen anyway, I don't know just yet!
     
  5. cgisharon

    cgisharon Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    43
  6. rainforest123

    rainforest123

    Joined:
    Dec 28, 2004
    Messages:
    8,256
    I don't receive the error message you note, when I go to the http://. . .38111 link, but I don't receive an option to download anything. My browser displays Http://forums.techguy.org

    Perhaps the link is broken.

    I'm sure Byteman has an alternative.

    B123
     
  7. cgisharon

    cgisharon Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    43
    Byteman,

    I found an alternate link for the download and followed all your instructions. Finally I'm back to my original homepage and no more pop-ups so far!

    This is my log file after following your instructions. Please let me know what to do to complete the cleaning of "all parasites" you located.

    Thank you!

    Logfile of HijackThis v1.99.0
    Scan saved at 1:36:57 AM, on 2/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Documents and Settings\Kaye\Desktop\temp\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Kaye\Application Data\Mozilla\Profiles\default\hjlamak1.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Kaye\Application Data\Mozilla\Profiles\default\hjlamak1.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,-1@,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.agentnet.com
    O15 - Trusted Zone: http://us.amadeuscruise.com
    O15 - Trusted Zone: *.amadeusvista.com
    O15 - Trusted Zone: *.amaduesproweb.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: http://mucfrt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://mucpdt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://ncepdt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://support.pro.amadeus.net (HKLM)
    O15 - Trusted Zone: http://trnmatrix.pro.amadeus.net (HKLM)
    O15 - Trusted Zone: *.amadeuscruise.com (HKLM)
    O15 - Trusted Zone: *.amadeusvista.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O16 - DPF: TAWClients - http://vcc.promero.com/taw/TAWClients.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeuscruise.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {0B541685-ACB8-48C2-8556-D56CE15EA800} (BBWebGDS.GDSInterface) - http://www.travelguard.com/gds/BBWebGDS.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://us.amadeuscruise.com/common/cabs/SP2Patch.CAB
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} (Amadeus DS Diagnostic Class) - http://webconfig.amadeus.com/diagnostic/cabs/DS_Diagnostic.cab
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} (First American File Control) - http://www.leadstoloans.com/activex/fafile.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} (First American Print Control) - http://www.leadstoloans.com/activex/faprint.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} (First American Grid Control) - http://www.leadstoloans.com/activex/fagrid.dll
    O16 - DPF: {52454909-B15F-11D3-83A3-000083613743} (SCMDir Class) - https://go10d.wspan.com/Secure/DLLs/SCMDIRCTL.CAB
    O16 - DPF: {616A44A9-5D02-445B-B16E-5C6E4A0C2AA6} (PDFPrinter Class) - http://www.mortgagecreditlink.com/download/eprintin.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeuscruise.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {6DD584C4-79F4-4F46-8F81-C26AA75D8467} (ComboBox.UserControl1) - https://go13f.wspan.com/Secure/DLLs/WSCombo.CAB
    O16 - DPF: {6FC2871E-004B-4141-B9C0-59708BD96CCE} (WSEmul Control 3) - https://go13f.wspan.com/Secure/DLLs/WSEMUL3.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7DB7E238-1425-4434-8B05-6453AD6A49C6} (WSPrint3 Control) - https://go10d.wspan.com/secure/DLLs/WSPrint3.CAB
    O16 - DPF: {85788258-6ACF-4FC1-A2CD-3BD248065AB9} (WSKeyboardMap Class) - https://go13f.wspan.com/Secure/DLLs/WSKeyboardTranslator.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go13f.wspan.com/secure/DLLs/WSFileIO2.cab
    O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10d.wspan.com/secure/DLLs/WSBrowserConfig.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {A4D41E3A-613D-11D3-85B2-400011500081} (WSCustInst Class) - https://go13f.wspan.com/Secure/DLLs/WSCustInst.CAB
    O16 - DPF: {BC57DAFD-FB14-11D6-BF35-00E09876DF26} (WebTrainConference.WTConference) - http://www.webtrain.com/websay/cabs/WTConference.CAB
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab
    O16 - DPF: {CCB125B9-6C37-4F76-858E-5F8DD6C96681} (SCM Class 2) - https://go10d.wspan.com/Secure/DLLs/WSSCM2.CAB
    O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go13f.wspan.com/scripts/us/bin/WSCAL.CAB
    O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trams.webex.com/client/latest/support/ieatgpc.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E922EBC9-50D4-4B53-B454-73376453E98D} (LOSActiveX.MainForm) - https://www.xpertonline.net/LosActiveX/LOSActiveX.CAB
    O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go10d.wspan.com/secure/DLLs/WSFileIO.cab
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {EFFFC7A6-4D95-4A18-8A14-FEB082D9C67D} (SCM Class1) - https://go13f.wspan.com/Secure/DLLs/WSSCM1.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A854F74-A387-4516-A639-7AD4FF072FC1}: NameServer = 151.164.11.201 151.164.30.104
    O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
     
  8. rainforest123

    rainforest123

    Joined:
    Dec 28, 2004
    Messages:
    8,256
    Congratulations on the progress.

    What link did you use to download the file?



    B123
     
  9. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Sorry you had trouble with the link for that file...

    I have edited my earlier link, and put a good one there, but here it is again, for anyone that needs it>

    http://forums.techguy.org/attachment.php?attachmentid=44318

    Let's continue getting things fixed>

    Will try to remove just the bad Trusted Sites, so that your good items do not disappear, but you should get them saved, written down as I posted earlier in case they just come back...

    Download> DelDomains: But do NOT run it!!!!!!!

    http://www.mvps.org/winhelp2002/DelDomains.inf

    The above file is just to have handy...using it will remove ALL items in your Trusted Sites!!! So, just keep it handy for now, we may not need it.

    Run Hijackthis, CLOSE ALL OTHER WINDOWS/BROWSERS while you are fixing things with Hijackthis!!!!

    Put checks next to each of these items, then click "Fix checked":

    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)

    Do you use/have to have this item? If it is part of your work, keep it.

    O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtCli...PtClickLoan.cab

    Restart the computer, and again scan with AdAware, SpyBot, first checking for any updates to their detection files> restart between scans. Post a new log! Good work, by the way, getting the needed download as you did.
    Sorry I wasn't able to be here as early as planned, but work came along...I will be here the rest of the day/evening now, unless I get a call.
     
  10. cgisharon

    cgisharon Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    43
    This is my log after following your last notes. Thanks!

    Logfile of HijackThis v1.99.0
    Scan saved at 6:27:47 PM, on 2/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Kaye\Desktop\temp\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Kaye\Application Data\Mozilla\Profiles\default\hjlamak1.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Kaye\Application Data\Mozilla\Profiles\default\hjlamak1.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.agentnet.com
    O15 - Trusted Zone: http://us.amadeuscruise.com
    O15 - Trusted Zone: *.amadeusvista.com
    O15 - Trusted Zone: *.amaduesproweb.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: http://mucfrt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://mucpdt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://ncepdt.webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://webconfig.amadeus.com (HKLM)
    O15 - Trusted Zone: http://support.pro.amadeus.net (HKLM)
    O15 - Trusted Zone: http://trnmatrix.pro.amadeus.net (HKLM)
    O15 - Trusted Zone: *.amadeuscruise.com (HKLM)
    O15 - Trusted Zone: *.amadeusvista.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeuscruise.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {0B541685-ACB8-48C2-8556-D56CE15EA800} (BBWebGDS.GDSInterface) - http://www.travelguard.com/gds/BBWebGDS.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://us.amadeuscruise.com/common/cabs/SP2Patch.CAB
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} (Amadeus DS Diagnostic Class) - http://webconfig.amadeus.com/diagnostic/cabs/DS_Diagnostic.cab
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} (First American File Control) - http://www.leadstoloans.com/activex/fafile.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} (First American Print Control) - http://www.leadstoloans.com/activex/faprint.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} (First American Grid Control) - http://www.leadstoloans.com/activex/fagrid.dll
    O16 - DPF: {52454909-B15F-11D3-83A3-000083613743} (SCMDir Class) - https://go10d.wspan.com/Secure/DLLs/SCMDIRCTL.CAB
    O16 - DPF: {616A44A9-5D02-445B-B16E-5C6E4A0C2AA6} (PDFPrinter Class) - http://www.mortgagecreditlink.com/download/eprintin.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeuscruise.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {6DD584C4-79F4-4F46-8F81-C26AA75D8467} (ComboBox.UserControl1) - https://go13f.wspan.com/Secure/DLLs/WSCombo.CAB
    O16 - DPF: {6FC2871E-004B-4141-B9C0-59708BD96CCE} (WSEmul Control 3) - https://go13f.wspan.com/Secure/DLLs/WSEMUL3.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7DB7E238-1425-4434-8B05-6453AD6A49C6} (WSPrint3 Control) - https://go10d.wspan.com/secure/DLLs/WSPrint3.CAB
    O16 - DPF: {85788258-6ACF-4FC1-A2CD-3BD248065AB9} (WSKeyboardMap Class) - https://go13f.wspan.com/Secure/DLLs/WSKeyboardTranslator.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go13f.wspan.com/secure/DLLs/WSFileIO2.cab
    O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10d.wspan.com/secure/DLLs/WSBrowserConfig.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {A4D41E3A-613D-11D3-85B2-400011500081} (WSCustInst Class) - https://go13f.wspan.com/Secure/DLLs/WSCustInst.CAB
    O16 - DPF: {BC57DAFD-FB14-11D6-BF35-00E09876DF26} (WebTrainConference.WTConference) - http://www.webtrain.com/websay/cabs/WTConference.CAB
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab
    O16 - DPF: {CCB125B9-6C37-4F76-858E-5F8DD6C96681} (SCM Class 2) - https://go10d.wspan.com/Secure/DLLs/WSSCM2.CAB
    O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go13f.wspan.com/scripts/us/bin/WSCAL.CAB
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trams.webex.com/client/latest/support/ieatgpc.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E922EBC9-50D4-4B53-B454-73376453E98D} (LOSActiveX.MainForm) - https://www.xpertonline.net/LosActiveX/LOSActiveX.CAB
    O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go10d.wspan.com/secure/DLLs/WSFileIO.cab
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {EFFFC7A6-4D95-4A18-8A14-FEB082D9C67D} (SCM Class1) - https://go13f.wspan.com/Secure/DLLs/WSSCM1.CAB
    O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
     
  11. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    hi,
    In Control Panel>Add/Remove Programs, if you find PeopleonPage, uninstall that please....



    Looks like we need the DelDomains file you downloaded before. Sorry, but there seems to be no other way to remove the bad Trusted Sites entries; as I told you, using the remover tool will also remove your good Trusted Sites entries, so you will have to reenter those manually...

    I guess you did this before, do you remember how to?


    Next: some things to fix with Hijackthis:

    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe



    In Windows Explorer once again, find and delete the file>

    C:\Program Files\Automatic Update\AutoUpdate.exe <file

    And, then the folder> C:\Program Files\Automatic Update


    Now, right click DelDomains.inf and select "Install"



    Restart the computer.

    You can scan again with AdAware etc. Post new log.
     
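Byteman's two posts above amount to a triage procedure: pick out the O15 Trusted Zone entries that do not belong to the user's work sites, fix them (or wipe the whole zone with DelDomains.inf and re-enter the good ones), remove the stray O4 Run entry, then post a fresh log to confirm the entries are gone. The following Python script is an added example by the editor, not code from the thread or from HijackThis, that automates both halves of that check: it parses log lines in the format quoted in the thread, flags O15 entries whose registrable domain is not on an allowlist, and diffs a "before" and "after" log to show exactly which entries a fix removed. The two log excerpts and the allowlist are constructed from entries quoted in this thread; the allowlist is an assumption about which domains the poster needs for work.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of a HijackThis log, modelled on the entries quoted in this thread
# (the log posted before Byteman's fix). Raw string so the backslashes stay as typed.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: http://us.amadeuscruise.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: http://webconfig.amadeus.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
"""

# Constructed "after" excerpt: what the same sections should look like once the fix took.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: http://us.amadeuscruise.com
O15 - Trusted Zone: http://webconfig.amadeus.com (HKLM)
"""

# Assumed allowlist: registrable domains the poster said are needed for work.
WORK_ALLOWLIST = {
    "agentnet.com", "amadeuscruise.com", "amadeus.com",
    "amadeusvista.com", "amaduesproweb.com", "amadeus.net",
}

# HijackThis lines look like "O15 - Trusted Zone: *.example.com (HKLM)".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4", "O15"
    body: str     # everything after "Oxx - "


def parse_log(text):
    """Turn the section-prefixed lines of a HijackThis log into Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def trusted_zone_domain(body):
    """'Trusted Zone: *.frame.crazywinnings.com (HKLM)' -> 'frame.crazywinnings.com'."""
    prefix = "Trusted Zone: "
    target = body[len(prefix):] if body.startswith(prefix) else body
    target = target.split(" ")[0]               # drop the "(HKLM)" marker
    target = re.sub(r"^[a-z]+://", "", target)  # drop http:// or https://
    return target.lstrip("*.").lower()          # drop the wildcard prefix


def registered_domain(host):
    """Crude registrable-domain cut (last two labels); fine for the hosts in this log."""
    return ".".join(host.split(".")[-2:])


def flag_trusted_zones(entries, allowlist):
    """Return the O15 entries whose domain is not on the allowlist: candidates to fix."""
    return [
        e for e in entries
        if e.section == "O15"
        and registered_domain(trusted_zone_domain(e.body)) not in allowlist
    ]


def diff_logs(before, after):
    """Return (removed, added) entries between two logs, to confirm a fix took effect."""
    b, a = set(parse_log(before)), set(parse_log(after))
    key = lambda e: (e.section, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


if __name__ == "__main__":
    for e in flag_trusted_zones(parse_log(LOG_BEFORE), WORK_ALLOWLIST):
        print("FIX :", e.section, "-", e.body)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for e in removed:
        print("GONE:", e.section, "-", e.body)
    for e in added:
        print("NEW :", e.section, "-", e.body)
```

Run against a real log, the flagged list is the set of O15 lines to check in HijackThis (or to re-enter by hand after DelDomains.inf clears the zone), and the diff of the next log is the evidence that nothing came back and nothing the user needed disappeared. The two-label domain cut is deliberately simple; hosts under multi-part public suffixes would need a proper suffix list.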
  12. cgisharon

    cgisharon Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    43
    Byteman,

    Please take a look; this is my latest log after applying the fix you recommended.

    Thanks!



    Logfile of HijackThis v1.99.0
    Scan saved at 9:34:36 PM, on 2/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Documents and Settings\Kaye\Desktop\temp\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Kaye\Application Data\Mozilla\Profiles\default\hjlamak1.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Kaye\Application Data\Mozilla\Profiles\default\hjlamak1.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeuscruise.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {0B541685-ACB8-48C2-8556-D56CE15EA800} (BBWebGDS.GDSInterface) - http://www.travelguard.com/gds/BBWebGDS.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://us.amadeuscruise.com/common/cabs/SP2Patch.CAB
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {469C92F9-CA8E-4C3E-9AD4-F74EEF097BCA} (Amadeus DS Diagnostic Class) - http://webconfig.amadeus.com/diagnostic/cabs/DS_Diagnostic.cab
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} (First American File Control) - http://www.leadstoloans.com/activex/fafile.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} (First American Print Control) - http://www.leadstoloans.com/activex/faprint.dll
    O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} (First American Grid Control) - http://www.leadstoloans.com/activex/fagrid.dll
    O16 - DPF: {52454909-B15F-11D3-83A3-000083613743} (SCMDir Class) - https://go10d.wspan.com/Secure/DLLs/SCMDIRCTL.CAB
    O16 - DPF: {616A44A9-5D02-445B-B16E-5C6E4A0C2AA6} (PDFPrinter Class) - http://www.mortgagecreditlink.com/download/eprintin.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeuscruise.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {6DD584C4-79F4-4F46-8F81-C26AA75D8467} (ComboBox.UserControl1) - https://go13f.wspan.com/Secure/DLLs/WSCombo.CAB
    O16 - DPF: {6FC2871E-004B-4141-B9C0-59708BD96CCE} (WSEmul Control 3) - https://go13f.wspan.com/Secure/DLLs/WSEMUL3.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7DB7E238-1425-4434-8B05-6453AD6A49C6} (WSPrint3 Control) - https://go10d.wspan.com/secure/DLLs/WSPrint3.CAB
    O16 - DPF: {85788258-6ACF-4FC1-A2CD-3BD248065AB9} (WSKeyboardMap Class) - https://go13f.wspan.com/Secure/DLLs/WSKeyboardTranslator.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go13f.wspan.com/secure/DLLs/WSFileIO2.cab
    O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10d.wspan.com/secure/DLLs/WSBrowserConfig.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {A4D41E3A-613D-11D3-85B2-400011500081} (WSCustInst Class) - https://go13f.wspan.com/Secure/DLLs/WSCustInst.CAB
    O16 - DPF: {BC57DAFD-FB14-11D6-BF35-00E09876DF26} (WebTrainConference.WTConference) - http://www.webtrain.com/websay/cabs/WTConference.CAB
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com/cp/install/Crusher.cab
    O16 - DPF: {CCB125B9-6C37-4F76-858E-5F8DD6C96681} (SCM Class 2) - https://go10d.wspan.com/Secure/DLLs/WSSCM2.CAB
    O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go13f.wspan.com/scripts/us/bin/WSCAL.CAB
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trams.webex.com/client/latest/support/ieatgpc.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E922EBC9-50D4-4B53-B454-73376453E98D} (LOSActiveX.MainForm) - https://www.xpertonline.net/LosActiveX/LOSActiveX.CAB
    O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go10d.wspan.com/secure/DLLs/WSFileIO.cab
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {EFFFC7A6-4D95-4A18-8A14-FEB082D9C67D} (SCM Class1) - https://go13f.wspan.com/Secure/DLLs/WSSCM1.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A854F74-A387-4516-A639-7AD4FF072FC1}: NameServer = 151.164.11.201 151.164.30.104
    O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
     
  13. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Looks like you got it that time!

    Try things for a while, maybe tomorrow you can mark the thread solved if nothing returns.
     
  14. rainforest123

    rainforest123

    Joined:
    Dec 28, 2004
    Messages:
    8,256
    Again, I ask. From what source did you download the file?

    Again, I clicked on the link. It took me, this time, to http://forums.techguy.org

    B123
     
  15. cgisharon

    cgisharon Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    43
Short URL to this thread: https://techguy.org/330993
