
Wish I knew

Discussion in 'Virus & Other Malware Removal' started by rey910, Mar 26, 2005.

Thread Status:
Not open for further replies.
  1. rey910

    rey910 Thread Starter

    Joined:
    Aug 6, 2001
    Messages:
    47
    OK, tell me this: how does one acquire 40 cookies and 10 offline files when all they opened, without doing anything else, is Yahoo Messenger?

    When I go to Start/Run, type in msconfig, hit Enter and go to Startup, these are some of the things that I seem to have running:

    explorer, Ccapp Iexplore Bttray, Icqnet Loadqm Iexplore Rfagent Khooker Systray Mwsoemon Iexplore Rnaapp

    As noted, iexplore is there 3 times, and when I try to delete and reinstall it, it will not let me.

    Any suggestions as to what or how I can fix this? :confused:

    I have Windows 98.
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I would say those things are normal.

    But do an online antivirus scan to be sure.

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    And:

    http://housecall.antivirus.com/housecall/start_corp.asp


    Panda scan will let you save a Report of things found when you finish--- if any files are found infected, save the activescan.txt and copy/paste the contents of it to your next reply.

    Housecall scan: Be sure you use the AUTOCLEAN box checked.

    Record anything it finds as you will need to know the filenames, locations on your hard drive, etc.

    Also post a Hijackthis log so we can possibly see quickly what the problem may be:

    Download the file to your desktop and run hijackthis.exe, use the Scan and Save a Log button, save the log as hijackthis.txt and copy and paste the contents of it into a reply here in the thread. Do NOT use hijackthis yourself, most of what it shows is needed by your computer!!!
     
  3. rey910

    rey910 Thread Starter

    Joined:
    Aug 6, 2001
    Messages:
    47
    Byteman.
    Thanks for replying so fast and i will do those 3 things you have suggested and post them here. But, since my last visit to this forum and now----I think we unleashed a monster that many were unaware of!!!! lol I truly did not expect so many readers to read my post and then have all these questions attributed to your mention of a HiJackThis Log. Again thank you for the advice and when I get copies of those files---will post them.
     
  4. rey910

    rey910 Thread Starter

    Joined:
    Aug 6, 2001
    Messages:
    47
    Byteman,
    Sorry for taking so long---here is the hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:53:53 PM, on 3/28/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\PROGRA~1\SPYWAR~1\Spyware-Cop.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\Denise\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ls0.net/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home Network Version 1.7
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 3466709097 auto.search.msn.com
    O1 - Hosts: 3466709097 sitefinder.verisign.com
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O1 - Hosts: 3466709097 www.your.com
    O1 - Hosts: 3466709097 your.com
    O1 - Hosts: 3466690378 ad.doubleclick.net
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINNT\System32\sfg_4811.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O2 - BHO: posHelp Class - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
    O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINNT\system32\StopzillaBH0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_4811.dll"
    O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_4811.dll"
    O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRA~1\SPYWAR~1\Spyware-Cop.exe" /s
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: @Home - {686CADC7-06B8-45F8-B0CC-D5F4D09B0B89} - http://www/ (file missing) (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    Hope you see something that might be causing a problem.
    Thanks for your time and help.
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi rey910, I would like to see a new Hijackthis log please, and will try to help with this.
     
  6. rey910

    rey910 Thread Starter

    Joined:
    Aug 6, 2001
    Messages:
    47
    Sorry, Byteman.
    Guess I should have given you more on this. I can't get IE6 to open or even repair. I tried deleting it but it says it can't find the file, so I am using Netscape at the moment. Here is what has been done so far. Sorry for being so long in answering; I am using 2 computers and I have to transfer from one to the other in order to reply at this time.

    1st computer: Windows 98, works just fine
    2nd computer: Windows 2000, this is the one I'm having the problems with

    OK, in Add/Remove there is no file that says IE. It must be joined with something like my Office package or something.
    When I click on the blue E, or use any other way to get to IE, it says there has been an error and would I like to send a report. I unclick the send report and close the window with the X.

    When I try to install IE again, I can't, because the IE window wants to open and it can't.

    If I try to download and/or repair IE6, it can't, because it wants to open the IE browser and it can't.

    Couldn't do the last step. It kept saying that Netscape could not read the file. Also, the HijackThis file won't open now. Dang, what a mess.
    But I did the rest. Let me know what to do next.
    IE is still not working. Thanks bunches.

    ..
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,
    Uninstall from Add/Remove Programs>

    SpywareCop

    PCShield, SafeGuard anything...

    These utilities will fit on floppy diskettes:

    Hoster.zip

    Download the Hoster from here http://members.aol.com/toadbee/hoster.zip
    . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.


    CWShredder.exe

    http://www.majorgeeks.com/download3019.html

    AboutBuster
    http://www.majorgeeks.com/download4289.html

    Copy and paste these directions to a Notepad text file and save it on your desktop as Help1.txt or something, or you can print out the text here...

    AboutBuster is in .zip form so you will have to unzip it to the desktop. Just leave it alone for now, we will run it later.

    Boot to Safe Mode> Tap the F8 key when you restart and see the first bit of text on screen, eventually you should get the startup menu, select Safe Mode with your arrow key, and then hit the Enter key once, give it plenty of time to reach the desktop.

    Do this:

    Double-click on the My Computer icon.
    Select the Tools menu and click Folder Options.
    After the new window appears select the View tab.
    Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    Remove the checkmark from the checkbox labeled Hide protected operating system files.
    Press the Apply button and then the OK button and close My Computer.

    Do NOT restart. Stay in Safe Mode....
    ____________________
    Run Hijackthis, and put checks next to all of these items, then click "Fix checked" .... have all other windows closed when you fix things.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ls0.net/home.html (obfuscated)
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 3466709097 auto.search.msn.com
    O1 - Hosts: 3466709097 sitefinder.verisign.com
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O1 - Hosts: 3466709097 www.your.com
    O1 - Hosts: 3466709097 your.com
    O1 - Hosts: 3466690378 ad.doubleclick.net
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com

    O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINNT\System32\sfg_4811.dll

    O2 - BHO: posHelp Class - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)


    O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRA~1\SPYWAR~1\Spyware-Cop.exe" /s
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_4811.dll"
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_4811.dll"


    In Windows Explorer, navigate to the folders shown holding these files, and delete the files at the ends of the lines from those folders:

    C:\WINNT\System32\sfg_4811.dll
    C:\PROGRA~1\SPYWAR~1\Spyware-Cop.exe

    And delete the C:\Program Files\SpywareCop folder.
    ____________________
    Now, run AboutBuster.exe, it will scan and remove if it finds anything bad.
    _____________________
    Run CWShredder> use the "FIX" button, not scan only. It will scan and may remove something, or it will tell you the system was clean.


    Open your Control Panel>Internet Options>Delete Files and also "Delete all offline content".

    Internet Options> Advanced> Restore Defaults.

    You can also Reset Web Settings in Internet Options>Programs.



    Restart the computer back to normal mode...

    You will need AdAware SE personal edition v. 1.05
    This one will not fit on a floppy disk, so try the Internet...let me know if you can get online.

    If you can, do not hesitate to use an online scanner:

    http://housecall.antivirus.com/housecall/start_corp.asp

    Use the AUTOCLEAN setting and scan all hard drives.


    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Post a new Hijackthis log when you are done.

    If you can download, and need AdAware SE>

    http://www.majorgeeks.com/download506.html

    AdAware:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.
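
The following is an added example, not part of the thread or of HijackThis itself. It parses lines in the format of the log posted above, rewrites the decimal addresses on the O1 Hosts lines as dotted quads, and lists files that are registered in more than one autostart section (O2 BHO and O4 Run). The function names and the sample selection are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINNT\System32\sfg_4811.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_4811.dll"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\System32\sfg_4811.dll"
"""

ENTRY_RE = re.compile(r"^\s*([ORF]\d+)\s+-\s+(.*)$")      # "O4 - <body>"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")         # "Hosts: <addr> <name>"
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx))', re.I)

def parse(log):
    """Yield (section, body) for every entry line in a HijackThis log."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def decode_hosts(log):
    """Return (hostname, address as written, dotted quad) for each O1 line."""
    out = []
    for section, body in parse(log):
        m = HOSTS_RE.match(body) if section == "O1" else None
        if not m:
            continue
        addr, host = m.groups()
        dotted = addr
        # A bare decimal number is the 32-bit IPv4 address written as one integer.
        if addr.isdigit() and int(addr) < 2**32:
            dotted = str(ipaddress.IPv4Address(int(addr)))
        out.append((host, addr, dotted))
    return out

def files_by_autostart(log):
    """Map each file path (lower-cased) to the O2/O4 sections that load it."""
    seen = defaultdict(set)
    for section, body in parse(log):
        m = PATH_RE.search(body) if section in ("O2", "O4") else None
        if m:
            seen[m.group(1).lower()].add(section)
    return dict(seen)

def multi_registered(log):
    """Files that appear in more than one autostart section, for review."""
    return sorted(p for p, s in files_by_autostart(log).items() if len(s) > 1)

if __name__ == "__main__":
    for host, raw, dotted in decode_hosts(SAMPLE_LOG):
        print(f"{host:28} {raw:>12} -> {dotted}")
    print("registered in several sections:", multi_registered(SAMPLE_LOG))
```
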
     