Computing.Net
How to re-install Info32.exe?
Original Message

Name: Greensky
Date: September 27, 2003 at 09:07:19 Pacific
Subject: How to re-install Info32.exe?
OS: beats me
CPU/Ram: beats me

Comment: I get this a lot, where my computer says "couldn't find file Info32.exe". And apparently, without Info32.exe, your internet goes really slow... I've fixed this problem before, but I couldn't find the thread that explained how to fix this problem, so I'm posting a new topic. If anyone knows how to fix this Info32.exe file, please let me know.

Response Number 3
Name: Tom41
Date: September 28, 2003 at 01:40:25 Pacific

Reply: Info32.exe is a new variant of the CoolWebSearch hijacker. CWShredder has just been updated to detect and remove this variant but may not remove all of it. (We haven't gotten copies of all the files involved yet.) Download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

Response Number 4
Name: Greensky
Date: September 28, 2003 at 08:26:59 Pacific

Reply: I know that this problem can be fixed manually, by going into a certain directory and deleting the "RUN Info35.exe" command. I've done it before, but I forget which directory it's under.

Response Number 5
Name: Greensky
Date: September 28, 2003 at 08:29:13 Pacific

Reply: Also, ever since my hijacking, I haven't been able to download ANY files whatsoever. So I can't download HijackThis! from this computer. I'll have to find another computer, download it there, save it to a disk, and put it into my current computer.

Response Number 6
Name: Tom41
Date: September 28, 2003 at 08:48:44 Pacific

Reply: Hi Greensky, this doesn't sound like a simple Coolweb hijack... more like a virus. If you can't download Hijack, try this: First, click Start > Run > type msinfo32 and click OK. Click Software Environment, then Startup Programs. Click Edit, Select All, Edit, Copy. Then paste it to Notepad. Then click on Running Tasks and do the same. Then copy and paste it into a reply.

Response Number 7
Name: Greensky
Date: September 28, 2003 at 14:16:15 Pacific

Reply: Ok, here's what I got:

Startup Programs:
WinZip Quick Pick | Startup Group | "C:\Program Files\WinZip\WZQKPICK.EXE"
GStartup | Startup Group | "C:\Program Files\Common Files\GMT\GMT.exe" /startup
PowerReg Scheduler V3.exe | Startup Group | C:\Windows\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe
run | Win.ini | info32.exe
ScanRegistry | Registry (Machine Run) | c:\windows\scanregw.exe /autorun
TaskMonitor | Registry (Machine Run) | c:\windows\taskmon.exe
SystemTray | Registry (Machine Run) | SysTray.Exe
LoadPowerProfile | Registry (Machine Run) | Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
TgAddServer | Registry (Machine Run) | "C:\@Home\tioga\bin\tgshell.exe" /fds "http:\\www\download\tioga"
RealTray | Registry (Machine Run) | C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
CC2KUI | Registry (Machine Run) | C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
QuickTime Task | Registry (Machine Run) | C:\WINDOWS\SYSTEM\QTTASK.EXE
WinampAgent | Registry (Machine Run) | "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
EM_EXEC | Registry (Machine Run) | C:\MOUSE\SYSTEM\EM_EXEC.EXE
WhenUSave | Registry (Machine Run) | C:\PROGRA~1\SAVE\Save.exe
StillImageMonitor | Registry (Machine Run) | C:\WINDOWS\SYSTEM\STIMON.EXE
Share-to-Web Namespace Daemon | Registry (Machine Run) | c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CMESys | Registry (Machine Run) | "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
P2P NETWORKING | Registry (Machine Run) | C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
AltnetPointsManager | Registry (Machine Run) | C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
Tapicfg.exe | Registry (Machine Run) | \tapicfg.exe
LoadPowerProfile | Registry (Machine Service) | Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent | Registry (Machine Service) | mstask.exe

Running Tasks:
Kernel32.dll 4.10.2222 Microsoft Corporation Win32 Kernel core component C:\WINDOWS\SYSTEM\Kernel32.dll 4.3 Microsoft(R) Windows(R) Operating System
MSGSRV32.EXE 4.10.2222 Microsoft Corporation Windows 32-bit VxD Message Server C:\WINDOWS\SYSTEM\MSGSRV32.EXE 4.0 Microsoft(R) Windows(R) Operating System
Mprexe.exe 4.10.1998 Microsoft Corporation WIN32 Network Interface Service Process C:\WINDOWS\SYSTEM\Mprexe.exe 4.0 Microsoft(R) Windows(R) Operating System
Mstask.exe 4.71.1972.1 Microsoft Corporation Task Scheduler Engine C:\WINDOWS\SYSTEM\Mstask.exe 4.0 Microsoft® Windows® Task Scheduler
MMTASK.TSK 4.03.1998 Microsoft Corporation Multimedia background task support module C:\WINDOWS\SYSTEM\MMTASK.TSK 4.0 Microsoft Windows
Explorer.exe 4.72.3110.1 Microsoft Corporation Windows Explorer C:\WINDOWS\Explorer.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Internat.exe 4.80.3008.1 Microsoft Corporation Internat C:\WINDOWS\SYSTEM\Internat.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Taskmon.exe 4.10.1998 Microsoft Corporation Task Monitor C:\WINDOWS\Taskmon.exe 4.0 Microsoft(R) Windows(R) Operating System
Systray.exe 4.10.2222 Microsoft Corporation System Tray Applet C:\WINDOWS\SYSTEM\Systray.exe 4.0 Microsoft(R) Windows(R) Operating System
Realplay.exe 6.0.9.584 RealNetworks, Inc. RealPlayer C:\PROGRAM FILES\REAL\REALPLAYER\Realplay.exe 4.0 RealPlayer (32-bit)
Cstray.exe 1, 0, 0, 1 Comet Systems cstray C:\PROGRAM FILES\COMET\BIN\Cstray.exe 4.0 Comet Systems cstray
Qttask.exe C:\WINDOWS\SYSTEM\Qttask.exe 4.0
Winampa.exe C:\PROGRAM FILES\WINAMP\Winampa.exe 4.0
Em_exec.exe 8.21.573 Logitech Inc. Control Center C:\MOUSE\SYSTEM\Em_exec.exe 4.0 MouseWare
Save.exe 2, 5, 3, 1 WhenU.com, Inc. Save! C:\PROGRAM FILES\SAVE\Save.exe 4.0 Save!
Stimon.exe 4.10.2222 Microsoft Corporation Still Image Devices Monitor C:\WINDOWS\SYSTEM\Stimon.exe 4.0 Microsoft(R) Windows(R) Operating System
Hpgs2wnd.exe 2,3,0,0\ 161 Hewlett-Packard hpgs2wnd C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\Hpgs2wnd.exe 4.0 Hewlett-Packard hpgs2wnd
P2p networking.exe 1, 23, 10, 40 Joltid Ltd. P2P Networking C:\WINDOWS\SYSTEM\P2P NETWORKING\P2p networking.exe 4.0 P2P Networking
Points manager.exe 1, 0, 0, 108 ( Peer Points Manager C:\PROGRAM FILES\ALTNET\POINTS MANAGER\Points manager.exe 4.0 Peer Points Manager
Wzqkpick.exe 1.0 (32-bit) WinZip Computing, Inc. WinZip Executable C:\PROGRAM FILES\WINZIP\Wzqkpick.exe 4.0 WinZip
Gmt.exe 3.1.2.4 The Gator Corporation Gator Client Application C:\PROGRAM FILES\COMMON FILES\GMT\Gmt.exe 4.0 GAIN
Hpgs2wnf.exe 2, 6, 0, 161 $ hpgs2wnf Module C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\Hpgs2wnf.exe 4.0 hpgs2wnf Module
Pstores.exe 5.00.1877.3 Microsoft Corporation Protected storage server C:\WINDOWS\SYSTEM\Pstores.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Wmiexe.exe 5.00.1755.1 Microsoft Corporation WMI service exe housing C:\WINDOWS\SYSTEM\Wmiexe.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Fdaagent.exe C:\PROGRAM FILES\FREE DOWNLOADS ACCELERATOR\Fdaagent.exe 4.0
Ddhelp.exe 4.08.01.0881 Microsoft Corporation Microsoft DirectX Helper C:\WINDOWS\SYSTEM\Ddhelp.exe 4.0 Microsoft® DirectX for Windows® 95 and 98
Winamp.exe 2.80 Nullsoft Winamp C:\PROGRAM FILES\WINAMP\Winamp.exe 4.0 Winamp
Msinfo32.exe 4.10.2222 Microsoft Corporation MSInfo32 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\Msinfo32.exe 4.0 Microsoft System Information
Notepad.exe 4.10.1998 Microsoft Corporation Windows Notepad application file C:\WINDOWS\Notepad.exe 4.0 Microsoft(R) Windows(R) Operating System

Response Number 8
Name: Tom41
Date: September 28, 2003 at 15:41:04 Pacific

Reply: Click Start > Run > type win.ini and click OK. Edit the Run= Info32.exe line so it reads Run=. (There should be nothing to the right of Run=.)
Close the win.ini and save the changes. Reboot. Then see if you can download and run CWShredder.

Response Number 9
Name: Greensky
Date: September 29, 2003 at 07:46:49 Pacific

Reply: Ok, I did that, and now I'm not getting the "msinfo" message when I log on anymore, but my internet is still going slow, especially when I try to highlight something or type something into a search (like Yahoo, Google, eBay etc.). Scrolling down a page is horrible for me now. It used to be smooth and easy, but now it's really rough and slow. Also, I still cannot download anything at all. So besides fixing the message that I got during start-up, all of my other conditions seem to be here still. And I downloaded CWShredder on another comp and transferred it to this comp; I opened it, it did what it was supposed to, killed registries etc. But it still didn't help with my new internet/typing lag, or my downloading troubles.

Response Number 10
Name: Tom41
Date: September 29, 2003 at 09:08:11 Pacific

Reply: Do this. First check your security settings. Click Tools > Internet Options > Security tab. For Internet Zone, if it shows "Custom level" under "Security level for this zone", click the Custom Level button, scroll through the list and make sure "File Downloads" is enabled.

Also: Click Start > Run > type regedit and click OK. Click the + next to the following keys:
HKEY_LOCAL_MACHINE
  Software
    Microsoft
      Internet Explorer
        Plugins
Scroll down and click on the Extension folder. Is there anything listed other than default in the right hand window? Is there a + sign next to the Extension folder?

Response Number 12
Name: Tom41
Date: September 29, 2003 at 09:23:15 Pacific

Reply: Keep forgetting to ask: what happens when you try to download something? Do you get an error message? Does IE close?

Response Number 13
Name: Greensky
Date: September 29, 2003 at 12:09:40 Pacific

Reply: No, nothing happens at all when I try to download something. There used to be a pop up box saying "Open" and "Save", but that doesn't show up anymore...

Response Number 16
Name: Tom41
Date: September 29, 2003 at 13:15:36 Pacific

Reply: Try doing a repair of Internet Explorer. Go to Add/Remove Programs and double-click on Internet Explorer X and Internet Tools*. Choose the repair option.
* The X will be whatever version of IE you are using.

Response Number 18
Name: Stew66
Date: September 29, 2003 at 14:08:51 Pacific

Reply: Glad you all are working on this. I started having similar problems this morning. Same error messages. I can download, but IE doesn't work most of the time... wants to go somewhere I've never specified. Anyway, I managed to run HijackThis and got a 5-page log file. What should we be looking for... or do you want to see it?

Response Number 19
Name: Tom41
Date: September 29, 2003 at 14:39:14 Pacific

Reply: Greensky: Click Start > Settings > Control Panel > Add/Remove Programs.
Stew66: To save space, email me your HijackThis log. Click my name for the email addy.

Response Number 20
Name: Greensky
Date: September 29, 2003 at 15:32:01 Pacific

Reply: Yes! I can finally download files again! Thanks a lot Tom! But my Internet is still slow typing and slow scrolling on pages... It's pretty annoying too. If I can just get rid of this problem, my comp will be back to normal again.

Response Number 23
Name: srw1071
Date: September 30, 2003 at 03:57:23 Pacific

Reply: Thank god I've found this thread. Please keep this running to its conclusion... I've got all the same problems. The slow internet access is a real pain. I'll try some of the solutions suggested on this list. Cheers.

Response Number 24
Name: Greensky
Date: September 30, 2003 at 07:55:30 Pacific

Reply: Well, I woke up this morning, only to find that my homepage was set to "about:blank". This happens every single day! I have to re-run CWShredder; it removes the directories and files and temporarily fixes the problem, but then, the next day, it's all back again. So, that really stinks. Also, I tried all of the things listed above, but my internet typing, scrolling, and highlighting is still horribly slow. It's not the actual internet that's lagging. It goes to pages fast, loads things fast, but the problem is exactly what I listed above. I used the Spybot program, to find that I had quite a lot of red files. However, fixing these files didn't seem to fix my problem.

Here's a more detailed description of my typing problem if you think it would help: My typing is fine on some applications (such as this forum, but not on other forums), but when I type in a search bar, or usually a forum, I type from my keyboard, and the typing cursor moves very slowly across the page (left to right), not showing any letters until it finally stops moving. I would say that it takes about 1 minute to load a normal sentence. It's incredibly frustrating. If I try highlighting something, it'll take about 1 minute to show up, or it simply won't show at all. If anyone has any more suggestions, I'll be glad to take them.

Response Number 25
Name: Tom41
Date: September 30, 2003 at 10:29:52 Pacific

Reply: Hi Greensky, download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

Response Number 26
Name: Derek
Date: September 30, 2003 at 11:01:54 Pacific

Reply: Greensky and others, keep posting back. This is obviously turning out to be a difficult nut to crack totally. Tom41 has shown good, solid, sensible support and has my admiration for sticking like glue to this problem. I feel sure this will result in a satisfactory solution. Great work Tom41. Derek

Response Number 27
Name: Greensky
Date: September 30, 2003 at 14:54:02 Pacific

Reply:
Logfile of HijackThis v1.97.2
Scan saved at 4:01:03 PM, on 30/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\ALTNET\POINTS MANAGER\POINTS MANAGER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TgAddServer] "C:\@Home\tioga\bin\tgshell.exe" /fds "http:\\www\download\tioga"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Dialpad KR Java Applet - http://www.dialpad.co.kr/applet/vscp.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.7910532407
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def

Response Number 28
Name: Richard
Date: September 30, 2003 at 15:06:46 Pacific

Reply: This does seem to be a problem. I have the same message on re-boot each day, my IE homepage won't save and I've lost the ability to run a program or two that were CD based. I'll try the HijackThis option unless anyone else comes up with some other suggestion. I also seem to be bombarded with messages supposedly from Microsoft: 71 messages so far since Saturday morning, with 22 yesterday. Those very few that I have looked at (that was probably a mistake) have totally incomprehensible e-mail addresses. Two, for example, are osnwaqqnzc@confidence.ms.com and bndedbodtpmbqsl@advisor.msdn.com. I don't even open any of them now. Any ideas on how to stop them?

Response Number 29
Name: Tom41
Date: September 30, 2003 at 15:51:37 Pacific

Reply: Greensky,
1. Uninstall Comet Cursor, Altnet Download Manager and Peer Points.
2. Run HT again and check the following items. (Not all of them may be listed after uninstalling the above.) Next, close all browser windows, and have HT fix all checked.
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - Startup: PowerReg Scheduler V3.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def
After restarting, delete the following:
tapicfg.exe
C:\Program Files\Altnet folder
C:\WINDOWS\SYSTEM\P2P NETWORKING folder
The contents of C:\Windows\Temp

Response Number 31
Name: Stew66
Date: September 30, 2003 at 19:41:42 Pacific

Reply: Hey, all. I want to repeat Derek's kudos for Tom41: he's been a great help. I seem to have got CSW out of my system, but my IE still starts off very slowly with a proxy server (8080) that I've not specified. (Netscape works great.) Still working on Spybot and will be looking for help from my ISP when my phones are back up... electronic purgatory. Will post an update when available.

Response Number 32
Name: Jen
Date: October 1, 2003 at 03:29:40 Pacific

Reply: Just wanted to add my 'voice'... This morning I got the "couldn't find file Info32.exe" message when I booted up my computer. I'm going to follow all the suggestions above. Just for the record, I discovered that my son had been visiting porn sites on my PC yesterday afternoon (he's in big trouble!!!) so am sure it's some kind of trojan/spyware... I've just updated my Anti-Trojan software and Spybot, so will also be running those. My homepage was also set to "about:blank" instead of my normal homepage and yet opened on a site called "www.luckysearch.net". Will keep you posted.

Response Number 33
Name: Dan77
Date: October 1, 2003 at 04:30:40 Pacific

Reply: Hi Tom, I'm having the same problem as others. I keep getting the message file info32.exe is missing whenever I boot up. Here is my HijackThis log.

Logfile of HijackThis v1.97.2
Scan saved at 9:16:46 PM, on 1/10/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ABCD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?bzbjr about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hunterlink.net.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dodo Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\SYSTEM\cmmpu.exe
O1 - Hosts: 66.28.33.54 auto.search.msn.com
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
O2 - BHO: (no name) - {27A5FF76-9919-492C-98E3-EDA3502FC829} - C:\WINDOWS\SYSTEM\ML_32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Gator] "C:\Program Files\Gator.com\Gator\Gator.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [LanLite] lanlite.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] c:\program files\netscape\communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [od-stnd59] c:\program files\Webdialer\od-stnd59.exe -m
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .asf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hunterlink.net.au
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://www.rsvp.com.au:4080/chat/data/html/user/msie/msichat.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {09C1A291-8E2A-11D0-BB0B-00AA001F4283} (Pinger Class) - http://www1.pcpitstop.com/Ping.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} (eConn Class) - http://econnect.libereco.net/econnect.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2
O19 - User stylesheet: C:\WINDOWS\Web\win.def

Hope you can help me.
thanx.

Response Number 34
Name: Jen
Date: October 1, 2003 at 06:58:49 Pacific

Reply: Should I also paste the log file from "Hijack This"? I've checked for Trojans and Spyware and my system is clean.

Response Number 35
Name: Jen
Date: October 1, 2003 at 07:05:53 Pacific

Reply: Tom41, in response 8 you wrote "Edit the Run= Info32.exe line so it reads Run=. (There should be nothing to the right of Run=)". My win.ini file has not only the Info32.exe next to 'Run', but also "C:\WINDOWS\SYSTEM\cmmpu.exe". Should I leave "cmmpu.exe" or take that reference away too?

Response Number 36
Name: Greensky
Date: October 1, 2003 at 08:06:31 Pacific

Reply: Tom, I haven't deleted what you listed yet, mainly because I couldn't find any trace of those programs on my computer... But also, I'd like to point out that at least two out of three of the programs you listed are from Kazaa Media Player. If I delete those files, Kazaa becomes unusable. Could this problem have something to do with Kazaa? Also, maybe you could find another way for me to find those files on my computer. I tried searching for them with "Find", but no luck.

Jen, I wouldn't go too hard on him. It's like a built-in male quality (yes, males are sick :P). Heck, I don't know a single male friend of mine who doesn't look at pornographic material. Perhaps it's society's influence on making it sound so ordinary. For example, popular hit television shows like "Friends" and "That 70's Show" have situations where the male characters are watching or reading pornography, as if it's an everyday occurrence.

Response Number 37
Name: Tom41
Date: October 1, 2003 at 08:07:10 Pacific

Reply: (edit)Hi Jen, Yes, Just copy & paste your log in a reply. Yes also to leaving the C:\WINDOWS\SYSTEM\cmmpu.exe reference in the win.ini file.
|
|
Response Number 38
|
Name: Tom41
Date: October 1, 2003 at 08:15:39 Pacific
|
Reply: Dan77, first click Start > Run, type win.ini and click OK. Edit the line
run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\SYSTEM\cmmpu.exe
so it reads
run=C:\WINDOWS\SYSTEM\cmmpu.exe
Close win.ini and save the changes. Then download and run CWShredder and reboot. After running CWShredder, install, update and run Spybot-S&D. Have Spybot fix all red entries it lists and reboot. Run HT again and post a new log.
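The win.ini edit Tom41 describes above, done programmatically, as an added example that is not from the original thread: the function walks the [windows] section, removes only the run=/load= entry whose file name matches, and writes the survivors back on the same line, so cmmpu.exe stays while info32.exe goes, and a line with nothing left becomes a bare run= (as Response 8 asked for). SAMPLE_WIN_INI is constructed around the run= line quoted above; its load=, NullPort= and [Desktop] entries are assumptions, not taken from any poster's file.

```python
"""Strip one program from the run= line of a Win9x win.ini, keeping the rest.

Added example for the thread above, not a tool from the original posts.
SAMPLE_WIN_INI is constructed around the run= line quoted in the thread;
the other keys in it are made up for illustration.
"""
import re
from typing import List, Tuple

SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\..\\PROGRA~1\\COMMON~1\\MICROS~1\\MSINFO\\info32.exe "
    "C:\\WINDOWS\\SYSTEM\\cmmpu.exe\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

# key, optional whitespace, '=', then everything to the right of '='
_KEY_RE = re.compile(r"^(\s*)(run|load)(\s*=)(.*)$", re.IGNORECASE)


def split_run_value(value: str) -> List[str]:
    """Split a run=/load= value into its program entries.

    Win9x separates multiple programs on these lines with spaces, which is
    why paths there appear in 8.3 form (PROGRA~1) rather than with spaces.
    """
    return value.split()


def basename(entry: str) -> str:
    """Last path component of an entry, e.g. 'info32.exe'."""
    return re.split(r"[\\/]", entry)[-1]


def strip_run_entry(ini_text: str, target: str) -> Tuple[str, List[str]]:
    """Return (new_ini_text, removed_entries).

    Only run= and load= inside the [windows] section are edited. An entry is
    dropped when its file name equals `target` (case-insensitive, as Windows
    file names are). Surviving entries are written back on the same line, so
    removing info32.exe leaves run=C:\\WINDOWS\\SYSTEM\\cmmpu.exe intact; when
    nothing survives the line becomes a bare run= as the thread instructs.
    """
    removed: List[str] = []
    out: List[str] = []
    in_windows = False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            out.append(line)
            continue
        m = _KEY_RE.match(line)
        if not (in_windows and m):
            out.append(line)
            continue
        indent, key, eq, value = m.groups()
        keep = []
        for entry in split_run_value(value):
            if basename(entry).lower() == target.lower():
                removed.append(entry)
            else:
                keep.append(entry)
        out.append(f"{indent}{key}{eq}{' '.join(keep)}")
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, gone = strip_run_entry(SAMPLE_WIN_INI, "info32.exe")
    print("removed:", gone)
    print(cleaned)
```

Back up C:\WINDOWS\win.ini before writing the result over it, and check the removed list: if it is empty, the run= line was not where the infection lives and the HijackThis F1 entry needs another look.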
|
|
Response Number 39
|
Name: steveas
Date: October 1, 2003 at 08:29:00 Pacific
|
Reply: Tom, ditto, I have the exact same problem: 1) "can't load or run info32.exe"; 2) IE automatically resets its homepage to www.luckysearch.com; 3) internet is slow and jumpy.
|
|
Response Number 40
|
Name: Tom41
Date: October 1, 2003 at 08:56:00 Pacific
|
Reply: Greensky, have you searched hidden files and folders? Click Start > Settings > Folder Options > View tab. Check 'Show hidden files'. When searching, check 'Include subfolders'. If you still can't find them, uninstall Kazaa and fix everything listed above.
|
|
Response Number 42
|
Name: richard
Date: October 1, 2003 at 11:19:06 Pacific
|
Reply: Tom41, re your Response 30 to me, here is the log:

Logfile of HijackThis v1.97.2
Scan saved at 19:16:51, on 01/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SVCINIT.EXE
C:\WINDOWS\SYSTEM\MVHV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\VPDP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\WINGATE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SVCHOST.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?bzbjr about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?bzbjr about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezcybersearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ezcybersearch.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O1 - Hosts: 645238813 xuto.search.msn.com
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\WINDOWS\TEMP\MSFECO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(1)(1)(1).exe
O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [HotPix2] c:\program files\dialers\hotpix2\hotpix2.exe /noconnect
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [nuedhjvux] vpdp.exe autorun
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Login Service] C:\windows\wingate.exe
O4 - HKLM\..\RunOnce: [ehl] mvhv.exe
O4 - Startup: kyi.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def

Hope you can help me, or it's back to the re-install disks.
Richard
|
|
Response Number 43
|
Name: Tom41
Date: October 1, 2003 at 11:38:11 Pacific
|
Reply: Richard, before we start removing any of this mess that you have, go here (RAV) and run an online virus scan. Copy the log and paste it in a reply. You have two, possibly three, different viruses that we need to positively identify. Let me know if you are unable to run the scan.
|
|
Response Number 44
|
Name: jovirulez
Date: October 1, 2003 at 11:38:44 Pacific
|
Reply: Here is mine.

* HijackThis v1.97 *
Written by Merijn - merijn@spywareinfo.com
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/index.html

See below version history for short info on hijack sections.

* Version history *

[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* O19 (user stylesheet) now only checks for known bad filenames
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list

[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.

[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%s---browser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).

[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95.
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think).
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).

[v1.92]
* Fixed two stupid bugs in backup restore function.
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving.
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.

[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list.
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.

[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).

[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.

[v1.8]
* Fixed a few bugs.
* Adds detecting of free.aol.com in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!

[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.

[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.

[v1.61]
* Fixes Runtime Error when Hosts file is empty.

[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.

[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions.
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)

[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements

[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox

[v1.2]
* Adds 'Ignorelist' and 'Info' functions

[v1.1]
* Supports BHO's, some default URL changes

[v1.0]
* Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.

The different sections of hijacking possibilities have been separated into these groups:

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be

F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value

N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla

O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols
O19 - User stylesheet hijack
|
|
Response Number 46
|
Name: Jovirulez
Date: October 1, 2003 at 11:42:48 Pacific
|
Reply:

Logfile of HijackThis v1.97.2
Scan saved at 2:46:31 PM, on 10/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\PILOT MOUSE WHEEL SCROLL\4DMAIN.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\UNZIPPED\CWSHREDDER\CWSHREDDER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?pgdoc about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?pgdoc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.white-pages.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?pgdoc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?pgdoc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?pgdoc (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINDOWS\DOWNLO~1\MQGOLD1.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\PILOTM~1\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Trickler] "c:\program files\divx\divx pro codec\gain_trickler_3202.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37893.800625
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: ConferenceRoom Java Client - http://208.187.22.155:8000/java/cr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def
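The section legend pasted in Response 44 and the log in Response 46, turned into a small triage script. This is an added example, not code from the thread or from HijackThis. It splits a log into (section, body) pairs, flags the sections the readme says only appear after tampering (O1, O7, O10), flags other entries that mention the indicators this thread identifies (acc.count-all.com, info32.exe, New.Net), and converts the decimal-number address in an O1 Hosts line back to dotted-quad form, since inet_addr() accepts that notation and it hides the redirect target. SAMPLE_LOG is a constructed excerpt of lines copied from the logs above; BAD_INDICATORS is an assumption assembled from what the posters named.

```python
"""Triage a HijackThis 1.9x log for the hijack discussed in this thread.

Added example; not part of the original posts and not HijackThis code.
Section codes follow the readme quoted in Response 44. SAMPLE_LOG is a
constructed excerpt of lines copied from the logs posted above, and
BAD_INDICATORS is an assumption built from what the thread names.
"""
import re
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Hijacked Internet access by New.Net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# "<code> - <body>"; the running-process list and header lines do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[01]|N[1-4]|O\d{1,2}) - (.*)$")

# Sections that, per the readme, only show up when something was tampered with.
SECTION_NAMES = {
    "O1": "Hosts file redirect of auto.search.msn.com",
    "O7": "Regedit disabled by policy",
    "O10": "Winsock LSP hijack (New.Net/WebHancer)",
}

# Strings the thread ties to this infection; matched case-insensitively.
BAD_INDICATORS = ("acc.count-all.com", "info32.exe", "newdotnet", "new.net",
                  "disableregedit=1", "luckysearch", "ezcybersearch", "xwebsearch.biz")


def decode_hosts_ip(token: str) -> str:
    """A Hosts entry may give the address as one decimal number, which
    inet_addr() accepts and hijackers use to hide the real IP. Return it in
    dotted-quad form; anything that is not a bare 32-bit integer is returned
    unchanged."""
    if token.isdigit() and int(token) <= 0xFFFFFFFF:
        return socket.inet_ntoa(struct.pack("!I", int(token)))
    return token


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section_code, body) for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Group flagged entries by section code. O1/O7/O10 lines are always
    flagged; other lines are flagged when they carry a known indicator."""
    flagged: Dict[str, List[str]] = defaultdict(list)
    for code, body in parse_log(text):
        reason = None
        if code == "O1":
            m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
            if m:
                body = f"Hosts: {decode_hosts_ip(m.group(1))} {m.group(2)}"
            reason = SECTION_NAMES[code]
        elif code in SECTION_NAMES:
            reason = SECTION_NAMES[code]
        else:
            for ind in BAD_INDICATORS:
                if ind in body.lower():
                    reason = f"indicator {ind}"
                    break
        if reason:
            flagged[code].append(f"{body}  [{reason}]")
    return dict(flagged)


if __name__ == "__main__":
    for code, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"{code:>4}  {item}")
```

Run against a full log the script only shortlists entries; every O4 and O16 line still deserves a look, since the legend above says those sections enumerate everything present, good and bad alike.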
|
|
Response Number 47
|
Name: Tom41
Date: October 1, 2003 at 11:49:53 Pacific
|
Reply: Jovirulez, first go to Add/Remove Programs and uninstall New.net. Then download and run CWShredder and reboot. Finally, install, update and run Spybot-S&D. Have Spybot fix all red entries it lists.
|
|
Response Number 48
|
Name: phil500
Date: October 1, 2003 at 11:55:30 Pacific
|
Reply: Hi all. Been following the thread with quite some interest, as I have been plagued by the 'luckysearch.net default' problem. I have completely got rid of this hijack, which I believe was delivered by a virus - all inter-linked to making 'www.luckysearch.net' the default page in the IE web browser. Took 2 hours, but I was greatly helped by this thread - thanks especially Tom for your valuable info. The following information could potentially help anyone having any or all of the symptoms described in this thread.

Being a keen visitor of attractivebabes.com, a high-class, completely free and pop-up free softcore porn site, I decided to visit one of the recommended links. The site I visited seemed fine in itself, but when clicking on further links, IE windows started exploding all over the place. Deciding that it was a really bad idea, I began closing windows as fast as they opened. During one I got a small dialog box with just an 'OK' button. It said something like 'Automatic FTP download beginning' etc., followed by strings of what looked like hex strings. I am sure this is what started the problems...

Anyway, to cut a long story short, the default page became constantly set to luckysearch.net. When clicking 'Use Default' in Internet Options I found the default was indeed luckysearch.net. Using AntiVir (really good free anti-virus scanning and protection) I found that I had a trojan called 'startpage.y'. I am 90% positive that this is related to the info32.exe file. I've deleted the trojan and bogus files, and updated my win.ini file. However, if you're interested in how it got there in the first place and how to protect against further insertions, read on!

The trojan and .exe file got through because of a security hole in Microsoft's virtual machine, which Java uses in IE. It allows code to be run on a user's computer without them having any knowledge whatsoever of it even happening. Info and patch for this can be found here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp

Interestingly enough, although I use Windows Update regularly, it has never identified this patch as needed, although I don't have it, and Microsoft lists it as critical!!! Furthermore, I could only download this patch by clicking on the 'Additional info. about this patch' link and tinkering around in there for ages, and then being redirected to a similar article. Finally, I found a downloadable link. If you're having the same problems, go to http://support.microsoft.com/default.aspx?scid=kb;en-us;816093 and click on the link for network administrators. Absolutely long-winded, but you should be able to get the download from there.

Well, hope this long explanation helps, probably not explained very well, but I think I've covered everything. After installing the Microsoft patch I ran AntiVir again, as well as Ad-aware, CWShredder and also Spybot, just to be certain it had been removed. Also, delete some of the registry entries as described in the first Microsoft article link I've added here.
|
|
Response Number 49
|
Name: Jen
Date: October 1, 2003 at 12:54:52 Pacific
|
Reply: Tom41, I think I may have corrected the problem, but will paste the HijackThis.log file here anyway coz you'll know better than me. (Greensky, if my son was a teenager, I may not have said anything, but he's only 8!!! No more unsupervised internet for him!!!) Here's the HijackThis.log...
Logfile of HijackThis v1.97.2
Scan saved at 09:46:27, on 2003/10/01
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\HP SIMPLE TRAX\HPCRON.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\FMCTRL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\RunDLL.exe
D:\PROGRAMMES\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
D:\PROGRAMMES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mweb.co.za/home/default.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\ODIGO\BIN\ODIGOBHO.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\PROGRAM FILES\NAVEXCEL\NAVHELPER\V2.0.4\NHELPER.DLL (disabled by BHODemon)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [hpbrdetect] C:\Program Files\Hewlett-Packard\HP Web PrintSmart\brdetect.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Simple Trax] C:\Program Files\CD-Writer Plus\HP Simple Trax\hpcron.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Q3dctlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NPROTECT] D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [NPROTECT] D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRAMMES\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Global Startup: ZoneAlarm.lnk = D:\Programmes\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer
| |