Help me with common hijacker,please!

Discussion in 'adware, spyware & hijack cleaning' started by Heidi, May 27, 2004.

Thread Status:
Not open for further replies.
  1. Heidi

    Heidi Registered Member

    Joined:
    May 27, 2004
    Posts:
    2
    I am not so good with computers (or english language) but i hope i've done everything right... Please help, i hate what this common hijacker does to my computer. The homepage (www.google.fi) keeps changing to http://www.search-for-you.com/ and i can't open all internetpages i could before and i can't update windows.

    I ran first Spybot S&D (many thimes) and then Ad-aware (also many times).

    My HijackThis log (ohjelmatiedostot is finnish and means in english program files):

    Logfile of HijackThis v1.97.7
    Scan saved at 20:54:51, on 27.5.2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ESM2\SAGENT95.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGSERV9.EXE
    C:\ESM2\EBRR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\OHJELMATIEDOSTOT\WINAMP3\WINAMPA.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGCC32.EXE
    C:\OHJELMATIEDOSTOT\YHTEISET TIEDOSTOT\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\ESM2\STMS.EXE
    C:\OHJELMATIEDOSTOT\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\SYSTEMIE.EXE
    C:\OHJELMATIEDOSTOT\OPENOFFICE.ORG1.0\PROGRAM\SOFFICE.EXE
    C:\WINDOWS\SYSTEM\SYSTEMP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\OHJELMATIEDOSTOT\INTERNET EXPLORER\IEXPLORE.EXE
    C:\OHJELMATIEDOSTOT\INTERNET EXPLORER\IEXPLORE.EXE
    C:\OHJELMATIEDOSTOT\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fi.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\OHJELM~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\OHJELM~1\YHTEIS~1\REAL\TOOLBAR\REALBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\ohjelmatiedostot\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CHIPSStart] CHPSTART.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Ohjelmatiedostot\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\OHJELM~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [websx] C:\OHJELMATIEDOSTOT\WEBSX\INT164706.EXE -auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Ohjelmatiedostot\Yhteiset tiedostot\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [svshost] C:\WINDOWS\SYSTEM\svshost.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent95ExePath] C:\ESM2\SAgent95.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\OHJELM~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wupdmgr.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
    O4 - Startup: OpenOffice.org 1.0.lnk = C:\Ohjelmatiedostot\OpenOffice.org1.0\program\quickstart.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Ohjelmatiedostot\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\OHJELMATIEDOSTOT\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\OHJELMATIEDOSTOT\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\OHJELMATIEDOSTOT\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\OHJELMATIEDOSTOT\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - WWW. Prefix: http://ehttp.cc/?
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38027.9046064815
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/fi/win/QuickTimeFullInstaller.exe
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1014_EN.cab
     
    Heidi, May 27, 2004
    #1
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fi.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)

    O4 - HKLM\..\Run: [svshost] C:\WINDOWS\SYSTEM\svshost.exe

    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - WWW. Prefix: http://ehttp.cc/?
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

    Reboot, and delete the file C:\WINDOWS\SYSTEM\svshost.exe. Note the EXACT spelling! Do not delete the file svChost.exe!

    As there are traces of a Coolweb infestation, please download CWShredder
    This was written to deal with Coolweb and all its variants.

    Download and run the program. Let it fix everything it finds, and reboot.

    Run Hijack this again, and post a fresh log so we can check that you are cleaned up.
     
    dave38, May 27, 2004
    #2
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Heidi,


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)

    O4 - HKLM\..\Run: [websx] C:\OHJELMATIEDOSTOT\WEBSX\INT164706.EXE -auto

    O4 - HKLM\..\Run: [svshost] C:\WINDOWS\SYSTEM\svshost.exe

    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - WWW. Prefix: http://ehttp.cc/?
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab

    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1014_EN.cab

    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot into safe mode and delete:
    C:\OHJELMATIEDOSTOT\WEBSX <= entire folder
    C:\WINDOWS\SYSTEM\svshost.exe

    Regards,

    Pieter
     
    Pieter_Arntz, May 27, 2004
    #3
  4. Heidi

    Heidi Registered Member

    Joined:
    May 27, 2004
    Posts:
    2
    Thank you so much! Here is the new log, I really hope it's ok now:


    Logfile of HijackThis v1.97.7
    Scan saved at 22:25:59, on 30.5.2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ESM2\SAGENT95.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGSERV9.EXE
    C:\ESM2\EBRR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\OHJELMATIEDOSTOT\WINAMP3\WINAMPA.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGCC32.EXE
    C:\OHJELMATIEDOSTOT\YHTEISET TIEDOSTOT\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\ESM2\STMS.EXE
    C:\OHJELMATIEDOSTOT\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\SYSTEMIE.EXE
    C:\OHJELMATIEDOSTOT\OPENOFFICE.ORG1.0\PROGRAM\SOFFICE.EXE
    C:\WINDOWS\SYSTEM\SYSTEMP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\OHJELM~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\OHJELM~1\YHTEIS~1\REAL\TOOLBAR\REALBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\ohjelmatiedostot\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CHIPSStart] CHPSTART.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Ohjelmatiedostot\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\OHJELM~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Ohjelmatiedostot\Yhteiset tiedostot\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent95ExePath] C:\ESM2\SAgent95.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\OHJELM~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wupdmgr.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
    O4 - Startup: OpenOffice.org 1.0.lnk = C:\Ohjelmatiedostot\OpenOffice.org1.0\program\quickstart.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Ohjelmatiedostot\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\OHJELMATIEDOSTOT\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\OHJELMATIEDOSTOT\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\OHJELMATIEDOSTOT\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\OHJELMATIEDOSTOT\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38027.9046064815
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/fi/win/QuickTimeFullInstaller.exe
     
    Heidi, May 30, 2004
    #4
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Heidi,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wupdmgr.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess

    Then reboot and delete:

    C:\WINDOWS\System\wupdmgr.exe <= http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SMALL.X&VSect=T
    p2esocks_1014.dll

    Regards,

    Pieter
     
    Pieter_Arntz, May 31, 2004
    #5
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...