Help with Hijackthis

I am having issue with performance with my browser. My homepage is constantly changing to various search engines as well as an excessive amount of pop-ups.

-I have run Ad-aware and deleted the indicated files.
-I have run HijackThis and have attached the log file.


***Thank you in advance.

cjransom

 

Hi,

Run HijackThis and tick the following items
Close all browser windows BEFORE choosing Fix Selected
Then reboot, and post a new log



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {92CBA277-292B-461f-9DEA-67A5C834E101} - C:\WINDOWS\System32\LinkMgr.dll

O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll


O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H

O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"

O4 - HKLM\..\Run: [WorkFlo(1)] E:\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [WorkFlo] D:\BrdJmp\WorkFlow.exe

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [Media-Search] "C:\Program Files\msnet\v9\msnet.EXE" /H
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [yzwj] C:\WINDOWS\yzwj.exe
O4 - HKLM\..\Run: [GNETD] C:\WINDOWS\System32\GNETD.exe
O4 - HKLM\..\Run: [ODEMUIM] C:\WINDOWS\System32\ODEMUIM.exe
O4 - HKLM\..\Run: [_28598C] C:\WINDOWS\System32\_28598C.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Christopher Ransom\Application Data\ttuh.exe
O4 - HKCU\..\Run: [WCPI] C:\WINDOWS\System32\wintsvit.exe
O4 - HKCU\..\Run: [traffic] C:\WINDOWS\System32\traffic.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_50038/QDow.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?rand=200342613

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

Please send these files to submit@diamondcs.com.au , zip them all up into 1 zip if you dont mind. I'll let you know if they are all safe to delete, they should be

C:\WINDOWS\System32\toolbar.dll
C:\WINDOWS\twaintec.dll
C:\WINDOWS\systb.dll
C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
C:\WINDOWS\System32\toolbar.dll
C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
C:\Program Files\MediaLoads Enhanced\ME2.DLL
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
C:\WINDOWS\wsem218.dll
C:\WINDOWS\System32\LinkMgr.dll
C:\PROGRA~1\INTELL~1\ISengine.dll
C:\WINDOWS\nem218.dll
C:\PROGRA~1\INTELL~1\INTELL~1.DLL
C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
E:\BrdJmp\WorkFlow.exe
C:\WINDOWS\wt\updater\wcmdmgrl.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\msnet\v9\msnet.EXE
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\tb_setup.exe
C:\WINDOWS\alchem.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\sysupd.exe
C:\WINDOWS\wupdt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
c:\program files\180solutions\msbb.exe
C:\Program Files\Power Scan\powerscan.exe
C:\WINDOWS\yzwj.exe
C:\WINDOWS\System32\GNETD.exe
C:\WINDOWS\System32\ODEMUIM.exe
C:\WINDOWS\System32\_28598C.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Documents and Settings\Christopher Ransom\Application Data\ttuh.exe
C:\WINDOWS\System32\wintsvit.exe
C:\WINDOWS\System32\traffic.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\install.cab

 

Thanks for the help- Here is the new log- I will send the requested files to the email you supplied.

 

Hi cjransom,

Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
These easily get lost in a Temp folder.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"

O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\winex\v2\winex.EXE" /U
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [sikbdM] C:\WINDOWS\System32\sikbdM.exe
O4 - HKLM\..\Run: [fc42m] C:\WINDOWS\System32\fc42m.exe

O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q

O4 - Startup: PowerReg Scheduler.exe

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab

Then reboot into safe mode and delete:
C:\Program Files\ClockSync <= entire folder
C:\Program Files\winex <= entire folder
C:\Program Files\Common Files\CMEII <= entire folder
C:\WINDOWS\sysupd.exe
C:\Program Files\ISTsvc <= entire folder
C:\Program Files\Common files\WinTools <= entire folder
C:\WINDOWS\System32\sikbdM.exe
C:\WINDOWS\System32\fc42m.exe

Then use AdAware as described here:
https://www.wilderssecurity.com/showthread.php?t=15913

Post a new log when you are done, so we can see if everything worked out as planned.

Regards,

Pieter