Help with Hijackthis

Discussion in 'adware, spyware & hijack cleaning' started by cjransom, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. cjransom

    cjransom, Registered Member (Joined: Jun 9, 2004; Posts: 2)
    I am having an issue with the performance of my browser. My homepage is constantly changing to various search engines, and I am getting an excessive amount of pop-ups.

    - I have run Ad-aware and deleted the indicated files.
    - I have run HijackThis and have attached the log file.


    ***Thank you in advance.

    cjransom
     


  2. Gavin - DiamondCS

    Gavin - DiamondCS, Former DCS Moderator (Joined: Feb 10, 2002; Posts: 2,080; Location: Perth, Western Australia)
    Hi,

    Run HijackThis and tick the following items.
    Close all browser windows BEFORE choosing Fix Selected.
    Then reboot, and post a new log.



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {92CBA277-292B-461f-9DEA-67A5C834E101} - C:\WINDOWS\System32\LinkMgr.dll

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll


    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H

    O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"

    O4 - HKLM\..\Run: [WorkFlo(1)] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [WorkFlo] D:\BrdJmp\WorkFlow.exe

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Media-Search] "C:\Program Files\msnet\v9\msnet.EXE" /H
    O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\tb_setup.exe /dcheck
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [yzwj] C:\WINDOWS\yzwj.exe
    O4 - HKLM\..\Run: [GNETD] C:\WINDOWS\System32\GNETD.exe
    O4 - HKLM\..\Run: [ODEMUIM] C:\WINDOWS\System32\ODEMUIM.exe
    O4 - HKLM\..\Run: [_28598C] C:\WINDOWS\System32\_28598C.exe

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Christopher Ransom\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [WCPI] C:\WINDOWS\System32\wintsvit.exe
    O4 - HKCU\..\Run: [traffic] C:\WINDOWS\System32\traffic.exe

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab

    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_50038/QDow.cab

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?rand=200342613

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS, Former DCS Moderator (Joined: Feb 10, 2002; Posts: 2,080; Location: Perth, Western Australia)
    Please send these files to submit@diamondcs.com.au. Zip them all up into 1 zip if you don't mind. I'll let you know if they are all safe to delete; they should be.

    C:\WINDOWS\System32\toolbar.dll
    C:\WINDOWS\twaintec.dll
    C:\WINDOWS\systb.dll
    C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
    C:\WINDOWS\System32\toolbar.dll
    C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
    C:\Program Files\MediaLoads Enhanced\ME2.DLL
    C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    C:\WINDOWS\wsem218.dll
    C:\WINDOWS\System32\LinkMgr.dll
    C:\PROGRA~1\INTELL~1\ISengine.dll
    C:\WINDOWS\nem218.dll
    C:\PROGRA~1\INTELL~1\INTELL~1.DLL
    C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    C:\Program Files\DownloadWare\dw.exe
    C:\Program Files\DelFin\PromulGate\PgMonitr.exe
    E:\BrdJmp\WorkFlow.exe
    C:\WINDOWS\wt\updater\wcmdmgrl.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\Program Files\msnet\v9\msnet.EXE
    C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\tb_setup.exe
    C:\WINDOWS\alchem.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\WINDOWS\sysupd.exe
    C:\WINDOWS\wupdt.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    c:\program files\180solutions\msbb.exe
    C:\Program Files\Power Scan\powerscan.exe
    C:\WINDOWS\yzwj.exe
    C:\WINDOWS\System32\GNETD.exe
    C:\WINDOWS\System32\ODEMUIM.exe
    C:\WINDOWS\System32\_28598C.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Documents and Settings\Christopher Ransom\Application Data\ttuh.exe
    C:\WINDOWS\System32\wintsvit.exe
    C:\WINDOWS\System32\traffic.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\install.cab
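
The file list in this post corresponds to the on-disk path in each flagged log entry, with launch arguments stripped. The following is an added example (not part of the thread and not HijackThis's own code) that extracts those paths and drops repeats; the regexes are assumptions about the line layout seen in this thread, and the sample lines are copied from the entries quoted above.

```python
import re

# Sample lines copied from the log entries quoted in this thread.
SAMPLE = r'''
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_50038/QDow.cab
'''

# Assumed layout: "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] path args".
ENTRY = re.compile(r'^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$')
CLSID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# Drive-letter path ending at the first ".ext" followed by a quote, whitespace,
# "/" or end of line; this cuts off arguments such as "/H" or "-launch".
# Heuristic: a folder name containing ".xxx " would end the match early.
PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.[A-Za-z0-9]{2,4}(?=$|["\s/])')

def parse_entry(line):
    """Split one log line into section code, CLSID and on-disk path (None if absent)."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    clsid, path = CLSID.search(body), PATH.search(body)
    return {
        'code': m.group('code'),
        'clsid': clsid.group(0).upper() if clsid else None,
        'path': path.group(0) if path else None,  # "(no file)" and URLs give None
    }

def files_to_collect(log_text):
    """Unique file paths referenced by the entries, first-seen order, case-insensitive."""
    seen, files = set(), []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry['path'] and entry['path'].lower() not in seen:
            seen.add(entry['path'].lower())
            files.append(entry['path'])
    return files

if __name__ == '__main__':
    for f in files_to_collect(SAMPLE):
        print(f)
```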
     
  4. cjransom

    cjransom, Registered Member (Joined: Jun 9, 2004; Posts: 2)
    Thanks for the help. Here is the new log. I will send the requested files to the email you supplied.
     


  5. Pieter_Arntz

    Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,330; Location: Netherlands)
    Hi cjransom,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"

    O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\winex\v2\winex.EXE" /U
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [sikbdM] C:\WINDOWS\System32\sikbdM.exe
    O4 - HKLM\..\Run: [fc42m] C:\WINDOWS\System32\fc42m.exe

    O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q

    O4 - Startup: PowerReg Scheduler.exe

    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab

    Then reboot into safe mode and delete:
    C:\Program Files\ClockSync <= entire folder
    C:\Program Files\winex <= entire folder
    C:\Program Files\Common Files\CMEII <= entire folder
    C:\WINDOWS\sysupd.exe
    C:\Program Files\ISTsvc <= entire folder
    C:\Program Files\Common files\WinTools <= entire folder
    C:\WINDOWS\System32\sikbdM.exe
    C:\WINDOWS\System32\fc42m.exe

    Then use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     