Help with Hijackthis

Discussion in 'adware, spyware & hijack cleaning' started by cjransom, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. cjransom

    cjransom Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    2
    I am having issue with performance with my browser. My homepage is constantly changing to various search engines as well as an excessive amount of pop-ups.

    -I have run Ad-aware and deleted the indicated files.
    -I have run HijackThis and have attached the log file.


    ***Thank you in advance.

    cjransom
     

    Attached Files:

  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Run HijackThis and tick the following items
    Close all browser windows BEFORE choosing Fix Selected
    Then reboot, and post a new log



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {92CBA277-292B-461f-9DEA-67A5C834E101} - C:\WINDOWS\System32\LinkMgr.dll

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll


    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H

    O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"

    O4 - HKLM\..\Run: [WorkFlo(1)] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [WorkFlo] D:\BrdJmp\WorkFlow.exe

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Media-Search] "C:\Program Files\msnet\v9\msnet.EXE" /H
    O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\tb_setup.exe /dcheck
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [yzwj] C:\WINDOWS\yzwj.exe
    O4 - HKLM\..\Run: [GNETD] C:\WINDOWS\System32\GNETD.exe
    O4 - HKLM\..\Run: [ODEMUIM] C:\WINDOWS\System32\ODEMUIM.exe
    O4 - HKLM\..\Run: [_28598C] C:\WINDOWS\System32\_28598C.exe

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Christopher Ransom\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [WCPI] C:\WINDOWS\System32\wintsvit.exe
    O4 - HKCU\..\Run: [traffic] C:\WINDOWS\System32\traffic.exe

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab

    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_50038/QDow.cab

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?rand=200342613

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please send these files to submit@diamondcs.com.au , zip them all up into 1 zip if you dont mind. I'll let you know if they are all safe to delete, they should be

    C:\WINDOWS\System32\toolbar.dll
    C:\WINDOWS\twaintec.dll
    C:\WINDOWS\systb.dll
    C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
    C:\WINDOWS\System32\toolbar.dll
    C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
    C:\Program Files\MediaLoads Enhanced\ME2.DLL
    C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    C:\WINDOWS\wsem218.dll
    C:\WINDOWS\System32\LinkMgr.dll
    C:\PROGRA~1\INTELL~1\ISengine.dll
    C:\WINDOWS\nem218.dll
    C:\PROGRA~1\INTELL~1\INTELL~1.DLL
    C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    C:\Program Files\DownloadWare\dw.exe
    C:\Program Files\DelFin\PromulGate\PgMonitr.exe
    E:\BrdJmp\WorkFlow.exe
    C:\WINDOWS\wt\updater\wcmdmgrl.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\Program Files\msnet\v9\msnet.EXE
    C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\tb_setup.exe
    C:\WINDOWS\alchem.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\WINDOWS\sysupd.exe
    C:\WINDOWS\wupdt.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    c:\program files\180solutions\msbb.exe
    C:\Program Files\Power Scan\powerscan.exe
    C:\WINDOWS\yzwj.exe
    C:\WINDOWS\System32\GNETD.exe
    C:\WINDOWS\System32\ODEMUIM.exe
    C:\WINDOWS\System32\_28598C.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Documents and Settings\Christopher Ransom\Application Data\ttuh.exe
    C:\WINDOWS\System32\wintsvit.exe
    C:\WINDOWS\System32\traffic.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\install.cab
     
  4. cjransom

    cjransom Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    2
    Thanks for the help- Here is the new log- I will send the requested files to the email you supplied.
     

    Attached Files:

  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi cjransom,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"

    O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\winex\v2\winex.EXE" /U
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [sikbdM] C:\WINDOWS\System32\sikbdM.exe
    O4 - HKLM\..\Run: [fc42m] C:\WINDOWS\System32\fc42m.exe

    O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q

    O4 - Startup: PowerReg Scheduler.exe

    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab

    Then reboot into safe mode and delete:
    C:\Program Files\ClockSync <= entire folder
    C:\Program Files\winex <= entire folder
    C:\Program Files\Common Files\CMEII <= entire folder
    C:\WINDOWS\sysupd.exe
    C:\Program Files\ISTsvc <= entire folder
    C:\Program Files\Common files\WinTools <= entire folder
    C:\WINDOWS\System32\sikbdM.exe
    C:\WINDOWS\System32\fc42m.exe

    Then use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.