help

Discussion in 'adware, spyware & hijack cleaning' started by jake123, Jan 4, 2004.

Thread Status:
Not open for further replies.
  1. jake123

    jake123 Guest

    please can u help me out guys.
    You help me out a while back and need your help again :'(
    pC is going mad with pop ups and other stuff at the minute
    heres my log.

    cheersLogfile of HijackThis v1.97.7
    Scan saved at 23:30:29, on 04/01/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SA3DSRV.EXE
    C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\COMPAQ\INTERNET\CISRVR.EXE
    C:\CPQS\BWTOOLS\SCCENTER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\CIJ3P2PS.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\PRIMAX\POWERTWAIN\PMXDETECT.EXE
    C:\WINDOWS\SYSTEM\LAUNCHER.EXE
    C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0809&s=search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=22776
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&s=search&query=%s&i=enu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    O1 - Hosts: 1089288654 auto.search.msn.com
    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\IEFEATSL.DLL
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
    O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
    O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
    O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [CIJ3P2PSERVER] CIJ3P2PS.EXE
    O4 - HKLM\..\Run: [Scan Detector] C:\PROGRA~1\PRIMAX\POWERT~1\Pmxdetect.exe
    O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\SYSTEM\Launcher.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
    O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
    O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\APPLICATION DATA\IEFEATSL\submit.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol014.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\supercd\IntraLaunch.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi jake123 :)

    Please download and run CWshredder at this link

    http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Then follow the instuctions here,

    http://www.wilderssecurity.com/showthread.php?t=15913




    snowbound
     
Thread Status:
Not open for further replies.