Hijack help

Discussion in 'adware, spyware & hijack cleaning' started by Uppy, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. Uppy

    Uppy Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    7
    I recently had a very bad attack on my computer which generated some disturbing sites when I typed in a URL in IE. While I managed to fix that with HijackThis, Spybot and my antivirus, I can no longer store cookies and no files are ever stored in my address bar. Can someone tell me why and what I can do to fix it?
    Kind regards, Uppy.
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Go to https://www.wilderssecurity.com/showthread.php?t=12516 and download 'Hijack This!'.
    Make sure it is placed into its own folder, not a temporary folder. Then double-click the Hijackthis.exe.
    Click the "Scan" button. When the scan is finished, the Scan button will become "Save Log"; click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. Uppy

    Uppy Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    7
    OK, here's the HijackThis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 16:58:51, on 29/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee\QuickClean\Plguni.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\AIM95\aim.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Nokia\PC Suite for Nokia N-Gage\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia N-Gage\ectaskscheduler.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Documents and Settings\Mark Upcraft\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freednshost.info/page/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ntlworld.com/
    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: PCSuiteForNokiaN-Gage Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokiaN-Gage TS.lnk = ?
    O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\5253.exe
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09c104c6b656a41c8d17/netzip/RdxIE601.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...com/opistat/activex/opinstall_en_4.1.0.18.cab
    O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.megadownloads.info/SysWebTelecom.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab


    Thanks for any help.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    You have several hijackers and multiple infections here, and we will need to deal with them in stages.

    First:
    Please download this to fix the start.chm hijack.

    http://tools.zerosrealm.com/startchmfix.exe

    Download it, run it and extract the folder, preferably to the desktop.

    Open the folder after it is extracted.

    Double-click fix.bat.

    Please make sure all Internet Explorers are closed.

    Only run it once or you will lose the backups although they shouldn't be needed.

    Notepad will open at the end with a message and the bad file listing at the end. Please post that bad file listing line here.

    And do this:
    First download http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.zip, unzip it and then click on "search for hosts".
    When any hosts file is found, it will be listed in the bottom window; click on it and press the "reset default" button.
    That will replace any bad entries with the standard Windows entries.
    NOTE: if you use a customized hosts file to block certain sites, then this will overwrite all those entries as well and you will need to re-enter them.

    Then post a new HijackThis log so we can see the progress.
     
  5. Uppy

    Uppy Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    7
    OK, here:
    please post the following into the post. The above does not need to be! Thanks!



    The bad files found are:


    and the host file reader keeps crashing "Not responding"
    >.<
     
  6. Uppy

    Uppy Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    7
    Sorry about double posting. I have the problem with Hosts File Reader, and here's the new HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:04:48, on 29/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee\QuickClean\Plguni.exe
    C:\Program Files\AIM95\aim.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Nokia\PC Suite for Nokia N-Gage\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia N-Gage\ectaskscheduler.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mark Upcraft\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freednshost.info/page/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ntlworld.com/
    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (file missing)
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Global Startup: PCSuiteForNokiaN-Gage Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokiaN-Gage TS.lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\5253.exe
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.mindleaders.com/dpec/shared/cabs/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09c104c6b656a41c8d17/netzip/RdxIE601.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...com/opistat/activex/opinstall_en_4.1.0.18.cab
    O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.megadownloads.info/SysWebTelecom.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

    Thanks again for any help.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Uppy,

    Please download this to fix the start.chm hijack.

    http://tools.zerosrealm.com/startchmfix.exe

    Download it, run it and extract the folder, preferably to the desktop.

    Open the folder after it is extracted.

    Double-click fix.bat.

    Please make sure all Internet Explorers are closed.

    Only run it once or you will lose the backups although they shouldn't be needed.

    Notepad will open at the end with a message and the bad file listing at the end. Please post that bad file listing line here.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int139749.exe -auto

    O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\5253.exe

    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09c104c...ip/RdxIE601.cab

    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab

    O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.megadownloads.info/SysWebTelecom.cab

    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download...ller/dwnldr.cab

    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab

    Then reboot and delete:
    C:\Program Files\websx <= entire folder

    Please read: https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    Pieter
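
The helpers in this thread pick out the bad entries by eye. As an added example (editor's code, not from the thread, HijackThis, Hosts File Reader or startchmfix), here is a small Python triage script that applies the same checks to HijackThis-format lines: an O1 hosts block that sends many hostnames to one non-loopback IP, an IE start page served from a local .chm via mk:@MSITStore, R3/O2 hooks whose file is gone, and O16 ActiveX (DPF) objects sourced from file:// or a bare IP address. The sample log, GUIDs and addresses in it are constructed, not taken from the posted logs.

```python
"""Triage of HijackThis-style log lines for the hijack patterns in this thread.
Checks: many hostnames in the O1 hosts block pointing at one non-loopback IP,
an IE page served from a local .chm via mk:@MSITStore, R3/O2 hooks whose file
is gone, and O16 ActiveX (DPF) objects sourced from file:// or a bare IP.
The sample log, GUIDs and addresses below are constructed, not from the thread."""
import re
from collections import defaultdict

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample in HijackThis v1.97 line format (not a real scan).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.net/
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.search-one.example
O1 - Hosts: 192.0.2.10 www.search-two.example
O1 - Hosts: 192.0.2.10 www.search-three.example
O2 - BHO: NavErrRedir Class - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O16 - DPF: {00000000-0000-0000-0000-000000000003} - file://C:\Program Files\Internet Explorer\1234.exe
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Plugin Class) - http://192.0.2.53/plugin.cab
O16 - DPF: {00000000-0000-0000-0000-000000000005} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def hosts_clusters(lines, threshold=3):
    """Map each non-loopback IP to the hostnames the O1 entries send to it,
    keeping only IPs that collect at least `threshold` names: unrelated
    search sites all resolving to one address is the hosts-hijack signature."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m and m.group(1) not in LOOPBACK:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: names for ip, names in by_ip.items() if len(names) >= threshold}


def suspicious_entries(lines):
    """Return (line, reason) pairs for the non-hosts patterns the thread fixes."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith(("R0 -", "R1 -")) and "mk:@MSITStore:" in line:
            findings.append((line, "IE page served from a local .chm (start.chm hijack)"))
        elif line.startswith(("R3 -", "O2 -")) and line.endswith("(no file)"):
            findings.append((line, "hook/BHO registered but its file is gone (hijacker remnant)"))
        elif line.startswith("O16 -"):
            src = line.rsplit(" - ", 1)[-1]  # download source of the ActiveX object
            host = re.sub(r"^[a-z]+://", "", src).split("/")[0]
            if src.startswith("file://"):
                findings.append((line, "ActiveX object installed from a local file"))
            elif IPV4_RE.match(host):
                findings.append((line, "ActiveX object fetched from a bare IP address"))
    return findings


def triage(log_text):
    """Run both checks over a whole log and return (hosts_clusters, findings)."""
    lines = log_text.strip().splitlines()
    return hosts_clusters(lines), suspicious_entries(lines)


if __name__ == "__main__":
    clusters, findings = triage(SAMPLE_LOG)
    for ip, names in clusters.items():
        print(f"hosts hijack: {len(names)} hostnames -> {ip}: {', '.join(names)}")
    for line, reason in findings:
        print(f"{reason}:\n    {line}")
```

Entries that a legitimate product registers (the Spybot SDHelper BHO, the AVG Run key, the Macromedia Flash DPF) pass through untouched, which is the point of dvk01's "do NOT fix anything yet".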
     