hijackThis.log Please Help !

Discussion in 'adware, spyware & hijack cleaning' started by kamran4149, Apr 12, 2004.

Thread Status:
Not open for further replies.
  1. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    Hi everybody.

    I had spyware Nucker on my system to get rid of the spywares and adwares. I ran it but I still have problems with my Internet Explorer. Whenever I open a new window it says: "detected Spyware! System Error # 384." Also, in the address bar I have this message: "C:\WINDOWS\secure.html."


    I downloaded and ran hijachThis as the last chance to fix my system problems. Here is the Log file:

    Please help me what I need to do now?

    Thank you.
    Kamran
    California , USA


    Logfile of HijackThis v1.97.7
    Scan saved at 11:26:10 AM, on 4/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\vhpekkph.exe
    C:\windows\msbb.exe
    C:\PROGRA~1\ThisBase\window 2 ooze.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\reg33.exe
    C:\Program Files\Date Manager\DateManager.exe
    D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\PrecisionTime\PrecisionTime.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    D:\Internet cool Downloads\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 4 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nativehardcore.com/main/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\DNSErr.dll
    O2 - BHO: (no name) - {30EC79AB-6A00-348D-7B9C-4943C2B28E27} - C:\PROGRA~1\GRIDSA~1\traypart.dll
    O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Owner\Application Data\winlink\winlink.dll
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll
    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [klrivuin] C:\WINDOWS\vhpekkph.exe
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKLM\..\Run: [msbb] C:\windows\msbb.exe
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [DKRYFP] C:\WINDOWS\DKRYFP.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [SafeSurfingEXE] C:\Program Files\SafeSurfing\SafeSurfing.exe
    O4 - HKLM\..\Run: [Mp3Okay] C:\PROGRA~1\ThisBase\window 2 ooze.exe
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\royxdhnz.exe
    O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [iedll] C:\Program Files\Windows Media Player\iedll.exe
    O4 - HKCU\..\Run: [loader] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - Startup: Common Programs.lnk = ?
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\2.txt
    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Programs\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: winlogon.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {8FABFC3E-691B-FD4F-2FDC-BBBF3F5AAACA} (DownloadUL Class) - http://public.searchbarcash.com/cab/032/zlsjrvdi.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37916.4089467593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD9549-0C9A-476B-BFF8-5E3CF04F67A1}: NameServer = 151.164.1.8,151.164.1.7
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First download CWshredder from http://www.thespykiller.co.uk then Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

    Now as CWS installs via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then reboot &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R288 12.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
  3. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    I did everything you said and it looks a lot better. At least I got rid of that annoying message. Thank you for your help dvk01. I ran hijackThis again and here is the log:

    Please tell me if I need to do furthur action.


    Logfile of HijackThis v1.97.7
    Scan saved at 4:24:02 PM, on 4/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ThisBase\window 2 ooze.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\svchost.exe
    D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Internet cool Downloads\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 5 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {30EC79AB-6A00-348D-7B9C-4943C2B28E27} - C:\PROGRA~1\GRIDSA~1\1axis.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O3 - Toolbar: ProxyHopeKnob - {AAC7F640-926D-63C8-4F04-6CCF41CC7CA4} - C:\PROGRA~1\GRIDSA~1\1axis.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [klrivuin] C:\WINDOWS\vhpekkph.exe
    O4 - HKLM\..\Run: [DKRYFP] C:\WINDOWS\DKRYFP.exe
    O4 - HKLM\..\Run: [Mp3Okay] C:\PROGRA~1\ThisBase\window 2 ooze.exe
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Common Programs.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Programs\Microsoft Office\Office\1033\OLFSNT40.EXE
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37916.4089467593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD9549-0C9A-476B-BFF8-5E3CF04F67A1}: NameServer = 151.164.1.8,151.164.1.7
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi kamran4149,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode, and zip the following file and e-mail it to Pieter at the address in his profile. Please include a link to this thread.

    C:\PROGRA~1\GRIDSA~1\1axis.dll

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

    O2 - BHO: (no name) - {30EC79AB-6A00-348D-7B9C-4943C2B28E27} - C:\PROGRA~1\GRIDSA~1\1axis.dll <-- Remove ONLY if you do not know what it is.

    O3 - Toolbar: ProxyHopeKnob - {AAC7F640-926D-63C8-4F04-6CCF41CC7CA4} - C:\PROGRA~1\GRIDSA~1\1axis.dll <-- Remove ONLY if you do not know what it is.

    O4 - HKLM\..\Run: [klrivuin] C:\WINDOWS\vhpekkph.exe
    O4 - HKLM\..\Run: [DKRYFP] C:\WINDOWS\DKRYFP.exe
    O4 - HKLM\..\Run: [Mp3Okay] C:\PROGRA~1\ThisBase\window 2 ooze.exe
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe

    Now delete the following:

    C:\WINDOWS\secure.html
    C:\WINDOWS\vhpekkph.exe
    C:\WINDOWS\DKRYFP.exe
    C:\PROGRA~1\ThisBase\window 2 ooze.exe
    c:\WINDOWS\System32\zzb.exe
    C:\WINDOWS\svchost.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  5. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    Thank you kent for your advice. Here is the new hijackThis log. Please tell me if I need to do furthur action, or if my log looks clean. At this time everything with my internet explorer looks good. No redirection, no pop ups, so far so good. Tell me your opinion about the log.


    Logfile of HijackThis v1.97.7
    Scan saved at 9:19:26 PM, on 4/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\PROGRA~1\ThisBase\window 2 ooze.exe
    D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 8 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Mp3Okay] C:\PROGRA~1\ThisBase\window 2 ooze.exe
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Common Programs.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Programs\Microsoft Office\Office\1033\OLFSNT40.EXE
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37916.4089467593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD9549-0C9A-476B-BFF8-5E3CF04F67A1}: NameServer = 151.164.1.8,151.164.1.7
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    a couple more to fix
    the file that Kent asked you to send is a LOP hijacker

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    O4 - HKLM\..\Run: [Mp3Okay] C:\PROGRA~1\ThisBase\window 2 ooze.exe
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\svchost.exe <<<< NOTE BE CAREFUL & ONLY DELETE THIS ONE NOT ANY SVCHOST IN SYSTEM32>>>>>>>>>


    and Delete these folders
    C:\PROGRAM FILES\ThisBase\
    C:\PROGRAM FILES \GRIDSA~1\


    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R289 13.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    and please rerun cwshredder, but make sure it is the latest update which at the moment is 1.56.2 to make sure the cws hijack has completely gone (hopefully)

    then post a new hijackthis log to check what is left
     
  7. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    Here is the new log. By the way, how can I zip the file (LOP hijacker) that Kent asked? Please tell me the procedure again for that file since I couldn't understand what kent said at the first time.

    Also one more thing, when I open the internet explorer this morning again this address was on my default address : http://69.50.191.51/hp.php

    The new log is:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:10:36 AM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Internet cool Downloads\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 9 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Mp3Okay] C:\PROGRA~1\ThisBase\window 2 ooze.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Common Programs.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Programs\Microsoft Office\Office\1033\OLFSNT40.EXE
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37916.4089467593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD9549-0C9A-476B-BFF8-5E3CF04F67A1}: NameServer = 151.164.1.8,151.164.1.7
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Don't wory about sending the files

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
    O4 - HKLM\..\Run: [Mp3Okay] C:\PROGRA~1\ThisBase\window 2 ooze.exe

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    and Delete these folders

    C:\PROGRAM FILES\ThisBase
    C:\PROGRAM FILES \GRIDSA~1\>>>> I don't know the full name of this folder but it is the one that starts with grids & will have various other letters or numbers after it


    then
    Reboot normally & post a new log
     
  9. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    Here is the new log. Is it clean or still infected? The problem with that autosearch 69.50.191.51 redirection went away after I fixed them from hijackThis log. Thank you dvk01.


    New log:


    Logfile of HijackThis v1.97.7
    Scan saved at 10:25:40 AM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Internet cool Downloads\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 13 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Common Programs.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Programs\Microsoft Office\Office\1033\OLFSNT40.EXE
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37916.4089467593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD9549-0C9A-476B-BFF8-5E3CF04F67A1}: NameServer = 151.164.1.8,151.164.1.7
     
  10. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    Hey I don't know why, but when I restart the computer, again those logs (69.50.191.51) are in the log file and again the explorer redirects me. I cannot delete them !! Is there any way that I can permanently get rid of them. Before I reboot everything is fine. but after reboot again they appear. also this svchost.exe I cannot delete it. After I reboot, again it is there !!!
    I'm getting crazy.


    Logfile of HijackThis v1.97.7
    Scan saved at 10:35:35 AM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\svchost.exe
    D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Internet cool Downloads\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 13 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Common Programs.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Programs\Microsoft Office\Office\1033\OLFSNT40.EXE
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37916.4089467593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD9549-0C9A-476B-BFF8-5E3CF04F67A1}: NameServer = 151.164.1.8,151.164.1.7
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    before we go any further you must put hijackthis into it's own folder
    not a temporary folder. so any backups it makes are available.
    Now
    you have been re infected by this again
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe

    I think it must be one of the worms that use the rpc exploit in unpatched versions of windows most probably one of the Agobot worms/viruses

    you need to do several things
    Now I don't see any running antivirus, that is a bit like standing in downtown Baghdad stark naked with a bulls eye on your chest waving an American Flag. Definitely not recommended

    Download and install & run an antivirus immediately

    lists here
    http://www.wilders.org/anti_viruses.htm

    one free one that many users of this forum use successfully is
    AVG from http://www.grisoft.com/us/us_dwnl_free.php
    and run a full system scan
    and install a firewall
    http://www.wilders.org/firewalls.htm

    it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    once all that is done post a new log and we can try and clean up anything still left
     
  12. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    Yesterday, I installed AVG antivirus and ran it on my system. It found 34 Viruses !! After I cleaned the system from the viruses, I rebooted the system and installed the Zoomalert firewall (freeware) on my system. Again reboot; then I updated my windows XP and then rebooted. After that I ran CWShredder again, restart, ran Spybot, reboot, ran Adaware, and reboot. Each program found and removed some files.

    Then I ran hijackThis and fixed those files that we talked about (autosearch and related stuff plus

    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe

    then I restart in the safe mode and delete this file:C:\WINDOWS\svchost.exe

    then I restart in the normal mood. Everything looked fine yesterday. I waited for one day to see if anything changes again before I post a new log. Nothing has changed since yesterday and my system works fine so far. Here is the new log that I just created by hijackThis:

    Oh before looking at the log my only concern at the moment is that once in a while a message will pop up on the screen alerting me about a virus. Here is the message:
    **
    Trojan horse Downloader. stubby. A

    C:\System Volume Information\_restore{EE37CDD4-EDA1-498B ........ .exe

    To remove this virus , please run AVG for windows.

    **

    But when I manually run the AVG it cannot find any virus on the system. Does the "AVG for windows" that the message tells me to run different than the AVG whose link is in the previous message by vdk01 ?



    Here is the jog by hijackThis:


    Logfile of HijackThis v1.97.7
    Scan saved at 8:20:52 AM, on 4/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Internet cool Downloads\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Documents and Settings\Owner\Desktop\hijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Common Programs.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Programs\Microsoft Office\Office\1033\OLFSNT40.EXE
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37916.4089467593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD9549-0C9A-476B-BFF8-5E3CF04F67A1}: NameServer = 151.164.1.8,151.164.1.7
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    that file is in the system restore folder where NO antivirus can fix it so please do this:

    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 for Xp

    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.
    then run a full av sacn and I'm positive all signs of the infection will have gone
     
  14. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    Thank you dvk01 for your valuable help. I did all you suggested for system restore and it worked. All signs of virus infection are gone. Currently I have no problem with my system. I also installed SpywareBlaster and IE-SPAD for more security. But, sometimes (not at the moment), I get re-infected by these. I just wanted to make sure if this is normal or I have to do something about it.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.51/hp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.51/hp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.51/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://autosearch.cc/search.php?qq=

    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe

    Is it because my computer is not secure enough? I also have Zoomalert Firewall and AVG antivirus running on my system.

    Please check this hjt log to see if it helps (This is the one I just printed out a couple of min ago):


    Logfile of HijackThis v1.97.7
    Scan saved at 9:15:02 AM, on 4/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\Internet cool Downloads\Yahoo!\Messenger\ymsgr_tray.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\hijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programs\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] D:\Internet cool Downloads\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Common Programs.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Programs\Microsoft Office\Office\1033\OLFSNT40.EXE
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37916.4089467593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CD9549-0C9A-476B-BFF8-5E3CF04F67A1}: NameServer = 151.164.1.8,151.164.1.7
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    these hijackers thatb keep coming back are a new one that is prob=ving very difficult to completely cure at the moment. Several experts are working on a simple cure but it is proving difficult

    please do this so we can check something

    Download this zip: http://www.zero.vulc4n.com/downloads/pv.zip, unzip it to the desktop.
    Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.
    Notepad will open with a log in it

    copy & paste that log back here please
     
  16. anonymous

    anonymous Guest

    Hi guys,
     
  17. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    Thank you dvk01 for all your support. I got my answer about this annoying log that keeps comming back. I guess I just have to deal with it until somebody find a cure for them. About that zip file, I downloaded it, but for some reason my notepad doesn't work. Something wrong with it I guess. When I run the runme.bat, it doesn't open the notepad. Nothing happens. Anyway, I got my answer and I really appreciate your help with the spywares, adwares, and viruses problems on my system. It works 100 % better than when I posted the first log.

    Thank you.
    Kamran
     
  18. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    they have changed the runme.bat now and I am used to the older version taht did it automatically

    sorry

    double click on the runme.bat and select option 2 (internet explorer dll)and press return that will make a text file in notepad for you then copy & paste that info in a reply please
     
  19. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    I ran runme.BAT and selected option 2 (Internet Explorer's DLLs). It did open Notepad, but there was nothing written inside the notepad. It was empty ! Is it normal? Or there is something wrong with my internet explorer?

    Thank you,
    Kamran
     
  20. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    did you have internet explorer open when you ran it

    you need to have it open
     
  21. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    yes, it is open. I did it one more time with the open IE, but still it shows me a notepad with nothing written inside. Is there anything wrong with my IE?
     
  22. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    There is something wrong somewhere

    I am going to asl someone else to have a look and see what they think
     
  23. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    thank you.


     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Could you download far explorer from here:

    http://www.rarlab.com/far/Far1705.exe

    Install it.

    Load up far and go to the right pane of FAR and double click iexplore.exe.txt
    A files should open in notepad.
    Please post the contents here.

    Regards,

    Pieter
     
  25. kamran4149

    kamran4149 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    18
    when I load up FAR, the directory that it shows is C:\Program Files\FAR. I cannot find iexplore.exe.txt in that directory. How can I use search to find that file, or in which directory should I look for iexplore.exe.txt?

    thank you.
    Kamran
     
Thread Status:
Not open for further replies.