HijackThis-Log - Problem with CoolWWWSearch.CameUp

Hi there,

this is my first visit here and already I am asking for your help.

It all started yesterday without any particular reason. My Startpage was altered to www.searchmeup.com/search.php?aid=1057. At first I was unable to change the settings since the option was blocked in IE. Before coming here I tried everything I knew, such as virusscans, spyware removers, hijack removers, registry scans, etc. I even tried to alter the registry myself, but everything I changed was gone after I restarted the computer or opened IE.

I have followed the steps described in this forum. I used AdAware and then HijackThis as advised (all with the latest versions). This is the log I received:

Logfile of HijackThis v1.97.7
Scan saved at 11:12:04, on 22.04.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMME\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\PROGRAMME\REGISTRY CLEAN EXPERT\RCSCHEDULER.EXE
C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAMME\INTERNETSHARE\ALL_ABOARD\STSWIN.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
F:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O1 - Hosts: 192.2.8.1 pc01
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMME\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAMME\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [RoboForm] "C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Programme\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: All_Aboard Status.lnk = C:\Programme\InterNetShare\All_Aboard\stswin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Ausfüllen &] - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Formulare speichern &[ - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Anpassen - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Info Frog (HKLM)
O9 - Extra 'Tools' menuitem: Info Frog (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Web Inspector (HKLM)
O9 - Extra 'Tools' menuitem: Web Inspector (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm Symbolleiste &2 (HKLM)
O9 - Extra button: Ausfüllen (HKLM)
O9 - Extra 'Tools' menuitem: Ausfüllen &] (HKLM)
O9 - Extra button: Speichern (HKLM)
O9 - Extra 'Tools' menuitem: Formulare speichern &[ (HKLM)
O9 - Extra button: PicGrab (HKCU)
O9 - Extra 'Tools' menuitem: &PicGrab starten (HKCU)
O9 - Extra button: LinkDesktop (HKCU)
O9 - Extra 'Tools' menuitem: &LinkDesktop starten (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.9974305556
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://www.clubphoto.com/_img/uploader/atl_uploader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.2.8.5,192.2.8.100,192.2.8.2

I hope you can help me although parts of the log are in German.

Thanks in advance,

Maurice

 

Hello

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from http://www.spywareinfoforum.com/downloads/tools/CWShredder.exe and run the Program. Press the "Fix Button" Let it fix all variants. Next, Close the program and Post a Fresh HijackThis log.

Also, Hijackthis makes backups when it fixes items. You may want to create a folder to put Hijackthis into or there may be backup files scattered across you F drive or partition.

Click My Computer, then F:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have F:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

 

Hi Nick,

thanks for your fast reply.

Regarding the F: disc that is OK. I only use it for testing. So there is practically nothing on it. But thanks anyhow.

I installed and ran the CWShredder yet it didn't do much. It only restored 9 infected internet explorer pages.

Well here is the new logfile:

Logfile of HijackThis v1.97.7
Scan saved at 11:59:55, on 22.04.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMME\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\PROGRAMME\REGISTRY CLEAN EXPERT\RCSCHEDULER.EXE
C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAMME\INTERNETSHARE\ALL_ABOARD\STSWIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
F:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O1 - Hosts: 192.2.8.1 pc01
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMME\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAMME\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [RoboForm] "C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Programme\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: All_Aboard Status.lnk = C:\Programme\InterNetShare\All_Aboard\stswin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Ausfüllen &] - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Formulare speichern &[ - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Anpassen - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Info Frog (HKLM)
O9 - Extra 'Tools' menuitem: Info Frog (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Web Inspector (HKLM)
O9 - Extra 'Tools' menuitem: Web Inspector (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm Symbolleiste &2 (HKLM)
O9 - Extra button: Ausfüllen (HKLM)
O9 - Extra 'Tools' menuitem: Ausfüllen &] (HKLM)
O9 - Extra button: Speichern (HKLM)
O9 - Extra 'Tools' menuitem: Formulare speichern &[ (HKLM)
O9 - Extra button: PicGrab (HKCU)
O9 - Extra 'Tools' menuitem: &PicGrab starten (HKCU)
O9 - Extra button: LinkDesktop (HKCU)
O9 - Extra 'Tools' menuitem: &LinkDesktop starten (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.9974305556
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://www.clubphoto.com/_img/uploader/atl_uploader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.2.8.5,192.2.8.100,192.2.8.2

Thanks once more,

Maurice

 

Hi dlb51,

I sent you a PM with my emailaddress.
Could you please mail me a copie of:
C:\WINDOWS\wininet32.exe

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAMME\SPYHUNTER\SPYHUNTER.exe

O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

Then reboot and read:
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.allight.html for additional removal instructions.

Be carefull with SpyHunter. It is known for its many false positives.

Regards,

Pieter

 

Hi Pieter,

I installed SpyHunter today as a last call for help.

I will uninstall it right away.

The thing Nich suggested worked partially. As soon as I try to open any of the following pages, CWS is back and my start page is changed again:

www.hotmail.com
www.google.com
www.google.de
www.vivisimo.com

At least these I tried. Some other pages it opened but with some difficulties. I mean I needed to open the pages twice to get them on my screen. But after that they work without any problems.

I will email you the requested file and run HijackThis as indicated by you.

Thanks,

Maurice

 

And another new log:

Logfile of HijackThis v1.97.7
Scan saved at 12:31:34, on 22.04.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMME\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\PROGRAMME\REGISTRY CLEAN EXPERT\RCSCHEDULER.EXE
C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAMME\INTERNETSHARE\ALL_ABOARD\STSWIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
F:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O1 - Hosts: 192.2.8.1 pc01
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMME\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMME\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [RoboForm] "C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Programme\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: All_Aboard Status.lnk = C:\Programme\InterNetShare\All_Aboard\stswin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Ausfüllen &] - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Formulare speichern &[ - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Anpassen - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Info Frog (HKLM)
O9 - Extra 'Tools' menuitem: Info Frog (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Web Inspector (HKLM)
O9 - Extra 'Tools' menuitem: Web Inspector (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm Symbolleiste &2 (HKLM)
O9 - Extra button: Ausfüllen (HKLM)
O9 - Extra 'Tools' menuitem: Ausfüllen &] (HKLM)
O9 - Extra button: Speichern (HKLM)
O9 - Extra 'Tools' menuitem: Formulare speichern &[ (HKLM)
O9 - Extra button: PicGrab (HKCU)
O9 - Extra 'Tools' menuitem: &PicGrab starten (HKCU)
O9 - Extra button: LinkDesktop (HKCU)
O9 - Extra 'Tools' menuitem: &LinkDesktop starten (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.9974305556
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://www.clubphoto.com/_img/uploader/atl_uploader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.2.8.5,192.2.8.100,192.2.8.2


Pieter I haven't received your Email yet. Please check the address again:
dlb51(=>)gmx.de

Replace the "(=>)" by "@".

You might be on the right track regarding the "wininet32.exe" file. It is dated 21.04.04, the day my troubled started!

Thanks,

Maurice

 

Hi Maurice,

Your log is clean now. Check your Private Messages. The link is at the top right corner of this site.

Regards,

Pieter

 

Hi Pieter,

ah, OK that is where I was to look. As I said I am new to this.
The file will be emailed in a second.

Thanks for the help. I will check the other computer to see whether there are still problems.

Best regards,

Maurice

 

I would like to say thank you to all of you. With the help of Pieter and dvk01 I managed to get my computer clean and running again! I will use the programms AdAware and HijackThis along with my virusscanner more frequently now.

Thank you very much and have a nice day,

Maurice

 

Great job all. I'm glad not all the new variants are equally hard to cure.

Regards,

Pieter