Random "Favorites" additions

Discussion in 'adware, spyware & hijack cleaning' started by mealticket, Feb 16, 2004.

Thread Status:
Not open for further replies.
  1. mealticket

    mealticket Guest

    My problem began several weeks ago when I lost the ability to use Internet Explorer due to a problem associated with a file called accompat.txt. Once that problem was fixed (I don't remember what free download I used), I began having problems with pornography invading my browser, then MSN Explorer, which I used while troubleshooting IE. I have scanned my computer using Spy Sweeper, SpyBot, and HiJack This! Each time, several files are listed. I had initially tried to delete anything that looked like an internet address, but my problems persist. My computer's function has been restored to good working order, but the remnant of those renegade "Favorites" is still there. It makes it look like I surf the 'net for porn! :mad:
    I have cable internet, which is obviously connected all of the time. And this is about when my problems began... I had been on dial-up prior to this problem. I doubt that that has anything to do with it, but it is another piece of the puzzle.
    Any help that you can give me to make this demon be gone will be greatly appreciated. Thanks in advance!!!
    The following is what was found by HijackThis:
    Logfile of HijackThis v1.97.7
    Scan saved at 4:06:51 PM, on 2/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
    C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\windows\redirect5.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freshvideogals.com/search/small.html
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [redirect] C:\windows\redirect5.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [orouw2fd2x] C:\WINDOWS\z2n4t5a8i1.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O19 - User stylesheet: C:\WINDOWS\sample.txt
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mealticket,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freshvideogals.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freshvideogals.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freshvideogals.com/search/small.html

    O4 - HKLM\..\Run: [redirect] C:\windows\redirect5.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta

    O4 - HKCU\..\Run: [orouw2fd2x] C:\WINDOWS\z2n4t5a8i1.exe

    O19 - User stylesheet: C:\WINDOWS\sample.txt

    Then download, unzip and run:
    CWShredder

    Then reboot and delete:
    C:\WINDOWS\z2n4t5a8i1.exe
    C:\WINDOWS\sample.txt
    if they survived.

    Regards,

    Pieter
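
An added triage example, not part of the original posts and not HijackThis's own logic: it parses HijackThis entries and flags the kinds of lines selected for fixing above. The trusted-host list and the three rules (non-default IE search/start hosts, autostarts launched from the Windows root or as `.hta`, any O19 stylesheet override) are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freshvideogals.com/search/small.html
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [redirect] C:\windows\redirect5.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKCU\..\Run: [orouw2fd2x] C:\WINDOWS\z2n4t5a8i1.exe
O19 - User stylesheet: C:\WINDOWS\sample.txt
"""

# Assumption: hosts accepted as normal IE search/start page defaults.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")  # "<section code> - <body>"

def triage(log):
    """Return (section, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname or ""
            trusted = any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)
            if host and not trusted:
                findings.append((code, "IE search/start page points at " + host))
        elif code == "O4" and "] " in body:
            cmd = body.split("] ", 1)[1].strip().strip('"').lower()
            # Genuine svchost.exe lives in System32; an .exe run straight from
            # the Windows root is a common masquerading location.
            if re.match(r"c:\\windows\\[^\\]+\.exe", cmd):
                findings.append((code, "autostart from Windows root: " + cmd))
            elif re.search(r"\.hta\b", cmd):
                findings.append((code, "HTML Application autostart: " + cmd))
        elif code == "O19":
            findings.append((code, "user stylesheet override: " + body.split(": ", 1)[1]))
    return findings

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```

These rules do not catch the `load shell.dll /c /set` Run entry that is also on the fix list above, so the output narrows a manual review rather than replacing it.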
     
  3. Mealticket

    Mealticket Guest

    Thank you very much for your help, Pieter. My problem seems to have been eradicated :D
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Glad we could help. :)

    Pieter
     