registry changes - spyware removal (merged)

Discussion in 'adware, spyware & hijack cleaning' started by Cheddar, May 31, 2004.

Thread Status:
Not open for further replies.
  1. Cheddar

    Cheddar Registered Member

    Joined:
    May 31, 2004
    Posts:
    6
    registry changes

    Hi,
    I'm not exactly sure the problem of this but everytime i run a spyware blaster it keeps detecting same resgistry changes but they keep comming back. It changes things for my internet so i have to type in http:// to go anywhere. The value of the change is "http=" if that helps. Also my homepage is about:blank and thats the same but it has a site "Search for..". sorry this is kind of vague but if anyone has any possible fixes I will be greatful.

    Thanks
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
  3. Cheddar

    Cheddar Registered Member

    Joined:
    May 31, 2004
    Posts:
    6
    spyware removal help

    Hi,I keep getting popups saying I have spyware on my computer... Also my homepage is set to about:blank which it doesnt change but it come up as about:blank being a "search for.." website. I have to type http:// to go anywhereo n the web or it says cannot find site.. Everytime I run a spyware destroyer it finds stuff but always the same stuff comes back.. I ran spybot S&D and heres my log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - (no file)
    O2 - BHO: (no name) - {3604374D-1E46-4C0F-AF67-7AD9CF39582B} - C:\WINDOWS\System32\opjm.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .m1v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

    Thanks in advance for the help
    Cheddar
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Cheddar,

    I have merged your two posts together. Please do not start a new thread for the same problem, but stay in this current thread until your system is cleaned.

    We will also need the top portion of your hijackthis log where it indicates the scan time, your operating system, version of IE used, etc. Thank you.

    Regards,

    snap
     
  5. Cheddar

    Cheddar Registered Member

    Joined:
    May 31, 2004
    Posts:
    6
    Hey, sorry this is my new log.. and if it helps for some reason ad-watch is working again before everytime it would detect a bad process and freeze but im still getting pop-ups and everything else is same... like i said before I used Spybot S&D.. So heres new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:50:31 PM, on 6/4/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - (no file)
    O2 - BHO: (no name) - {3604374D-1E46-4C0F-AF67-7AD9CF39582B} - C:\WINDOWS\System32\opjm.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .m1v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

    Thanks
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Cheddar,

    First off, update Windows and IE.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\opjm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - (no file)
    O2 - BHO: (no name) - {3604374D-1E46-4C0F-AF67-7AD9CF39582B} - C:\WINDOWS\System32\opjm.dll

    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - (no file)

    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:

    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

    Then download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.


    Then reboot and download http://tools.zerosrealm.com/dllfix.exe

    Doubleclick it and install in folder of choice on the root drive, in your case C:\

    Run start.bat and press option 1. 'output.txt' will be created in the folder

    Please post that report.

    Regards,

    Pieter
     
  7. Cheddar

    Cheddar Registered Member

    Joined:
    May 31, 2004
    Posts:
    6
    Wow, thanks everything seems to be working normal now :).. Can I delete the stuff that the programs put in my recycling bin its like some websites, editpad.exe, mtwcnl.dll, mshelper.dll, mtwirl.dll, svchost.old, and some reg entries.. Also what about the backups that hijackthis put in my program files folder.. Then heres my output.txt log:

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Sat 06/05/2004
    11:00 AM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "Brandon" (CC4E:9AFE) - FS:NTFS clusters:512
    Total: 30 014 013 952 [28G] - Free: 17 587 445 760 [16G]


    *IE version and Service packs:
    6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4477 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings



    Locked or 'Suspect' file(s) found...


    Scanning for main Hijacker:


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    Thanks for all your help.. Later today if you will check this thread for my other computers log from hijackthis and tell me what to delete would be much appreciated but thanks again!
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Your log is clean. The files you listed look like a nice start for a CWS collection.
    They are harmless in your bin. Leave them there for a week or so, so you are sure nothing you need is in there with the bad guys.

    Regards,

    Pieter
     
  9. Cheddar

    Cheddar Registered Member

    Joined:
    May 31, 2004
    Posts:
    6
    Alright Thanks a lot Pieter... If you dont mind heres my other computer.. I took the liberty of running hijack this and cws shreddar I already deleted some of the things I knew where bad from hijackthis so it might look kind of clean.. Problems with this computer is kind of same except I have a bunch of crazy processes running like "inetinfo" and some others I dont remember but I end them everytime i start my computer but I sometimes have to end them 2 or 3 times a time I'm on.. They slow down my computer like crazy.. I think thats all the problems.. Also when I ran cwsshredder it said that a file "SAHUninstall" in c:\windows could be a bad file so I left it on there just incase it was good. Well heres my hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:31:08 PM, on 6/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\windows\system32\drivers\dcfssvc.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\windows\explorer.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\windows\umaxuapi.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
    O2 - BHO: (no name) - {c31da7e6-37de-42b2-93f4-726274978da9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKCU\..\Run: [umaxuapi] C:\windows\umaxuapi.exe
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\Broderbund\The Print Shop Photo Pro\Temp\MGI00000.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt501/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38093.7397916667
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4_0_2_10.cab

    Thanks again
    I deleted 20 things from this computer already with hijackthis that had coolsearchpage in them if thats any help...
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Cheddar,


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)

    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
    O2 - BHO: (no name) - {c31da7e6-37de-42b2-93f4-726274978da9} - (no file)

    O4 - HKCU\..\Run: [umaxuapi] C:\windows\umaxuapi.exe

    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Could you mail C:\windows\umaxuapi.exe to the address in my profile, preferably zipped up.

    SAHUninstall is probably ShopAtHome (spyware, but the uninstaller works and is harmless by itself)

    Regards,

    Pieter
     
  11. Cheddar

    Cheddar Registered Member

    Joined:
    May 31, 2004
    Posts:
    6
    Hey Pieter, I'm sorry I can't send that file aol wont let me send files with viruses in them.. Thanks again for your help. I'll keep the zipped file on my computer for a little if you know another way I can get it to you..
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Can you upload it here:
    http://www.kaspersky.com/scanforvirus.html
    Maybe it's a known one.

    Regards,

    Pieter
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Give password-protect a try - and make sure you do name the password in your email to Pieter ;)

    regards.

    paul
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    AOL won't let you send ANY exe files at all or any type of file that can potentially carry a virus, whether it is infected or not and that includes all zip files whether passworded or not

    the way around it is to zip up the file, rename it, by right clicking the zip file and selecting rename, you will get a message warning that the file will not be able to be run when renamed, just press OK
    rename it from from abcdef.zip to abcdef.txt and aol will then accept it.

    make sure you tell Pieter it's a zip file renamed to txt
     
Thread Status:
Not open for further replies.