Someone Please Help

#1
I somehow got infected with a ridiculous amount of spyware and its getting annoying. My homepage keeps getting hijacked and there's this stupid side find thing that keeps opening in every window. I deleted it but it keeps saying that the .dll file cannot be deleted so now, even though the button doesnt appear in my toolbars, it still keeps opening but it doesnt show anything. Can someone please help me? If i run Hijack This will someone take a look at the log for me? Thanks in advance for your help.
 

muzikool

Act your wage.
Political User
#7
Yeah it can, because limited processes are loaded when booting into Safe Mode. This can prevent the spyware from running while you scan and clean the system, which will make things easier and more effective.
 

muzikool

Act your wage.
Political User
#9
Sure thing. I can't say with absolute certainty that cleaning off spyware in Safe Mode will be 100% effective every time, but it's still the best option. :)
 

j79zlr

Glaanies script monkey
Political User
#10
Hi lostprophet, you've got a bit of things to clean, first download the latest version of HJT, http://www.majorgeeks.com/download3155.html and download CWShredder, http://www.majorgeeks.com/download4086.html

Go into Add/Remove Programs and uninstall WinTools.

First download this tool to fix the peper infection you have, http://downloads.subratam.org/PeperFix.exe Run it and reboot if it asks you to.

Run CWShredder, let it fix everything it finds. Then have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.do-jaja.com/search/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ls0.net/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\Program Files\IntBar\rundlg32.dll
F0 - system.ini: Shell=Explorer.exe monitor.exe
F1 - win.ini: run=C:\WINNT\inetdata\winlogon.exe
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINNT\msopt.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {690EC3C0-E676-45B2-9403-B18CFAAF0074} - C:\WINNT\System32\bck.dll
O2 - BHO: (no name) - {6AAF6229-B01D-2D90-8752-60550FA92F15} - C:\WINNT\System32\mldxr.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local

Settings\Temp\WYMJ4WpaW.dll (file missing)
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\winnt\sr.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\IntBar\rundlg32.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [38Z3MSR3DDD##A] C:\WINNT\System32\NipM9X44.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKCU\..\Run: [monitor] monitor.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O9 - Extra button: SideFind (HKLM)
O15 - Trusted Zone: *.iwantsearch.com
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} -

ms-its:mhtml:file://c:\nosuch.mht!http://69.50.179.54/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {11010101-1001-1111-1000-115676576811} -

ms-its:mhtml:file://c:\nosuch.mht!http://www.ustimerz.com/cm11111/var.chm::/var.exe
O16 - DPF: {11010101-1001-1111-1000-115676576822} -

ms-its:mhtml:file://c:\nosuch.mht!http://www.ustimerz.com/cm11112/var1.chm::/var1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111171} -

ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com/newhelp.chm::/newhelp.exe
O16 - DPF: {11311111-1111-1111-1111-11111121115F} - file://C:\Recycled\Q383302.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) -

http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://public.windupdates.com/get_f...2244d317f6ab2c86bff7585b7e883263ddf35912dd813

dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://access.babetv.co.uk/000001/us/enter/enter.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) -

http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.real.com/106abb0db27c23459105/netzip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50019/QDow_AS2.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) -

http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O19 - User stylesheet: C:\WINNT\color.css (file missing)

Now reboot into safemode, tap F8 at boot, and delete:

C:\Documents and Settings\All Users\Application Data\IEserver\ <--folder
C:\Documents and Settings\Administrator\Local Settings\Temp\ <--everything in this folder
C:\Program Files\Common Files\WinTools <--folder
C:\Program Files\IntBar\ <--folder
C:\Program Files\SEP\ <--folder
C:\Program Files\SideFind\ <--folder
C:\WINNT\inetdata\winlogon.exe <--file
C:\WINNT\system32\services\msxmidi.exe <--file
C:\WINNT\system32\monitor.exe <--file
c:\winnt\tour.reg <--file

Reboot normally, and post a new log. Please just post it, do not attach it.

Go to Windows Update, you NEED TO GET SP4 for Win2000, along with ALL CRITICAL UPDATES. I also do not see an Antivirus program running, but it could have been corrupted by your infection. If you do not have one, install AVG 6.0 Free, as the name says it is free, and very good. You must keep yourself updated.
 
#16
Logfile of HijackThis v1.98.2
Scan saved at 10:30:25 PM, on 8/17/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltcm000c.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\loadqm.exe
C:\WINNT\loadqm.exe
C:\documents and settings\administrator\local settings\temp\7.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\System32\rtifnet.exe
C:\WINNT\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\winnt\winserv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
C:\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\inetdata\winlogon.exe
O2 - BHO: (no name) - {6AAF6229-B01D-2D90-8752-60550FA92F15} - C:\WINNT\System32\mldxr.dll
O2 - BHO: (no name) - {8CA79A4D-9A99-46A7-BEE3-4555B3724620} - C:\WINNT\System32\gcc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [7] C:\documents and settings\administrator\local settings\temp\7.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [o23U36T] rtifnet.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winlogon] c:\winnt\winserv.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Filter: application/hta - {D962EF38-5FB0-4761-8638-C86F085E25E6} - C:\WINNT\mwshelp.dll
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINNT\mwshelp.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
O18 - Filter: text/plain - {ED8D9D23-E9D1-4014-A91F-49E4C9705C8E} - C:\WINNT\System32\gcc.dll
 
#17
yeah, but there are alot of downsides to having that much spyware and then removing it, not to mention all the other crap that has probably been on there at one point. The registry is probably bloated beyond belief, there's probably a bunch of crap left over from uninstalls that don't remove everything, etc, etc,
 

j79zlr

Glaanies script monkey
Political User
#18
OK, much cleaner than before but you have some new spyware.

Rerun CWShredder again, then have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\inetdata\winlogon.exe
O2 - BHO: (no name) - {6AAF6229-B01D-2D90-8752-60550FA92F15} - C:\WINNT\System32\mldxr.dll
O2 - BHO: (no name) - {8CA79A4D-9A99-46A7-BEE3-4555B3724620} - C:\WINNT\System32\gcc.dll
O4 - HKLM\..\Run: [7] C:\documents and settings\administrator\local settings\temp\7.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [o23U36T] rtifnet.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKCU\..\Run: [winlogon] c:\winnt\winserv.exe
O18 - Filter: application/hta - {D962EF38-5FB0-4761-8638-C86F085E25E6} - C:\WINNT\mwshelp.dll
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINNT\mwshelp.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
O18 - Filter: text/plain - {ED8D9D23-E9D1-4014-A91F-49E4C9705C8E} - C:\WINNT\System32\gcc.dll

Reboot into safemode and delete:

C:\documents and settings\administrator\local settings\temp\ <--everything in this folder
C:\Program Files\AutoUpdate\ <--folder
C:\Program Files\Common Files\Dpi\ <--folder
C:\WINNT\inetdata\winlogon.exe <--file
C:\WINNT\system32\pcs\ <--folder
C:\WINNT\system32\rtifnet.exe <--file
c:\winnt\winserv.exe <--file

Do yourself a favor, update Windows as I had previously suggested and download Firefox to use as a browser. Reboot and post a new log.
 
#19
Logfile of HijackThis v1.98.2
Scan saved at 8:36:53 AM, on 8/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
C:\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINNT\mwshelp.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
 

j79zlr

Glaanies script monkey
Political User
#20
OK, these aren't playing nice, boot into safemode first and delete:

C:\WINNT\httpfilter.dll <--file
C:\WINNT\mwshelp.dll <--file

Reboot and run CWShredder again and then have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINNT\mwshelp.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll

Reboot and post a new log.
 

Members online

No members online now.

Latest posts

Latest profile posts

Perris Calderon wrote on Electronic Punk's profile.
Ep, glad to see you come back and tidy up...did want to ask a one day favor, I want to enhance my resume , was hoping you could make me administrator for a day, if so, take me right off since I won't be here to do anything, and don't know the slightest about the board, but it would be nice putting "served administrator osnn", if can do, THANKS

Been running around Quora lately, luv it there https://tinyurl.com/ycpxl
Electronic Punk wrote on Perris Calderon's profile.
All good still mate?
Hello, is there anybody in there? Just nod if you can hear me ...
Xie
What a long strange trip it's been. =)

Forum statistics

Threads
61,971
Messages
673,300
Members
89,016
Latest member
Poseeut