Options
Homepage Hijacked and dialler popup
Hi My home page has been changed to Cool web search, when I go into internet options to change it, it changes back to Cool web search.
I'm also getting 'trusted sites' with a green tick bottom right of my browser, im sure I've never had that before.
When I restart my computer I get a small popup that says: 'cant prepare plugin', then an 'OK' button, I press ctrl alt delete and there's a 125029 task running that I end, which is the popup, that's all connected with the home page problem i think.
I also have a dialler pop up that disconnects my connection and I have to restart to reconnect.
I have tried to use Adaware but when it gets up to the stage of Performing conditional scan it seems to stop working, it's not freezing (when I press ctrl alt delete, it doesn't say not responding) I've left it running at this point for an hour but the progress bar didn't budge. I've re-ran it a few times and reinstalled it but it always seems to stop in the same place.
here is my HJT log:
thanks for any help in advance
Logfile of HijackThis v1.97.2
Scan saved at 6:28:30 p.m., on 5/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE
C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\WINDOWS ADTOOLS\WINRATCHET.EXE
C:\WINDOWS\SYSINFO.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\APPLICATION DATA\ABIM.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\COMPUTER\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\SYSTEM\SIFAN.DLL
O2 - BHO: (no name) - {8BFA77C6-1188-E395-FAEB-B996C60B80C2} - C:\WINDOWS\SYSTEM\YOYOOEV.DLL
O2 - BHO: (no name) - {CBEFB350-ED5B-4115-B846-C1041676B388} - C:\WINDOWS\SYSTEM\CUSTIE32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT113777.EXE -auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MSOffice] C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Lepa] C:\WINDOWS\Application Data\abim.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global User Startupregscan32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.10/dl/101/NZ175_134.exe
O16 - DPF: {07D86975-6841-7E6D-67EC-4327517BED9B} - http://82.179.166.72/1/gdnAU208.exe
O16 - DPF: {07EC93F5-B503-5FDD-1B27-18FC45C0C6F4} - http://82.179.166.72/1/gdnAU208.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
I'm also getting 'trusted sites' with a green tick bottom right of my browser, im sure I've never had that before.
When I restart my computer I get a small popup that says: 'cant prepare plugin', then an 'OK' button, I press ctrl alt delete and there's a 125029 task running that I end, which is the popup, that's all connected with the home page problem i think.
I also have a dialler pop up that disconnects my connection and I have to restart to reconnect.
I have tried to use Adaware but when it gets up to the stage of Performing conditional scan it seems to stop working, it's not freezing (when I press ctrl alt delete, it doesn't say not responding) I've left it running at this point for an hour but the progress bar didn't budge. I've re-ran it a few times and reinstalled it but it always seems to stop in the same place.
here is my HJT log:
thanks for any help in advance
Logfile of HijackThis v1.97.2
Scan saved at 6:28:30 p.m., on 5/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE
C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\WINDOWS ADTOOLS\WINRATCHET.EXE
C:\WINDOWS\SYSINFO.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\APPLICATION DATA\ABIM.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\COMPUTER\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\SYSTEM\SIFAN.DLL
O2 - BHO: (no name) - {8BFA77C6-1188-E395-FAEB-B996C60B80C2} - C:\WINDOWS\SYSTEM\YOYOOEV.DLL
O2 - BHO: (no name) - {CBEFB350-ED5B-4115-B846-C1041676B388} - C:\WINDOWS\SYSTEM\CUSTIE32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT113777.EXE -auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MSOffice] C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Lepa] C:\WINDOWS\Application Data\abim.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global User Startupregscan32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.10/dl/101/NZ175_134.exe
O16 - DPF: {07D86975-6841-7E6D-67EC-4327517BED9B} - http://82.179.166.72/1/gdnAU208.exe
O16 - DPF: {07EC93F5-B503-5FDD-1B27-18FC45C0C6F4} - http://82.179.166.72/1/gdnAU208.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
0
Comments
Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including Internet Explorer, before running CWShredder. Reboot.
To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\SYSTEM\SIFAN.DLL
O2 - BHO: (no name) - {8BFA77C6-1188-E395-FAEB-B996C60B80C2} - C:\WINDOWS\SYSTEM\YOYOOEV.DLL
O2 - BHO: (no name) - {CBEFB350-ED5B-4115-B846-C1041676B388} - C:\WINDOWS\SYSTEM\CUSTIE32.DLL
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT113777.EXE -auto
O4 - HKLM\..\Run: [MSOffice] C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Lepa] C:\WINDOWS\Application Data\abim.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
Boot into safe mode by tapping f8 whilst starting PC and delete these;
C:\PROGRAM FILES\WEBSX< folder
C:\PROGRAM FILES\WINDOWS ADTOOLS< folder
C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE< file
C:\WINDOWS\sysinfo.exe< file
C:\WINDOWS\SYSTEM\systime.exe< file
C:\WINDOWS\Application Data\abim.exe< file
Have hidden files/folders set to show first.
Reboot after doing this & post another log please.
Not sure about the following file *Startupregscan32.exe* so go to http://www.kaspersky.com/remoteviruschk.html and have it scanned.
On an NT system it would follow this path; C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startupregscan32.exe