
HJT Shane


  • This topic is locked
5 replies to this topic

#1 shane

shane

  • Members
  • 3 posts

Posted 14 July 2004 - 03:18 PM

I have run Spybot and Spyware Doctor. Spybot could not delete all of the files. We purchased Spyware Doctor and it claimed to have cleared all of the files after a reboot. But...........after another reboot it was all back again. The homepage that it redirects us to is www.your-search.info/start.html. I really appreciate the help from you folks.......

Shane

Logfile of HijackThis v1.98.0
Scan saved at 3:55:47 PM, on 7/14/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\scagent.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\Explorer.exe
D:\WINNT\System32\vgoafcl.exe
D:\Documents and Settings\bgibney\Application Data\brlh.exe
D:\WINNT\System32\feutkwzr.exe
D:\Program Files\Shoreline Communications\ShoreWare Client\STCHost.exe
D:\Program Files\Shoreline Communications\ShoreWare Client\CSISCMGR.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
D:\PROGRA~1\SHOREL~1\SHOREW~1\Agent.exe
D:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\WINNT\System32\taskmgr.exe
D:\PROGRA~1\WINZIP\wzqkpick.exe
D:\PROGRA~1\WINZIP\winzip32.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = D:\WINNT\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.your-search.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - D:\WINNT\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - D:\WINNT\systb.dll (file missing)
O2 - BHO: MyObj Class - {275636E4-A535-4668-9FF1-86DC0C62D446} - D:\WINNT\msopt.dll
O2 - BHO: (no name) - {41A7467E-E548-7D9A-D320-65557FD2264C} - D:\WINNT\System32\hlttkqw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62030CCD-1900-42F1-800B-72C84E85BE2C} - D:\WINNT\System32\ghokb.dll (file missing)
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - d:\winnt\sr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] D:\PROGRA~1\Hotbar\bin\448~1.0\SBInst.exe
O4 - HKLM\..\Run: [WeatherOnTray] D:\Program Files\Hotbar\bin\4.4.8.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [lupnynqbvo] D:\WINNT\System32\vgoafcl.exe
O4 - HKLM\..\Run: [alchem] D:\WINNT\alchem.exe
O4 - HKLM\..\Run: [system32.dll] D:\WINNT\system\systeminit.exe
O4 - HKCU\..\Run: [Shoreline Personal Call Manager] D:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe
O4 - HKCU\..\Run: [Maom] D:\Documents and Settings\bgibney\Application Data\brlh.exe
O4 - HKCU\..\Run: [Wfkyrv] D:\WINNT\System32\feutkwzr.exe
O4 - HKCU\..\Run: [monitor] monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Savings - file://D:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O8 - Extra context menu item: Web Search - D:\WINNT\ex.htm
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - D:\WINNT\digfilt.dll
O18 - Filter: text/plain - {4A66C5FE-B64D-4273-903B-41449C451EAF} - D:\WINNT\System32\lafag.dll
O19 - User stylesheet: D:\WINNT\sstyle.css
O19 - User stylesheet: D:\WINNT\sstyle.css (HKLM)


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • Gender:Male
  • Location:USA

Posted 14 July 2004 - 04:22 PM

You are infected with a variant of CoolWebSearch.

Download CWShredder from the link below and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

or

http://tools.zerosrealm.com/CWShredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on cwshredder.exe to start the program. When the program is loaded, click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Once that is completed you should follow these steps in order to clean your computer of Malware, which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

AD-AWARE - Using Ad-aware to remove Spyware/Hijackers from Your Computer.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing entries with HijackThis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#3 shane


Posted 14 July 2004 - 06:17 PM

As you requested, I ran CWShredder, AD-Aware and Spybot.......... Spybot could not clean "IE Pluggin". I'm ready for your next recommendations. Please help!

-Shane

Logfile of HijackThis v1.98.0
Scan saved at 7:04:04 PM, on 7/14/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\Explorer.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - D:\WINNT\systb.dll (file missing)
O2 - BHO: MyObj Class - {275636E4-A535-4668-9FF1-86DC0C62D446} - D:\WINNT\msopt.dll
O2 - BHO: (no name) - {41A7467E-E548-7D9A-D320-65557FD2264C} - D:\WINNT\System32\hlttkqw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62030CCD-1900-42F1-800B-72C84E85BE2C} - D:\WINNT\System32\ghokb.dll (file missing)
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - d:\winnt\sr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] D:\PROGRA~1\Hotbar\bin\448~1.0\SBInst.exe
O4 - HKLM\..\Run: [WeatherOnTray] D:\Program Files\Hotbar\bin\4.4.8.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [lupnynqbvo] D:\WINNT\System32\vgoafcl.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1

#4 Grinler


Posted 14 July 2004 - 07:46 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - D:\WINNT\systb.dll (file missing)
O2 - BHO: MyObj Class - {275636E4-A535-4668-9FF1-86DC0C62D446} - D:\WINNT\msopt.dll
O2 - BHO: (no name) - {41A7467E-E548-7D9A-D320-65557FD2264C} - D:\WINNT\System32\hlttkqw.dll
O2 - BHO: (no name) - {62030CCD-1900-42F1-800B-72C84E85BE2C} - D:\WINNT\System32\ghokb.dll (file missing)
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - d:\winnt\sr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [lupnynqbvo] D:\WINNT\System32\vgoafcl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (Do not be concerned if they do not exist)
D:\WINNT\msopt.dll
D:\WINNT\System32\hlttkqw.dll
d:\winnt\sr.dll
D:\WINNT\System32\vgoafcl.exe

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.

#5 shane


Posted 15 July 2004 - 08:22 AM

OK..........I followed every instruction to a T. Windows 2k doesn't have a system restore option, only last known good hardware config, so I couldn't create your restore point. Once I rebooted, the Spybot automatically ran and picked up two threats; it removed one but still couldn't remove IE Pluggin. Please help Grand Master! Here is my latest log.....

Logfile of HijackThis v1.98.0
Scan saved at 9:15:16 AM, on 7/15/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\scagent.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\Explorer.exe
D:\WINNT\System32\taskmgr.exe
D:\Documents and Settings\bgibney\Application Data\brlh.exe
D:\WINNT\System32\feutkwzr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Shoreline Communications\ShoreWare Client\STCHost.exe
D:\Program Files\Shoreline Communications\ShoreWare Client\CSISCMGR.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\bgibney\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\bgibney\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\bgibney\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\bgibney\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\bgibney\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\bgibney\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {990914C0-C9E9-4BDA-A089-B7D902A53C6C} - D:\WINNT\System32\hjim.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] D:\PROGRA~1\Hotbar\bin\448~1.0\SBInst.exe
O4 - HKLM\..\Run: [WeatherOnTray] D:\Program Files\Hotbar\bin\4.4.8.0\WeatherOnTray.exe
O4 - HKCU\..\Run: [Shoreline Personal Call Manager] D:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe
O4 - HKCU\..\Run: [Maom] D:\Documents and Settings\bgibney\Application Data\brlh.exe
O4 - HKCU\..\Run: [Wfkyrv] D:\WINNT\System32\feutkwzr.exe
O4 - HKCU\..\Run: [monitor] monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Savings - file://D:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.ecoastsales.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{5BB0E31A-6A27-4A73-91FC-B1848DC95E46}: NameServer = 205.219.188.253,204.70.128.1
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - D:\WINNT\digfilt.dll
O18 - Filter: text/plain - {FD129BD5-9C0A-4564-9689-B76135E0E731} - D:\WINNT\System32\hjim.dll

#6 Grinler


Posted 15 July 2004 - 11:02 AM

OK, there was another CoolWebSearch variant hiding out in there.

Do the following:

Hi. Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.
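The log in post #5 differs from the one in post #3 in ways that are easy to miss by eye. As an added example (not part of the original thread and not HijackThis's own code), the Python below parses HijackThis entry lines and diffs two logs, then reports any file that is hooked in under more than one section. The sample logs are short excerpts from the logs posted above, and the function names are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict

# Entry lines carry a section code (R0-R3, F0-F3, N1-N4, O1-O2x), then " - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# First Windows path to a loadable file inside an entry.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)

# Excerpts from the 14 July (7:04 PM) and 15 July logs posted above.
LOG_BEFORE = r"""Logfile of HijackThis v1.98.0
Running processes:
D:\WINNT\Explorer.exe
O2 - BHO: (no name) - {41A7467E-E548-7D9A-D320-65557FD2264C} - D:\WINNT\System32\hlttkqw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WeatherOnTray] D:\Program Files\Hotbar\bin\4.4.8.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [lupnynqbvo] D:\WINNT\System32\vgoafcl.exe
"""
LOG_AFTER = r"""Logfile of HijackThis v1.98.0
Running processes:
D:\WINNT\Explorer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {990914C0-C9E9-4BDA-A089-B7D902A53C6C} - D:\WINNT\System32\hjim.dll
O4 - HKLM\..\Run: [WeatherOnTray] D:\Program Files\Hotbar\bin\4.4.8.0\WeatherOnTray.exe
O4 - HKCU\..\Run: [Wfkyrv] D:\WINNT\System32\feutkwzr.exe
O18 - Filter: text/plain - {FD129BD5-9C0A-4564-9689-B76135E0E731} - D:\WINNT\System32\hjim.dll
"""


def parse_entries(log_text):
    """Return the set of (section, text) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before_text, after_text):
    """Classify entries as gone, persisted or new between two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {"gone": before - after,
            "persisted": before & after,
            "new": after - before}


def shared_files(entries):
    """Map each file referenced from more than one section to those sections."""
    sections = defaultdict(set)
    for section, text in entries:
        m = PATH_RE.search(text)
        if m:
            sections[m.group(0).lower()].add(section)
    return {path: sorted(s) for path, s in sections.items() if len(s) > 1}


if __name__ == "__main__":
    result = diff_logs(LOG_BEFORE, LOG_AFTER)
    for status in ("gone", "persisted", "new"):
        for section, text in sorted(result[status]):
            print(f"{status:9} {section:3} {text}")
    print("multi-hook files:", shared_files(result["new"]))
```

A file that appears under several sections at once, as hjim.dll does here under O2 and O18, needs every one of those entries fixed before the file itself is deleted.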



