Coolwebsearch (?) Or Something, Keeps Hijacking My Pc (win98/ie6)


8 replies to this topic

#1 Igorkey


Posted 20 January 2006 - 09:19 AM

My system:
Win98. Dial-up internet with AOL9(?). No firewalls. Light internet usage. Heavy Outlook usage. Some FrontPage usage (the only backup disk I am missing). Some usage of older Casio pda, thus I have a synchronizer.
-------------------------------------
My troubles:
Anytime I open IE (6), it gets hijacked, home page about:blank etc… 3 spy entries in the Add/Remove program (home search assistant…) Also, I get some new *.exe files in the C:\Windows\ and C:\windows\system. These *.exe generate Windows errors every 30-60 seconds. Usually two identical errors at a time.

Using a combination of physical deletion of *.exe files that cause errors, Spybot and Ad-aware (all with latest updates) and Hijackthis - I can fix all of the errors, except one (small?) - Explorer.exe error when opening Win Explorer or Control Panel. I get two Win errors in a row and then the explorer (and control panel) open and work fine.

Also, I noticed that unlike in the past, when I left explorer open on shutdown and had the same folder open on restart, this time I just get my desktop on restart with no windows opened.

I did follow your instructions
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Except - I couldn’t run any web-based antivirus. Also, I didn't install a firewall yet.
I cleaned up again using Spybot and Ad-aware. Stinger didn't find anything. I ran Hijack Log (see below). I didn’t clean up anything in it this time. In earlier attempts, I cleaned up all entries related to about:blank.

I am hoping for some sort of solution - there must be something on my system that is activated when IE6 is opened. Reverting to IE5 is a possibility, but seems to affect my Outlook functionality.

Thanks.
Igor

-------------------------------------------
History:

1. Installing IE6 (part of damn TurboTax2005), triggered some sort of a virus on my PC that hijacked my home page, started adding some strange exe files into my C:\windows and C:\windows\system. These exe would come up every 30-60 seconds and show windows error - actually it would be two identical errors in a row, then break. I had a few strange entries in the Control-panel / Add/Remove - home search assistant etc...

I reverted IE to prior version (I guess 5) and set it to highest security. I deleted all of these *.exe files from C:\windows and C:\windows\system - was focusing on unfamiliar names and date when my problem started. Then ran Spybot and Ad-aware. They found a bunch of CoolWebSearch things and deleted them. Ran Hijackthis a few times and deleted some junk.

The system stabilized just fine. I still had one noticeable problem - opening Win Explorer (or Control Panel), I would get Windows error "Explorer caused …" twice, but then the Explorer (or Control Panel) would open just fine.

I did go on-line and even used my IE and had no issues, no hijackings. Ran Norton (1999, but definition updated through 7/2005).

Then, I wanted to use Outlook and got an error and the Outlook would shutdown before I could do anything
"OLE registration error". Since I use it heavily.

After reading the comments, I learned that to fix outlook, I needed to download IESP1 pack for Win98. Downloaded, installed - Outlook started working fine, but once I opened my IE (not even on-line!), got back to Square 1 (see my troubles above).

This time, I knew at least how to handle these errors that would slow me down and quickly killed these programs in C:\windows and C:\windows\system.
Again, I cleaned up my PC, this time didn't uninstall my IE and continue using Outlook. Same Win explorer errors. At some point, by accident (clicked Windows Update) opened IE and again, to square one.

I did notice that rundll and mdm are always running on my task monitor. Going to MS Config and unchecking Rundll on startup didn't fix Win explorer, but locked Control Panel, so I brought it back to start up.

Questions -
Something is clearly sitting on my PC and waiting for IE6 to open.

I can use AOL and the web-browser within AOL. Is it safe? After each AOL use, Ad-aware finds the same cookie in my Temp files. Still, all of the links I get or send within Outlook are set to use IE.

Can I go back to IE5 and still operate Outlook and expect the virus to stay dormant?
I was tempted to reformat and reinstall my win98, but 1. I don't have FrontPage disk, 2. Big project….

Any other suggestions?
Igor

The latest HJthis log - notice I didn't clean up this time anything - even about:blank.
----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:23:57 AM, on 1/20/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\RSMENU.EXE
C:\PROGRAM FILES\COMMON FILES\RANDSYNC\TRANSLATORS\CASIOORG\CASAGNT.EXE
C:\WINDOWS\RunDLL.exe
C:\AAA-FIX-PC\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = AT&T Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gate.temple.edu:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {B7AE5988-3688-C06D-F636-5509DAD63F01} - C:\WINDOWS\D3UK.DLL
O2 - BHO: Class - {213FF3C4-933A-5728-4344-750F1EBB3DD5} - C:\WINDOWS\SDKRP32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\MOUSE\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\MOUSE\tips\mouse\tips.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Enterprise Harmony '99] C:\PROGRA~1\COMMON~1\rsMenu.exe
O4 - HKLM\..\Run: [Harmony 98 - CasioOrg] C:\PROGRA~1\COMMON~1\RANDSYNC\Translators\CasioOrg\CasAgnt.exe EN
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [JAVAYU.EXE] C:\WINDOWS\SYSTEM\JAVAYU.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [CRDF.EXE] C:\WINDOWS\SYSTEM\CRDF.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


 


#2 MFDnSC


Posted 21 January 2006 - 05:49 PM

Download http://www.intermute.com/spysubtract/cwshr...r_download.html
Close all browser windows, unzip the file, click on cwshredder.exe, then click "Fix"


Download About:Buster from:
http://www.majorgeeks.com/download4289.html
Double click aboutbuster.exe, Click begin removal, click yes to shutdown IE, click Start, then click OK.


Fix these with HJT – mark them, close IE, click fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: Class - {B7AE5988-3688-C06D-F636-5509DAD63F01} - C:\WINDOWS\D3UK.DLL

O2 - BHO: Class - {213FF3C4-933A-5728-4344-750F1EBB3DD5} - C:\WINDOWS\SDKRP32.DLL

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\D3UK.DLL
C:\WINDOWS\SDKRP32.DLL

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 Igorkey


Posted 24 January 2006 - 09:28 AM

Hi,
Thank you very much for your help.
I did all the steps, but a few comments first - unrelated to your suggestions.

1. I "lost" my old Norton - I tried to install Norton Internet Security 2005. It forced me to uninstall my Norton, but then the installation failed. I was able to eliminate the Norton errors. But now I don’t have Norton or any antivirus.
2. Anytime I go online now, I use AOL and AOL's browser (instead of IE6). No hijackings, but running Ad-aware after AOL use, I keep getting the same results - 3 negligible issues - MRU (?) and 2 serious issues (TAC3) - Data Miner(?) somehow related to centrpost.net (or something like that, I can't find my notes). I deleted them but after another AOL use, they are back, etc....

------------------------------------------
Running
1. CWShredder.exe - found nothing. Please note that I did use it when I first started fighting this bug and on the first run it found and eliminated something.

2. About buster - found and removed a bunch of files (8-10). Gave me a message - "CWS found, need to reset IE settings and erase C:\windows\temp". I said OK.

3. Ran HJThis and removed as instructed -
Note that two entries after O2:………………………….DLL, had the following - "(file missing)"

4. Ran KillBox and it didn't find these 2 files.
------------------------------------------------

Current status - Windows Explorer opens without Errors.
IE6 - I didn’t run it yet, as I am afraid it will be hijacked again.

-------------------------------------------------
Latest HJT log:

Scan saved at 11:33:50 PM, on 1/23/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\RSMENU.EXE
C:\PROGRAM FILES\COMMON FILES\RANDSYNC\TRANSLATORS\CASIOORG\CASAGNT.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\RunDLL.exe
C:\AAA-FIX-PC\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = AT&T Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gate.temple.edu:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Gravis AppAware Loader] C:\WINDOWS\SYSTEM\DBServer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [JAVAYU.EXE] C:\WINDOWS\SYSTEM\JAVAYU.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\MOUSE\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\MOUSE\tips\mouse\tips.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Enterprise Harmony '99] C:\PROGRA~1\COMMON~1\rsMenu.exe
O4 - HKLM\..\Run: [Harmony 98 - CasioOrg] C:\PROGRA~1\COMMON~1\RANDSYNC\Translators\CasioOrg\CasAgnt.exe EN
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [CRDF.EXE] C:\WINDOWS\SYSTEM\CRDF.EXE /s
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AOL Instant Messenger ™] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

Thank you!
Igor
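
Added example, not part of the thread and not HijackThis's own code: a Python sketch that parses the entry lines of two HijackThis logs, diffs them, and checks whether anything on a fix list is still present, treating an entry with a trailing "(file missing)" as the same entry. The log excerpts are copied from the 1/20 and 1/23 scans in this thread; the function and constant names are hypothetical.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "R1", "O2", "O4"
    body: str  # text after "CODE - "

# Entry lines look like "O4 - HKLM\..\Run: [Name] path". Header lines and the
# "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*\S)$")
FILE_MISSING_RE = re.compile(r"\s*\(file missing\)$", re.IGNORECASE)

def parse_log(text):
    """Return the R/F/N/O entries of a HijackThis log in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def key(entry):
    """Comparison key: ignore case, spacing and a '(file missing)' suffix."""
    body = FILE_MISSING_RE.sub("", entry.body)
    return entry.code, " ".join(body.split()).lower()

def diff_scans(before, after):
    """Return (removed, added) entries between two scans."""
    b = {key(e): e for e in parse_log(before)}
    a = {key(e): e for e in parse_log(after)}
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added

def still_present(fix_list, after):
    """Entries from the helper's fix list that the later scan still shows."""
    present = {key(e) for e in parse_log(after)}
    return [e for e in parse_log(fix_list) if key(e) in present]

# Excerpts copied from the logs posted in this thread (not the full logs).
SCAN_JAN20 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gate.temple.edu:8080
O2 - BHO: Class - {B7AE5988-3688-C06D-F636-5509DAD63F01} - C:\WINDOWS\D3UK.DLL
O2 - BHO: Class - {213FF3C4-933A-5728-4344-750F1EBB3DD5} - C:\WINDOWS\SDKRP32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [JAVAYU.EXE] C:\WINDOWS\SYSTEM\JAVAYU.EXE
O4 - HKLM\..\RunServices: [CRDF.EXE] C:\WINDOWS\SYSTEM\CRDF.EXE /s
"""

SCAN_JAN23 = r"""Scan saved at 11:33:50 PM, on 1/23/06
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gate.temple.edu:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Gravis AppAware Loader] C:\WINDOWS\SYSTEM\DBServer.exe
O4 - HKLM\..\Run: [JAVAYU.EXE] C:\WINDOWS\SYSTEM\JAVAYU.EXE
O4 - HKLM\..\RunServices: [CRDF.EXE] C:\WINDOWS\SYSTEM\CRDF.EXE /s
"""

# Part of the fix list from reply #2.
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Class - {B7AE5988-3688-C06D-F636-5509DAD63F01} - C:\WINDOWS\D3UK.DLL
O2 - BHO: Class - {213FF3C4-933A-5728-4344-750F1EBB3DD5} - C:\WINDOWS\SDKRP32.DLL
"""

if __name__ == "__main__":
    removed, added = diff_scans(SCAN_JAN20, SCAN_JAN23)
    for label, items in (("removed", removed), ("added", added)):
        for e in items:
            print(f"{label:8} {e.code} - {e.body}")
    print("fix-list entries still present:", still_present(FIX_LIST, SCAN_JAN23))
```

On these excerpts nothing from the fix list remains in the 1/23 scan, while the JAVAYU.EXE and CRDF.EXE startup entries appear in both scans.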

#4 MFDnSC


Posted 24 January 2006 - 10:05 AM

MRU's are nothing - Most Recently Used
==========
AOL's browser is essentially IE
=========
This will stop some of the noise: turn off third-party cookies

1. Click on the Tools button on the Internet Explorer tool bar.
2. Highlight and click on Internet options at the bottom of the Tools menu.
3. Select the Privacy Tab of the Internet Options menu.
4. Select the Advanced... button at the bottom of the screen.
5. Select override automatic cookie handling button.
6. To block third party cookies select block under "Third-party cookies".
7. Select "always allow session cookies".
8. Click on the OK button at the bottom of the screen.
============
For an AV

Get the free AVG 7, install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
=============
For protection Get all of these and/or verify you have the current versions

SpywareBlaster 3.5.1 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html

Download them (they are free), install them, check each for their definition updates and then run AdAware, and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize
==============

Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [JAVAYU.EXE] C:\WINDOWS\SYSTEM\JAVAYU.EXE

O4 - HKLM\..\RunServices: [CRDF.EXE] C:\WINDOWS\SYSTEM\CRDF.EXE /s

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM\JAVAYU.EXE
C:\WINDOWS\SYSTEM\CRDF.EXE

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 Igorkey


Posted 26 January 2006 - 09:09 AM

Thank you for your help!

On your comment:
"AOL's browser is essentially IE".
My problems seem to have started when TurboTax installed IE6. IE5 was working just fine. I might be wrong, but it seems that AOL browser is somehow similar to IE5.
-------------------------------------------------

I changed the privacy setting you suggested without opening IE6 as I am afraid it would trigger all the mess again. I did it by right-clicking on the icon, then properties, etc...

---------------------------------------------------
Installed, updated and ran AVG - it found and deleted two Trojans - C:\ms32.tmp and c:\windows\system\rgaa.dll
--------------------------------------------------
Installed / updated / activated SpywareBlaster.

Updated Ad-aware and run - this time it found 6 serious bugs (2 registry and 2 files) - the same two it found in the past (related to centrpost) and 4 new ones - related to CoolWebsearch. Since I was on-line yesterday, before changing privacy changes - I was not surprised to see the two again. The new 4 - possibly because of the new definitions? Or infection spreading?

Killed the bugs, re-run Ad-aware - clean.

Updated Spybot and run - clean.

-------------------------------------------
Run HJT and deleted two items you listed.
---------------------------------------
In the safe mode run Killbox and tried both files, but KillBox didn't find them.
----------------------------------
Re-started in normal mode and Rerun HJT. The log is below. I still haven't opened IE6.

Not sure why I have a Temple.edu entry there. It has been 1+ year since anyone here had anything to do with Temple and we don't need it.

Thanks,
Igor

Logfile of HijackThis v1.99.1
Scan saved at 11:10:02 PM, on 1/25/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\RSMENU.EXE
C:\PROGRAM FILES\COMMON FILES\RANDSYNC\TRANSLATORS\CASIOORG\CASAGNT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\RunDLL.exe
C:\AAA-FIX-PC\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = AT&T Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gate.temple.edu:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Gravis AppAware Loader] C:\WINDOWS\SYSTEM\DBServer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\MOUSE\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\MOUSE\tips\mouse\tips.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Enterprise Harmony '99] C:\PROGRA~1\COMMON~1\rsMenu.exe
O4 - HKLM\..\Run: [Harmony 98 - CasioOrg] C:\PROGRA~1\COMMON~1\RANDSYNC\Translators\CasioOrg\CasAgnt.exe EN
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AOL Instant Messenger ™] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

#6 MFDnSC


Posted 26 January 2006 - 11:48 AM

Great feedback - I wish more would do that

Fix that R1 entry

Log looks fine
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 Igorkey


Posted 26 January 2006 - 01:14 PM

Thank you for your help and for your compliment.

Just to make sure - you think that I am safe now to open IE6?

If something goes wrong (another hijacking) would you want me to attempt the basic clean up first or to start with the HJT log?

Igor

#8 MFDnSC


Posted 26 January 2006 - 01:24 PM

You should be able to open IE
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 Igorkey


Posted 31 January 2006 - 03:58 PM

Hello,

Everything seems to be working ok.

A couple of observations about IE -
Even at the legit sites - popups don't work, redirection doesn't work.

When I tried to use a checkbox "select all" to delete spam from my yahoo account - nothing happened. I select several manually, clicked "delete" button - nothing happened again. I had to open e-mail and click delete within it.

Thank you,
Igor



