Internet Explorer Fails After Registry Removal
OK, here's the story. Today my laptop was infected with an extremely malicious strain of the CoolWebSearch spyware virus. It took me nearly two hours to remove it. The removal involved sifting through the Registry (run >> "regedit") and deleting the bugs responsible for the infection. Here's the key: I think that during that process, I accidentally deleted a file in the registry (something to do with browser helper objects) that was vital to my internet functions.
The virus was eliminated. But now, as a result, my internet is working intermittently. In other words, I'll turn on the computer and my browser will be dead; then a few restarts later it will be perfectly fine...and so on.
I'm not sure if the alterations I made in the registry have anything to do with the failure. It might be a symptom of the virus, though I'm pretty sure it's been destroyed. Here's a site that has information on the C:\searchpage.html virus ("http://www.computing.net/security/ww...rum/11198.html"), in case it's useful.
I should also note that I did use HijackThis to help remove the virus; though that shouldn't be an issue since I've restored one essential file that I accidentally erased with it.
Again, in case the message got lost in all those words, here's my problem:
I deleted something in the registry and now my internet works on and off, but mostly off.
I'm wondering. Should I simply re-install internet explorer or is this a glitch that I can locate and fix? Is there some way that I can restore or repair deleted files without trashing the whole program? And If I do need to re-install internet explorer, can someone please give me instructions about how to do that?
I know I can't give much information, but I'm desperate for help.
Thanks a ton!!
First of all, let's figure out if the problem might not be being caused by something malicious that didn't get removed. Could you run HijackThis again and post a copy of the log file here please? If your system is clean, we can start looking at the possibility that you did indeed delete a necessary reg key.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Originally Posted by Pseudonym
OK, here's the story. Today my laptop was infected with an extremely malicious strain of the CoolWebSearch spyware virus. It took me nearly two hours to remove it. The removal involved sifting through the Registry (run >> "regedit") and deleting the bugs responsible for the infection. Here's the key: I think that during that process, I accidentally deleted a file in the registry (something to do with browser helper objects) that was vital to my internet functions.
The virus was eliminated. But now, as a result, my internet is working intermittently. In other words, I'll turn on the computer and my browser will be dead; then a few restarts later it will be perfectly fine...and so on.
I'm not sure if the alterations I made in the registry have anything to do with the failure. It might be a symptom of the virus, though I'm pretty sure it's been destroyed. Here's a site that has information on the C:\searchpage.html virus ("http://www.computing.net/security/ww...rum/11198.html"), in case it's useful.
I should also note that I did use HijackThis to help remove the virus; though that shouldn't be an issue since I've restored one essential file that I accidentally erased with it.
Again, in case the message got lost in all those words, here's my problem:
I deleted something in the registry and now my internet works on and off, but mostly off.
I'm wondering. Should I simply re-install internet explorer or is this a glitch that I can locate and fix? Is there some way that I can restore or repair deleted files without trashing the whole program? And If I do need to re-install internet explorer, can someone please give me instructions about how to do that?
I know I can't give much information, but I'm desperate for help.
Thanks a ton!!
just for the record !!Coolwebsearch browser hijack variants are not viruses!!
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Originally Posted by caperjack
just for the record !!Coolwebsearch browser hijack variants are not viruses!!
:mrgreen:
Originally Posted by DMR
Picky, picky, picky....
:mrgreen:
Originally Posted by DMR
First of all, let's figure out if the problem might not be being caused by something malicious that didn't get removed. Could you run HijackThis again and post a copy of the log file here please? If you're system is clean, we can start looking at the possibility that you did indeed delete a necessary reg key.
Logfile of HijackThis v1.97.7
Scan saved at 6:45:51 PM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\sysmon\sysmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Penn Bullock\Local Settings\Temporary Internet Files\Content.IE5\OHA78PIJ\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbcnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bbcnews.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\lexbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\lexbar.dll
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NMFTASK] NMFTASK.EXE /RESET
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5Pd] C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mgxi77y0n5] C:\WINDOWS\g30xdnnm4i.exe
O4 - HKCU\..\Run: [sysmon] C:\WINDOWS\System32\sysmon\sysmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tri...tyleSigned.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35
Maybe there's something rotten hiding in there. The "alchem" file always seemed a bit suspicious to me, but it's all a bunch of jumble to me anyway. Glad you can help me out!
:cheesy:
P.S. After I got infected with the spyware (OK, it's not a virus - sorry), I uninstalled my Google toolbar. When I tried to reinstall it, no matter what I did I couldn't get it to appear on my browser. It's a really trivial issue and it doesn't matter, but I wanted to mention it because maybe it has something to do with the virus. Once again, THANKS!
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
O3 Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [5Pd] C:\documents and settings\penn bullock\local settings\temp\5Pd.exe
O4 - HKCU\..\Run: [mgxi77y0n5] C:\WINDOWS\g30xdnnm4i.exe
this one is a resource hog and a suggested fix.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tr...styleSigned.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
Now reboot into safe mode and delete the following files or folders if found.
winmain.exe >>> delete file
C:\Program Files\Common files\updater >>> delete folder
C:\documents and settings\penn bullock\local settings\temp\5Pd.exe >>> delete file
C:\WINDOWS\g30xdnnm4i.exe >>> delete file
to delete the above files and folder you will need to do the following
go to Show hidden files & folders
"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode
reboot computer and post a new log
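What caperjack did above by eye (pick out the orphaned toolbar entry, the autostart living in a temp folder, the Run value with a random-looking name, the ActiveX control pulled from a bare IP address) can be written down as rules, and the original poster's trouble began with deleting registry entries without a backup, which is also what DMR's C:\HJT folder advice guards against. The Python script below is an added example, not code from this thread or from HijackThis: it parses a handful of lines taken from the logs posted here (the profile path shortened to <user>), applies those heuristics, and produces the reg.exe export commands to run before anything is fixed. The severity labels, the regexes and the mapping of HijackThis's abbreviated "HKLM\..\Run" to the full key path are my own assumptions; "review" findings such as the bare winmain.exe and the O17 DNS servers are meant for a person to confirm, not to remove automatically.

```python
"""Added example: mechanical triage of HijackThis-style log lines.

Not code from this thread or from HijackThis; it encodes the rules the helpers
applied by eye (orphaned entries, autostarts from temp folders, random names,
ActiveX from a raw IP) and emits reg.exe backup commands to run first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed full registry paths behind the abbreviated "HKLM\..\Run" / "HKCU\..\Run"
# that HijackThis prints on O4 lines.
RUN_KEYS = {
    "HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# "machine-generated" name: 8+ alphanumerics mixing at least 2 digits and 3 letters
RANDOM_NAME_RE = re.compile(r"^(?=(?:.*\d){2})(?=(?:.*[a-z]){3})[a-z0-9]{8,}$", re.IGNORECASE)
IPV4_HOST_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/")

# Constructed sample: lines trimmed from the logs posted in this thread,
# with the user's profile path shortened to <user>.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [5Pd] C:\documents and settings\<user>\local settings\temp\5Pd.exe
O4 - HKCU\..\Run: [mgxi77y0n5] C:\WINDOWS\g30xdnnm4i.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35
"""


@dataclass
class Finding:
    severity: str                # "high": fix checked; "review": confirm by hand first
    line: str
    reason: str
    hive: Optional[str] = None   # set for O4 entries so a backup command can be built


def _exe_path(command: str) -> str:
    """Strip arguments from an O4 command string, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return re.split(r"\s+[/-]", command, maxsplit=1)[0]


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics to every line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        # O2/O3 entries whose DLL is gone are orphans left behind by a removal.
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(file missing)"):
            findings.append(Finding("high", line, "BHO/toolbar points at a file that no longer exists (orphaned entry)"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            path = _exe_path(command)
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if TEMP_DIR_RE.search(path):
                findings.append(Finding("high", line, "autostart launched from a temp directory", hive))
            elif RANDOM_NAME_RE.match(name) or RANDOM_NAME_RE.match(stem):
                findings.append(Finding("high", line, "random-looking value or file name", hive))
            elif "\\" not in path:
                findings.append(Finding("review", line, "bare file name; confirm which file actually runs", hive))
            continue
        m = O16_RE.match(line)
        if m and IPV4_HOST_RE.match(m.group(1)):
            findings.append(Finding("high", line, "ActiveX control downloaded from a raw IP address"))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(Finding("review", line, f"DNS servers {m.group(1)}: confirm they belong to your ISP"))
    return findings


def backup_commands(findings: List[Finding]) -> List[str]:
    """reg.exe export lines to run before fixing any high-severity O4 entry."""
    hives = sorted({f.hive for f in findings if f.hive and f.severity == "high"})
    return [f'reg export "{RUN_KEYS[h]}" {h}_Run_backup.reg' for h in hives]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("\nRun these before 'Fix checked':")
    print("\n".join(backup_commands(results)))
```

Run it as-is to see the sample triage; to apply it to a full log, call triage(open(path).read()). The exported .reg files can be double-clicked to put a removed Run value back, which is the recovery path the original poster was missing after editing regedit by hand.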
OK, I followed all your instructions and unfortunately it hasn't worked. In fact, there's a new problem. Today, while I was on the internet, the start menu, my desktop items, and all my browsers suddenly disappeared, as if the computer was about to shut down. When they came back, the browser windows were gone and the internet connection was bust. The same thing happened just a few minutes ago, only this time it caused the connection to be revived. My suspicion is that this is the work of some lingering spyware bug. But I doubt it can be weeded out by HijackThis. When I was first infected, neither Ad-Aware nor Hijackthis nor Spybot did the trick; so I was forced to delve into the registry.
Oh, and here's the new log you asked for. There may be some new things in there, since I've installed several new toolbars and search programs (all of them are safe).
Logfile of HijackThis v1.97.7
Scan saved at 12:28:33 AM, on 5/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Penn Bullock\Local Settings\Temp\5Pd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\sysmon\sysmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\GGSearchTool\ggsearch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbcnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bbcnews.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.5\lexbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.5\lexbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Groowe - {1F326B8F-CE7F-4C98-96A1-AC7A2B61D742} - C:\WINDOWS\System32\GrooweToolbar.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NMFTASK] NMFTASK.EXE /RESET
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5Pd] C:\Documents and Settings\Penn Bullock\Local Settings\Temp\5Pd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sysmon] C:\WINDOWS\System32\sysmon\sysmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Girafa (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{61162AB1-DAF5-45AA-A7BF-A98A19A45EEB}: NameServer = 210.193.2.33,210.193.2.35