Posts by caperjack

Those Who like it like it alot !!just like that Bastard,stepchild i guess:)

Right on,your phone should be ringing now!:)

Search IP here .
http://www.arin.net/whois/

Looks clean to me .
Check how i got infected in the first place in my signature below.

IE,tools /internet options/temp internet files/delete files

sorry for the delay ,but we are all just volunteer's
My 2 jobs keep me busy! and I have to fight with my 16 yr old daughter for the computer at night !!

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

reboot computer and post a new log

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

O4 - HKLM\..\Run: [WinSys] C:\WINNT\System32\WinSys.exe

O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe

O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe

this is resource hog and suggested fix ,as its not needed in startup.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Now reboot into safe mode and delete the following files and folders if found .

C:\WINNT\System32\WinSys.exe ... delete file

C:\WINNT\runwin32.exe ...delete file

C:\WINNT\wininet32.exe ...delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

…

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

Its sites like the regcleaner download that people get spyware from .Popup,redirect to another program .Ect ECT
I will install it and see what comes with it .:)

Edit:Neat little program ,and nothing bad came with it !!

I am having the same/similar problem...

Logfile of HijackThis v1.97.7
Scan saved at 11:08:00, on 02/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\E_S00RP2.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Advanced Communications\Hosting Controller\exes\HCDiskQuota.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\MAILEN~1\BIN\MEHTTPS.EXE
C:\PROGRA~1\MAILEN~1\BIN\MELSC.EXE
C:\PROGRA~1\MAILEN~1\BIN\MEMTA.EXE
C:\PROGRA~1\MAILEN~1\BIN\MEPOC.EXE
C:\PROGRA~1\MAILEN~1\BIN\MEPOPC.EXE
C:\PROGRA~1\MAILEN~1\BIN\MEPOPS.EXE
C:\PROGRA~1\MAILEN~1\BIN\MESMTPC.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\AUDIOS~1\Bits browse intra.exe
C:\WINNT\Plaxo\1.5.2.32\InstallStub.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchweb2.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index.html?http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchweb2.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program …

Did you run the virus scan!!

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

After you get it all fixed and things are working good ,Download and install these two programs to help stop Spyware .

Spywareblaster

SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

also check how i got infected in the first place .

http://www.computercops.biz/postlite7736-.html

Also a trip to windows updates is needed for critical updates and SP1's
WINDOWS UPDATES

Yeah I missed one ,make sure all other windows are close and have hijack fix this one .

O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\ootr.exe

reboot and delete this file ..C:\Documents and Settings\Owner\Application Data\ootr.exe ..delete file .

After you get it all fixed and things are working good ,Download and install these two programs to help stop Spyware .

Spywareblaster

SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

also check how i got infected in the first place .

http://www.computercops.biz/postlite7736-.html

Also a trip to windows updates is needed for critical updates and SP1's
WINDOWS UPDATES

first unzip hijackthis to a folder of its own like c:\HJT\hijackthis.exe

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.64.com/uscf/ratings/?nm=...st=NJ&Find=Find

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll

O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINNT\System32\ssurf022.dll

O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

O4 - HKLM\..\Run: [yrvtimgqdu] C:\WINNT\System32\kagqts.exe

Chek add and remove programs for this and unistall if there ,and then fix here also
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\AddressBar\emaillink.htm

O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab

O16 - DPF: {2AEBF56B-88C4-7EC4-3B3F-24F1B5AD40FF} (DownloadUL Class) - http://public.searchbarcash.com/cab/006/asqkfkgw.cab

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://web.net2phone.com/products/c...XCommCenter.cab

Now reboot into safe mode and delete the …

Next run this free online virus scan to see if we can get rid of the trojans on you system .check auto fix and run the scan .
http://housecall.trendmicro.com/housecall/start_corp.asp

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

reboot computer and post a new log

post a fresh hijack log just to be sure its clean now.

the model of Dell I have is Dell Dimension L433cx and no I don't have a Windows 98 CD, or a Dell Recovery CD I bought this computer from someone and all they gave me with it was a boot disk...

I think you just answered your first question!:)

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O4 - HKLM\..\Run: [fxteixrsfp] C:\WINDOWS\System32\cwjwqz.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsu.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab

Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\System32\cwjwqz.exe........delete file

C:\WINDOWS\alchem.exe........delete file

C:\WINDOWS\System32\wnsintsu.exe........delete file

C:\Program Files\Common Files\GMT\........delete folder

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log.

PS,Im from CB,NS and we don't drink here thanks Anyway.lol

How could you have updated you bios ,if you didn't know what bios it had .

Now all is back to normal but I get a "Your system case has been opened - Press F1 to continue" message at boot up.

you might just be able to hit the key to enter setup instead of hitting F1,and just enter bios and then exit it saving changes ,this might get ridof message .

could it be in this keyboard program you are using .
C:\Program Files\Tavultesoft\Keyman\keyman.exe

It is a legit windows[2 of them on mine ] file it will be all right to leave it

:mrgreen:
I don't think this needs fixing .
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

post a fresh log ,if the above one is from before you ran spybot and adaware programs.
I will also suggest the free online virus scan in my signature,

Try the first free online viruse scan in my signature ,make sure to click on auto fix

I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

. and it's only in certain instances. How do I do a repair IE?

Thanks for the help.

Not all web pages are fully functinal .Some are outdated and the Pictures are no longer working .
Post a link[copy and paste the URL] to one of the sites that you are having problems with and we'll se if we get red X's

Oh!lets have a look with hijackthis.
Download 'Hijack This!'.HERE

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe , Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

Considering it's a used system with someone else's version/license of XP, and according to rellie1977 he wanted to format the drive anyway, it's HIGHLY ADVISABLE that the drive get reformatted. Plus, there's no worries of whether or not the system is infected with viruses, malware, etc. if a clean O/S is installed on a fresh partition.

Exactly!:)

Also a trip to windows updates is needed for critical updates and SP1's
WINDOWS UPDATES

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=138770

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1617beb...ip/RdxIE601.cab

Reboot and post fresh log

If its not hurting anything why do you want to delete it .as it is not the bad malware bridge.dll file that everyone else is trying to get rid of .
It is a microsoft file .

I already have the first solution. That's where I'm stuck. I cannot delete the registry keys without permission. How do I set up permission correctly? The last set of instructions is way tooo complicated for me to follow along. Anything simpler?

I Have XP so not sure if 2000 doese this or not ,i useto do phone tek and help people with 2000 registry problems ,but that was last year !!and i was reading it from my binder!!

with regedit opened and the key you want to change permission on right click the key ,permission is in the box in xp ,maybe there in 2000 also.
or with the key open go to edit permissions should be there in 2000,if memory serves me right ,

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.winet.html

Yeah ,you should unplug and then hold the start button in for about 15 seconds or more to drain the powersupply also!

Might I suggest Ad-Aware and Spybot and hijackthis

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Download 'Hijack This!'.HERE

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe , Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

reboot computer and post a new hijackthis log

Do you want to do smething different than what you wanted to do in the above post .are you still trying to make yahoo you home page .if so type in www.yahoo.com
go to tools /internet options /click use current in the homepage section !

not a complete log the top is missing !

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Well I agree :),you allready told him to do that no need me repeating it !

Try Start/run/REGEDIT32

Or I would right click on mycomputer /properties/hardware/device manager/ and look for the cdroms/click the + next to CD and uninstall ,then close that out and reboot computer to reinstall the drives .

go here and get a win98 bootdisk, http://www.bootdisk.com/bootdisk.htm

copy it to a formated floppy, boot computer to the new bootdisk and at the dos prompt type FDISK ,choose delete partition ,If you XP install is NTFS ,then choose delete non dos partition ,delet it ,then choose create DOS partition ,then reboot and choose boot with cdrom support ,at the dos prompt ,with the XP cd in the drive type SETUP ,and install winxp

It will only stop working ,you will ahve to uninstall it yourself .
I would try this ,not saying it will work !
go to the folder the demo is in and copy the uninstall file ,if one there ,and then go to the folder with the full version ,and the corrupt uninstall file ,and past it there ,overwrite the other if asked and then try uninstall the full version !

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [DUNRMS] C:\WINDOWS\dunrms.exe

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

O4 - HKLM\..\Run: [BEIL] C:\WINDOWS\BEIL.exe

O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe

O4 - HKLM\..\Run: [ponap] C:\WINDOWS\ponap.exe

Now reboot into safe mode and delete the following files and ders if found .

C:\WINDOWS\dunrms.exe...... delete file

C:\WINDOWS\BEIL.exe ...... delete file

c:\windows\msbb.exe ...... delete file

C:\WINDOWS\ponap.exe ...... delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

Your welcome ,you just paid me!:)

That is not a full log ,please copy and past the full log ,thanks .