Posts by caperjack

Check out the hijackthis tutorial here .
http://www.spywareinfo.com/~merijn/htlogtutorial.html

You could also use this EXE file search to get a driscription of the exe's in startup to see if they are good and if they are needed .here is one=
http://www.kephyr.com/filedb/index.php

or download and use this one .
http://www.pacs-portal.co.uk/startup_pages/start_ups.exe

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)

O4 - HKLM\..\Run: [wininetd] C:\WINDOWS\SYSTEM\wininetd.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab

O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/cabs/875480.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab

Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\SYSTEM\wininetd.exe .....delete file

C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE .........delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

First, download LSPfix here: http://www.cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

2 things to do to help stop it from reacurring .

1=Also a trip to windows updates is needed for critical updates and SP1's
WINDOWS UPDATES

2=After you get it all fixed and things are working good ,Download and install these two programs to help stop Spyware .

Spywareblaster

SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

also check how i got infected in the first place .

http://www.computercops.biz/postlite7736-.html

Log look great now ,check out how i got infected in the first place in my signature and get the programs recomended .

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSxdm315

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

Now reboot into safe mode and delete the following files and folders if found .

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe ... delete file

C:\WINDOWS\fash.exe..delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

You have more than about blank ,like this one --O4 - HKLM\..\Run: [Aplune Service] svchosd.exe.
This is why its always best to start your own thread instead of piggie backing to one like this one.
Everyones log is different!!Everyones problems are different!

Run this free online virus scan ,check off auto fix.and and then Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

Your welcome :)

in restore go back to the farthest possiable date !!

Yes ,or you could run hijack this and click configure/backups and pick it from the list and restore it that way .

It's no burger biggie, but it's an irritant. I'm running 2000 Pro on, would you believe, a Pentium 233. Before you fall down laughing I'll have to say it's not real speedy, but it is not as slow as one might think. 2M does a great job of kicking things up.

I'm getting an error message on boot: RUNDLL with an X - Error loading c:\winnt\downloaded program files\bridge.dll. This specific module could not be found.
I'm sure it is part of an applet I probably installed and then uninstalled, but I'm not sure how to locate the source of the problem and zap it. Can someone give me a clue?

Thanks, BuddyB

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Download 'Hijack This!'.HERE

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe , Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

reboot computer and post a new hijackthis log

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)

O4 - HKLM\..\Run: [W6nyl] C:\WINDOWS\TEMP\W6NYL.EXE

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\TEMP\W6NYL.EXE --delete this file ,also a good idea to actually empty the content of the temp folder

C:\Program Files\Common files\WinTools... delete this folder

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

i had the exact same problem...I deleted everything off my HJT report and ive never had the problem since

bullie for you !:)

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
I don't see any thig really bad in you log a few things to fix .also you need to reboot to finish the wmp update ==
O4 - HKLM\..\RunOnce: [KB837272] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP

this is not needed in startup and is a resource hog and suggested fix
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Fix this one
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29be695...ip/RdxIE601.cab

Hi,

I'm facing a problem with my IE 6 browser running on XP home edition. When I go to Tools -> Internet Options -> Advanced tab, it appears totally blank under the settings; no options to check/un-check at all. I do see the "Restore Defaults" button in the bottom, but clicking on it does nothing. I've tried reinstalling IE from win xp CD, but it's still not helpful.

If anyone knows any solutions to this problem, please help me out. Any help will be truly appreciated. Thanks everyone.

download this , http://www.mvps.org/sramesh2k/reg/Advanced_blank.reg ,and click on it and say yes to apply the changes to you registry .

how about a new hijack this log ,thanks

Thats not checked in mine and i get the drop down

So you have auto complete turned on ,and you don't get the dropdown in the search field ,when you type something.?
What search engin do you use or do you mean all dropt down fields

IE,tools /internet options /content/auto complete,you chose and clear fields here ,I think this is what you are refering to.

In Windows Explorer (not Internet Explorer):

In the top menu bar, go to Tools->Folder Options..., File Types. Select ZIP from the list of registered filetypes and then click Advanced.

That will only help with how winxp handles zip file not how IE handles them .
Im not sure what you need to do about the problem ,have you tried emptying the temp internet files folder ,and then try downloading a zip file .Make sure you are selecting save and not open !

You can open your internet opyions when you IE in the 'tools' section

Actually that will wipe some stuff from the computer,internet releated stuff ,But it will not wipe the computer clean!

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Download 'Hijack This!'.HERE

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe , Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

reboot computer and post a new hijackthis log

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

Then do this .

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

Reboot and post fresh hijackthislog

Great !Your welcome

What is you home page now!!I just noticed i errored in leaving this[R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
] in the list of things to fix .you could restore with hijackthis or maybe just reset you home page in tools/internet options in IE.!sorry .

just found this topic on a simular problem .
http://forums.computeractive.co.uk/thread.jsp?forum=5&thread=27171

Leave system restore then,until we find out for sure that this means the file is in you system restore[C:\SystemVolumeInformation\-restore{1DF014E9-2A7G4277-BD8A-14E12CE58FD5}\RP85\A0024173.dll ] if that trojan is in you restore the next time you restore you computer to an earlier date you will infect your computer with the trojan ,if that is where its at!!

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\System32\dp-him.exe... delete file

C:\WINDOWS\sysupd.exe ... delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

Sorry i don't know what they mean !

what does it mean when I keep getting
PAGE CANNOT BE DISPLAYED???

When are you getting this message .Every page or certain ones

I do believe that ,that shows it in you system restore, therefor you will need to disable system restore and then reboot and when you system is clean turn it back on .

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

I think this site would help people alot, if people read it, It could help them understand just what the log is all about,I still have to check it ,my memory is really bad !.

http://www.spywareinfo.com/~merijn/htlogtutorial.html

Have Hijack This fix the following by placing a check in the

appropriate boxes and selecting fix checked. Make sure all

browser and all Windows Explorer windows are closed before

fixing.

R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O4 - HKLM\..\Run: [updmgr]C:\Program Files\Common files\updmgr\updmgr.exe

This is not malware but recommended fix ,resource hog.
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Now reboot into safe mode and delete the following files and

folders if found .

C:\Program Files\Common files\updmgr ... delete folder

to delete the above files and folder you will need to do the

following
go to
Show

hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start

computer in safe mode

reboot computer and post a new log

OKIE DOKIE I did every virus scan I could do... No virus's.....
I still keep getting a box that says I have a virus called trojan horse downloader comet B... What could that be?????

If you followed my instruction ,the last part was to post a fresh hijacklog .!!please do so .thanks.
Also Trojans are not viruses so you need a trojan scanner to find them ,You can get a demo one here .
http://tds.diamondcs.com.au/

Hey Caperjack, that it actually where my *How you got infected* link in my Sig points to. :)

I know I see it there ,Just because you have it in you signature doesn't mean anyone is going to read it,I was just making sure that they READ IT! I have spybot and all those other programs in my sign and still have to tell people to download the and use them .!:)

if it yahoo don't fix this on sorry ,put it in by mistake .

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

Not sure what you want for you start page and search page ,if its Yahoo for start page and goolgle for search then fix theses also.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...er=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [ulcncz] C:\WINDOWS\ulcncz.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/143c19c...ip/RdxIE601.cab

Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\ulcncz.exe delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

You shouls also try and unistall this via the add and remove programs in control panel if it there .
"C:\Program Files\webHancer\

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {631D8B8A-D7A4-4088-B71B-A7EB00BCF749} - C:\WINDOWS\quqfi.dll

O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int113779.exe -auto

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\Run: [kczfaekh] C:\WINDOWS\hnyr.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [hcivyalrcgvqc] C:\WINDOWS\System32\ttwpqval.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mp3.cab

Now reboot into safe mode and delete the following files and folders if found .

C:\Program Files\websx ... delete folder

C:\WINDOWS\hnyr.exe ... delete file

C:\WINDOWS\System32\ttwpqval.exe ... delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

A goolgle search of navmgrd.exe ,show these , http://www.google.com/search?sourceid=navclient-menuext&ie=UTF-8&oe=UTF-8&q=navmgrd%2Eexe ,

This is a good site to help with what processes are needed and what ones are not .
http://www.blackviper.com/

also If you want post a fresh log I'll see if I can find the time to have a look later today.

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following: come back with a new hijackthis log and I'll help you get rid of whats left

You have a worm or two so start with the free online virus scans in my signature ,and then run these programs if you all ready haven't.

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

reboot computer and post a new log

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

check this hijackthis tutorial,it will help you decide what you want to remove .
http://www.spywareinfo.com/~merijn/htlogtutorial.html

I would first try safe mode and see if the Admin account has a password ,some time people just password the account with there name on it ,and don't even know there is a admin account in safe mode .If this is the case and you can get into safe mode go to users in control panel and create a new password to your account .

Start with this free online antivirus scan, check oo auto fix ,before scan .

http://housecall.trendmicro.com/housecall/start_corp.asp

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

reboot computer and post a new log

I will still say virus ,did you run a full virus scan,check out the free ones in my signature ,