| View previous topic :: View next topic |
| Author |
Message |
twizzler
Cadet
Joined: May 30, 2004
Posts: 3
Location: USA
|
 Posted: Sun May 30, 2004 4:33 am Post subject: ie homepage is set to http://213.159.117.132/index.php |
|
|
my homepage is set to http://213.159.117.132/index.php.
the main title is cool web search. i tried deleting the registry
files manually and by hijackthis and it reappeared every time.
i ran CWShredder and it did not find anything.
im not sure what to do next, here is my hijackthis log.
any help would be appreciated
Logfile of HijackThis v1.97.7
Scan saved at 2:55:28 AM, on 5/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSUPD.EXE
C:\WINDOWS\DL.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\CONNECTIONMANAGER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\NEW FOLDER (2)\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000000-5eb9-11d5-9d45-009027c14662} - C:\WINDOWS\SYSTEM\IEHELPER.DLL
O2 - BHO: (no name) - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\PROGRAM FILES\E2G\IEBHOS.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD.EXE
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [SaveNow] C:\Program Files\SaveNow\SaveNow.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] \ConnectionManager.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://63.217.31.12/dial/FreeVideoDownload.exe |
|
| Back to top |
|
 |
thajes
Warnings : 1
Trooper
Joined: May 27, 2004
Posts: 13
Location: Belgium
|
| Posted: Sun May 30, 2004 6:56 am Post subject: |
|
|
check this topic out:
http://computercops.biz/postt44951.html
You will probably have to delete a file named system32.dll and another depending on what kinda hijack you got: system.exe |
|
| Back to top |
|
|
Marckie
1st Responder
Joined: Mar 09, 2004
Posts: 805
Location: Belgium
|
| Posted: Sun May 30, 2004 7:19 am Post subject: |
|
|
Hi twizzler,
Download CWShredder.
Run the program, select the fix button. Follow the instructions as prompted. Then reboot your computer once CWShredder is finished.
Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
After installing Ad-Aware, and before running the program, first update the reference file following these instructions.
On the main screen, it will show you the currently installed reference file. Click 'Check for Updates Now' to see if a new reference file is available.
If no new reference file is available, it will state that 'No updated components available.' You are running the latest available reference file.
If a new reference file is available, it will present the build information, along with the date it was created. Click OK to download the new reference file. Once complete, click Finish. You will then be running the latest reference file.
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.
Run HijackThis again and post a new log please.
Regards,
Marc
_________________
Dutch info about spyware |
|
| Back to top |
|
|
thajes
Warnings : 1
Trooper
Joined: May 27, 2004
Posts: 13
Location: Belgium
|
| Posted: Sun May 30, 2004 10:42 am Post subject: |
|
|
Do these people even reed the POSTS other people write, he already tried CWShredder...
And I already found the cure to this problem:
http://computercops.biz/postt44951.html
DELETE SYSTEM32.DLL AND SYSTEM.EXE FROM YOUR WINDIR!
greetz |
|
| Back to top |
|
|
Marckie
1st Responder
Joined: Mar 09, 2004
Posts: 805
Location: Belgium
|
| Posted: Sun May 30, 2004 11:01 am Post subject: |
|
|
Nice job thajes...
but don't begin to shout, don't get angry...we only try to help.
You gave the topicstarter a solution for his problem and I hope this works...
I missed your post for some reason, but being redirected to 213.159.117.132 looks like a coolwebsearch-infection.
I thought the TS maybe uses a version of CWSHredder which is not updated...
That's the reason why...
But calm down a bit please..
Ok?
Marckie
_________________
Dutch info about spyware |
|
| Back to top |
|
|
thajes
Warnings : 1
Trooper
Joined: May 27, 2004
Posts: 13
Location: Belgium
|
| Posted: Sun May 30, 2004 5:45 pm Post subject: |
|
|
Ok
Very well, didn't mean to sound so harsh, guess I was a little grumpy back there
cheers |
|
| Back to top |
|
|
twizzler
Cadet
Joined: May 30, 2004
Posts: 3
Location: USA
|
| Posted: Mon May 31, 2004 12:42 am Post subject: |
|
|
i want to thank you two great people
out there. i fixed it by deleting the two
files in safemode, but am going to learn
this Ad-Aware 6 you have shown me.
thanks alot again
Twizzler |
|
| Back to top |
|
|
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
|
| Posted: Mon May 31, 2004 2:36 am Post subject: |
|
|
Hello twizzler,
Contrary to what you were told you have a little more to do to remove another remnant of this hijack. The files are gone and that is good. But let's clean out the registry key which loaded the dll in question as well.
Copy the contents of the Quote Box to notepad. Name as clear.reg
Double click on clear.reg to enter into the registry.
Save the type all files.
| Quote: |
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=- |
You had other entries in your log which needed attention. You have much more to do here.
Please finish the instructions you were given by to use Ad-Aware.
Run HijackThis again and post the new log in your next reply in this same topic. CoolWebSearch is only one of your problems.
Mosaic1
|
|
| Back to top |
|
|
JayinTX
Cadet
Joined: Jun 01, 2004
Posts: 1
Location: USA
|
| Posted: Tue Jun 01, 2004 4:00 am Post subject: Same Problem |
|
|
Do a search for loader.jar in safemode. Then delete it. I did all of the following in this thread before I found this. |
|
| Back to top |
|
|
twizzler
Cadet
Joined: May 30, 2004
Posts: 3
Location: USA
|
| Posted: Wed Jun 02, 2004 10:51 pm Post subject: |
|
|
sorry it took me so long to reply
to Mosaic1
i saved your quote box to clear.reg. when i double clicked on it, it says "the specified file is not a registry script. you can import only registry files" is there a specific place to have the file? i tried it also in safe mode.
i could not find the loader.jar file
to Marckie
dumb question => i downloaded ad aware6 when you told me to check an option, does that mean that it is supposed to have a check mark beside it or and x.
heres my log
Logfile of HijackThis v1.97.7
Scan saved at 9:41:21 PM, on 6/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\CONNECTIONMANAGER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\PLUS!\PINBALL\PINBALL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\NEW FOLDER (2)\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD.EXE
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] \ConnectionManager.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
thanks for your time
Twizzler |
|
| Back to top |
|
|
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
|
| Posted: Wed Jun 02, 2004 11:24 pm Post subject: |
|
|
Twizzler,
I see the problem with the registry file. I gave you the wrong version. You run Win Me. Here it is for you.
| Quote: |
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=- |
Download CopyLock from this link:
http://www.soft32.com/download_8644.html
Double click on it to run.
Check these two boxes:
Show Source paths
Allow Downgrade
Click the Add Button
>Files To Replace
A dialog will appear. Guide it to
C:\WINDOWS\sysupd.exe
select sysupd.exe
Click the add Button on the right side of the dialog.
Go back to the main CopyLock window and click the APPLY button.
Wait for the message to see if the removal succeeded.
--------------------------
Close All Internet Explorer and Windows Explorer Windows. Select the following items and press Fix checked:
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
-----------------
Restart.
Empty the recycle bin.
Delete this file:
C:\WINDOWS\dlm.exe
Run hijackthis again and post you new log here.
|
|
| Back to top |
|
|
twizzler
Cadet
Joined: May 30, 2004
Posts: 3
Location: USA
|
| Posted: Wed Jun 02, 2004 11:54 pm Post subject: |
|
|
| i downloaded the copylock program but when i double click on it a choose program dialog comes up. what program do i pick. |
|
| Back to top |
|
|
twizzler
Cadet
Joined: May 30, 2004
Posts: 3
Location: USA
|
| Posted: Wed Jun 02, 2004 11:55 pm Post subject: |
|
|
| i downloaded the copylock program but achoose program dialog box comes up. which program do i choose to run it |
|
| Back to top |
|
|
twizzler
Cadet
Joined: May 30, 2004
Posts: 3
Location: USA
|
| Posted: Wed Jun 02, 2004 11:56 pm Post subject: |
|
|
| i downloaded the copylock program but achoose program dialog box comes up. which program do i choose to run it |
|
| Back to top |
|
|
twizzler
Cadet
Joined: May 30, 2004
Posts: 3
Location: USA
|
| Posted: Wed Jun 02, 2004 11:57 pm Post subject: |
|
|
| i downloaded the copylock program but achoose program dialog box comes up. which program do i choose to run it |
|
| Back to top |
|
|
|
|
You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0.
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
