
Back again with MS error that reverts to home page over and over


  • This topic is locked
9 replies to this topic

#1 Rotobo


Posted 10 February 2006 - 09:03 PM

Took it to a shop and got rid of Andrelinks but part of it must still be on my PC. When I try to go to Yahoo or Bellsouth it reverts me back to my homepage which is Yahoo and then I automatically get the error which makes a complete cycle over and over. If I didn't have this site bookmarked I would never get here trying on a search engine.
Could someone take a quick look at my HJT log?
I was here the 27th but never got a response until the 5th and my PC was in the shop then.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 9:51:40 PM, on 2/11/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCIOMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPFW.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\DW15.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\01Q3SHI7\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {BBE9C7B5-DC34-11D8-92C7-44453C2116AC} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - (no file)
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765728274} - blank (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for x@ñeÏ…jc ª}cˆ@ñeT`}c: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -


#2 shelf life


Posted 17 February 2006 - 04:05 PM

hi Rotobo,

"and then I automatically get the error"

what is the error you keep getting?

also you are running hjt out of a temp dir. could you move it into its own folder?
----------------------------------------
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {BBE9C7B5-DC34-11D8-92C7-44453C2116AC} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - blank (file missing)
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765728274} - blank (file missing)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
----------------------------------------------
next do this:

start>settings>Control Panel> click the Internet options icon

Next:

Click on Delete Cookies.

Click on Delete Files, Make sure Delete all offline content is checked and then click on OK


Then click on Settings, then click on View Files. If there is anything in there, delete it.
(edit>select all--- then file>delete)

Then at the top in the address bar, at the end where it says:

\Temporary Internet Files

change it to \Temp then hit enter and delete what you can in there.

last: under the programs tab click ->RESET WEB SETTINGS

see if that helps any..........shelf life
How Can I Reduce My Risk?

#3 Rotobo


Posted 17 February 2006 - 07:27 PM

HEY thanks a bunch, it's doing lots better. The error file disappeared when I deleted Macromedia.
It was the Msvcrt.dll file and since deleting I saw (I think on Spywarrior) that Macromedia was
good at loading spyware along with their files.
I did what you asked except one BHO file, I have another BHO file that's listing "no file".
This file was missing or had been changed since last HJT log.
2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - blank
Also on the final Temporary folder where I shortened to Temp in the address bar the file DF8A7D.tmp would not delete.
I'll send another HJT log for a quick looksee.

Logfile of HijackThis v1.99.1
Scan saved at 8:21:05 PM, on 2/18/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPFW.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPROXY.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJTEXE\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - (no file)
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\BellSouth\hcenter.exe /starthidden /tgcmdwrapper
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for x@ñeÏ…jc ª}cˆ@ñeT`}c: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -

Edited by Rotobo, 17 February 2006 - 07:31 PM.


#4 shelf life


Posted 18 February 2006 - 05:28 PM

hi Rotobo,

that last log looks good. don't worry about that temp file that wouldn't delete.

there are two apps (free) that will among other things cleanup temp. dir, or just do it like you did once in a while.

http://www.stevengou...ftware/cleanup/

http://www.ccleaner.com/
How Can I Reduce My Risk?
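
Added example, not part of the original thread and not HijackThis's own code: a small Python triage over HijackThis log lines that lists O2 entries with no backing file and unnamed O16 entries with no source, then shows which entries a second scan no longer contains. The function names are hypothetical, the sample lines are copied from the two logs above, and the matching rules are an assumed review heuristic, not the helper's decision process.

```python
import re

# Constructed samples: a few lines copied from the first and second logs in this thread.
BEFORE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - blank (file missing)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - (no file)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
"""
AFTER = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - (no file)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
"""

LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")   # "O2 - BHO: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                 # {8-4-4-4-12}

def parse(log):
    """Map (section code, CLSID or full body) -> body for each R*/O* line."""
    entries = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        clsid = CLSID.search(m["body"])
        key = (m["code"], clsid[0].upper() if clsid else m["body"])
        entries[key] = m["body"]
    return entries

def orphaned(entries):
    """O2 entries whose DLL is gone, and O16 entries with neither name nor source."""
    hits = []
    for (code, ident), body in entries.items():
        no_file = code == "O2" and re.search(r"\((no file|file missing)\)$", body)
        bare_dpf = code == "O16" and re.fullmatch(r"DPF: \{[^}]+\} -", body)
        if no_file or bare_dpf:
            hits.append((code, ident))
    return hits

def removed(before, after):
    """Entries present in the first scan and absent from the second."""
    return sorted(set(before) - set(after))

if __name__ == "__main__":
    print("review:", orphaned(parse(BEFORE)))
    print("gone after fix:", removed(parse(BEFORE), parse(AFTER)))
```

An entry listed by `orphaned` is a candidate for review, not a verdict: the Yahoo! Companion BHO matches the rule in both scans and was not among the items selected for fixing in this thread.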

#5 Rotobo


Posted 18 February 2006 - 06:29 PM

Thanks a bunch, I've had a time with this rig. One other thing I'm concerned about before we close the case. I have a pop-up with the warning "unknown user 192.168.1.254...........00:of:db:85:92:95" and I'm not sure how to stop it. I click the "do not trust" (trend micro) and in a few minutes it's back again. Any ideas? I have a single PC, no other PC or operators. I want to thank you again. A person has to browse here for a couple of days in order to understand how much you guys help. For what it's worth I want you to know (the pop up just came on again) I did a donation on the first trip. I'm kinda hooked on watching you guys operate. Hang in there, I won't reply and bother you again if you don't have any info on the unknown PC. Thanks again. THIS SITE ROCKS!

#6 shelf life


Posted 19 February 2006 - 03:44 PM

hi Rotobo, glad to help. that popup warning, sounds like it's coming from a firewall. do you have a router, or are you connected directly to a modem?
How Can I Reduce My Risk?

#7 Booth


Posted 19 February 2006 - 06:55 PM

Hi Shelf, I have DSL. The pop up is coming from the trend micro firewall. I put the unknown PC on the exception list to deny but it still keeps popping up and saying I have an unknown PC on my system. It's a pop up with an option to "trust" or "do not trust" and of course I push the do not trust but this seems to do nothing. It also has a properties button and that's where I put it on the deny list. I can set the time on the warning so it will pop up at longer intervals but if it's on my PC I would like to stop it permanently. I was going to contact the vendor but I'm having a time with the registration as the shop I had it to last, he installed it and I can't contact them to see whose name the Virus program is in and I need the info..........that's why I mentioned it to you, hoping you would know how to limit access to this "unknown" PC. I know this is a vendor/user problem and I'll continue trying to contact the PC shop for registration info, I appreciate all you have done for me, the internet is a tough place to play in these days. It's sad that it's coming to this. BUT IT'S GOOD TO HAVE YOU FOLKS HERE. I look at this site as the Super Heroes of the internet. That's not a joke. You can close this thread and mark it a success. The clean up really helped. God bless. Thanks Rodney

#8 shelf life


Posted 20 February 2006 - 05:21 PM

hi Rotobo or Booth now? thanks, glad to help out. look, that popup msg, that ip is an internal address (192.168.1.254). is your firewall set up properly? it's not like someone is trying to get into your computer as those ips are for private networks. they're not routable from the internet.
How Can I Reduce My Risk?

#9 Rotobo


Posted 20 February 2006 - 06:56 PM

Shelf, don't know why it used my Coyote sign in name one time and then my Coyote ID the next. I think it's because I'm replying via my email message and it's using my sign in name. Thanks for the info on the "unknown". I can put up with the pop up as long as it's not a hijacker. I can set it to one hour on repeats until I contact "support". I'll let you close this issue cause I know you're very busy. Until we meet again......... Thank you. Rodney

#10 shelf life


Posted 20 April 2006 - 06:37 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
How Can I Reduce My Risk?
