Can somebody help me, please?
Started by Clouseau, Jul 04 2007 06:52 PM
6 replies to this topic
#1 OFFLINE
Posted 04 July 2007 - 06:52 PM
hello, i'm new here... stumbled upon your site while looking for a solution to my problem with Google... my brother came home a week ago and totally screwed up the computer, and i've eliminated as much of the problem (via Spybot Search & Destroy and about 3 other spyware detectors plus our anti-virus software) as i think i can... this one and only problem that i'm now noticing is that when i search for something with Google, when i click on one of the search results, it doesn't take me to the right place, and i have no idea what else to do to fix it...
having read a little bit on your forum here, i went and downloaded HijackThis, but i don't know where to go from there, so i've brought my log here humbly seeking your assistance... any help is much appreciated...
EDITED BY CLOUSEAU: having at long last given up on fixing this computer, we have resorted to buying a new one... it was overdue in coming, anyway, as this computer was very outdated and would not have been easily upgradeable anymore to start with... i do wanna say thank you to Andy and anyone else who tried to help... should i have problems in the future, i will definitely keep you in mind! Cheers!
#2 OFFLINE
Posted 04 July 2007 - 11:21 PM
Hi Clouseau, Welcome to the forum,
I can see this machine has had lots of different infections on it at some stage, so this is going to take a few steps to help you get it cleaned up. It may be easier for you to copy and paste this reply into Notepad and save it to your desktop, as all browser windows need to be closed when fixing items in HijackThis.
Run HijackThis and choose Do A System Scan, then place a check next to these entries:
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {688D447E-8126-1F87-DB51-15550BD17B39} - (no file)
O2 - BHO: - {EDEE5892-F9A1-4702-9F8F-0DBEADC05C35} - (no file)
O2 - BHO: (no name) - {FD1E9ECC-126D-489C-2E25-08C2B82047E9} - (no file)
O4 - HKLM\..\Run: [p76X39e] inlnt.exe
O4 - HKLM\..\Run: [sclick] C:\DOCUME~1\JASONV~1\LOCALS~1\Temp\sclick.exe
O4 - HKLM\..\Run: [bal] C:\DOCUME~1\JASONV~1\LOCALS~1\Temp\SYSMONMS.exe
O4 - HKLM\..\Run: [StUnInst] C:\DOCUME~1\JASONV~1\LOCALS~1\Temp\uinst.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavings_from_Ebates\Sy400\Tp400\scri400a.htm
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - ht*p://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - ht*p://207.188.7.150/2095b38caf52d1d66817/...ip/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - ht*p://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - ht*p://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - ht*p://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - ht*p://download.games.yahoo.com/games/web_...aploader_v6.cab
Close all open browser and other windows except for HijackThis and press the Fix Checked button
Optional Fix
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
This restriction can be set by malware to prevent you from changing settings like your homepage. It can also be set by you (using programs like Spybot Search & Destroy) to prevent malware changing your settings, or System Administrators to prevent their users changing settings. If you or a system administrator didn't set that restriction then it can be fixed using HijackThis
Next go to Start > Run > then copy and paste this command
sc delete "Windows VisFx Components"
Press OK and you will just notice the cmd screen flash on then off again, then the service will be marked for deletion.
Go back to Start > Run > then copy and paste
sc delete "WinSock Extention Manager"
Press OK and again the service will be removed.
Please then download CCleaner if you haven't already got it installed.
Download CCleaner from Here. When the download page opens, scroll down to the center download which is named (CCleaner v1.40.520 - Basic - No Toolbar 629KB), then click Download Now. Run the setup file and press Next, click I Agree on the Licence Agreement then Next again, click Install and then finally click Finish. Run CCleaner and press the Run Cleaner button to remove temp files, then exit CCleaner and reboot the PC.
After reboot download AVG Anti-Spyware
- Load AVG and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner tab at the top and then click on Complete System Scan
- AVG will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right.
- Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Finally download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/...rweb-cureit.exe
- Double-click the drweb-cureit.exe file and allow it to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, we need to change the default settings. On the Menu Bar at the top, Go to Options>Change Settings.
- Click on the Actions tab, Using the drop down menus, change each item under Objects and Malware to Report then click Apply and OK
- Next, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'No to all' if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- post the contents of the log from Dr.Web you saved previously in your next reply.
Cheers
Andy
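A first-pass triage of HijackThis entries like the ones listed in the post above, as an added example that is not part of the original thread. The function names (`triage`, `flag_entries`) and the four heuristics are assumptions of this example, not the helper's stated criteria, so an entry that passes them can still warrant removal.

```python
import re

# One HijackThis entry per line: "<section code> - <detail>".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$")
# The thread defangs URLs as "ht*p://"; accept that form as well as "http://".
URL_RE = re.compile(r"ht[t*]ps?://(?P<host>[^/\s]+)(?P<path>\S*)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# The first seven lines are copied from the fix list above; the last is constructed.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {688D447E-8126-1F87-DB51-15550BD17B39} - (no file)
O4 - HKLM\..\Run: [p76X39e] inlnt.exe
O4 - HKLM\..\Run: [sclick] C:\DOCUME~1\JASONV~1\LOCALS~1\Temp\sclick.exe
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - ht*p://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - ht*p://207.188.7.150/2095b38caf52d1d66817/...ip/RdxIE601.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - ht*p://download.games.yahoo.com/games/web_...aploader_v6.cab
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
"""

def triage(line):
    """Parse one log line; return None if it is not a HijackThis entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    section, detail = m["section"], m["detail"]
    reasons = []
    if detail.endswith("(no file)"):
        reasons.append("registry entry points at a missing file")
    run = RUN_RE.match(detail) if section == "O4" else None
    if run:
        cmd = run["cmd"]
        if "\\temp\\" in cmd.lower():
            reasons.append("autostart entry runs from a Temp directory")
        elif "\\" not in cmd:
            reasons.append("autostart entry has no path")
    url = URL_RE.search(detail) if section == "O16" else None
    if url:
        if IPV4_RE.match(url["host"]):
            reasons.append("ActiveX download from a bare IP address")
        if url["path"].lower().endswith(".exe"):
            reasons.append("ActiveX download is an .exe rather than a .cab")
    return {"section": section, "detail": detail, "reasons": reasons}

def flag_entries(log_text):
    """Return only the entries that tripped at least one heuristic."""
    results = (triage(line) for line in log_text.splitlines())
    return [r for r in results if r and r["reasons"]]

if __name__ == "__main__":
    for entry in flag_entries(SAMPLE_LOG):
        print(entry["section"], "|", "; ".join(entry["reasons"]), "|", entry["detail"])
```

The PopCapLoader line is on the helper's fix list but trips none of these checks, which is why output like this supports a manual review of the log and does not replace it.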
#3 OFFLINE
Posted 08 July 2007 - 01:24 AM
[content removed by Clouseau]
#4 OFFLINE
Posted 08 July 2007 - 01:26 AM
[content removed by Clouseau]
#5 OFFLINE
Posted 08 July 2007 - 01:27 AM
[content removed by Clouseau]
#6 OFFLINE
Posted 08 July 2007 - 07:55 PM
Hi Clouseau,
There's still a lot to do here so hopefully there will be some improvement before we are finished. We need to make sure the system is clean before looking too hard at some of the issues, in case the problems are all malware related. Regarding your mother's game, there are some games that have been removed by AVG because they are ad supported (adware) and an ActiveX entry fixed with HijackThis earlier, as that's also an adware component:
http://www.trendmicro.com/vinfo/grayware/v...E=ADW%5FPOP%2EA
http://vil.nai.com/v...nt/v_134071.htm
So this may have caused some problems with the game she uses. If that's the case and she agreed to any terms and conditions when installing the game, then it may be easier to reinstall it from their site to make sure it's not missing some files. The computer shutting down by itself, though, doesn't sound like a symptom of a missing file, but hopefully more scans will reveal if there are any problems. You could also check your power settings to make sure it's not set to shut down after a certain amount of time:
Right click the desktop > click Properties > click Screen Saver > click Power at the bottom > then check the settings for the power scheme (Turn Off Monitor / Turn Off Hard Disks / System Standby / System Hibernates ), Click Apply and OK if you make any changes
I'm not sure what could be causing the Comcast problem, especially if it's only affecting that one site and no others, but you could try their live support page here, as they may have had similar reports of that happening, or wait until the below steps are all completed and check if it's still unable to connect to that site.
Do you know what this program is? If so, could you provide a link to them so I can check it?
Quote
O23 - Service: El Paso Home Link PC Virus Check Enforcer (HLPCVCE) - Unknown owner - C:\HLPC\HLPC_Service.exe
You may want to print out these below instructions or save them to a notepad file for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://download.blee.../Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the on-screen instructions and reboot the computer when prompted. Your system may take longer than usual to load but this is normal.
Once the desktop loads please post the text that will open (report.txt) into your next reply.
Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall
Please download WebRoot SpySweeper from HERE (It's a 14 day trial):
- Click the Download now link on the right to download the program.
- Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directory as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
- Once the program is installed, it will open.
- It will prompt you to update to the latest definitions, click Yes.
- Once the definitions are installed, disconnect from the internet.
- Click Options on the left side.
- Click the Sweep Options tab.
- Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
- Click Sweep Now on the left side.
- Click the Start button.
- When it's done scanning, click the Next button.
- Make sure everything has a check next to it, then click the Next button.
- It will remove all of the items found.
- Click Session Log in the upper right corner, copy everything in that window.
- Click the Summary tab and click Finish.
- Paste the contents of the session log you copied into your next reply.
Once in the Configuration panel, click Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.
Please then post back the Uninstall list, the FixWareout log, Combofix log and SpySweeper log
Let us know if you have any problems
Thanks
#7 OFFLINE
Posted 23 August 2007 - 01:49 PM
Quote
jasonhuf has just posted a reply to a topic that you have subscribed to titled
"Can somebody help me, please?".
----------------------------------------------------------------------
The HLPCVCE service was a program we used to use here at El Paso Corp to enforce antivirus policies prior to connecting to our network. It was written internally by a former employee and is no longer used or supported. If you look in the directory there should be an uninstall program, if not there is a command line option to do the same.
Hi Jason,
I got the above through an email notification but can see it's been removed from this topic. I'm not sure which Mod removed your reply but I wanted to post and say thank you for the helpful information.
Cheers
Andy











