Help with cxtpls please (hijackthis log posted)

By miniboot
Feb 10, 2005
Topic Status:
Not open for further replies.
  1. I've cleaned this old Win ME system countless times over the past few weeks, but a few days after I clean it, the spyware comes back. The two culprits are 'autoupdate' and 'cxtpls'. I think (hope) the reason they were coming back is that I didn't turn off system restore, so hopefully now I'm clean as I turned it off before running adaware this time. I've also just installed all the Windows Updates.

    Here's my logfile, please let me know if there's anything I've missed.

    Thanks for your help


  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    You are not clean by a long way!
    And I am not sure if I should help you at all! You don't even have any Antivirus or Antispyware on that PC!
    Makes me wonder how you got away with that.

    Download and install Adaware and Spybot from the links in this post: http://www.techspot.com/vb/topic17297.html
    Install an Antivirus program. A good free one is e.g. AVG from www.grisoft.com
    Once installed, update all those programs regularly, so you always have the latest definitions.


    Boot in Safe Mode
    Switch Off System Restore

    My advice: UNinstall all those toolbars! You got Google, MSN, Yahoo, why? All they do is clutter your PC.

    Press ctrl/alt/del and in Task Manager try to STOP:
    LOADQM.EXE
    WINAMPA.EXE
    IR5OLE32.EXE
    IOSIL400.EXE
    CP32NBTN.EXE

    Next, try to UNinstall anything to do with:
    C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE

    Next, run Hijackthis on its own and let it 'fix' (if still there):
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\IR5OLE32.EXE
    C:\WINDOWS\SYSTEM\IOSIL400.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.120.75.136:80
    O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [rs8V36X] IR5OLE32.EXE
    O4 - HKCU\..\Run: [aBr9RWbmX] IOSIL400.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://welcome.hp.com/country/uk/eng/welcome.htm
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Clean your Temp directory, your temp. internet files, all your cookies etc.
    Boot back in normal.
    If all is OK, switch on System Restore if you like.
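
An added example, not part of the original post: a small Python parser that turns HijackThis-style lines like those listed above into structured records for review. The two review notes (autostart command without a directory, proxy setting present) are heuristics assumed for this illustration, not rules stated in the thread.

```python
import re

# Constructed sample: a few lines copied from the list in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.120.75.136:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [aBr9RWbmX] IOSIL400.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

# One pattern per section: R0-R3 (IE settings), O4 (Run keys), O16 (downloaded ActiveX).
PATTERNS = [
    re.compile(r"^(?P<sec>R[0-3]) - (?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$"),
    re.compile(r"^(?P<sec>O4) - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<data>.+)$"),
    re.compile(r"^(?P<sec>O16) - DPF: (?P<key>\{[0-9A-Fa-f-]+\})"
               r"(?: \((?P<name>[^)]*)\))? - (?P<data>\S+)$"),
]

def parse_line(line):
    """Return a dict with sec/key/name/data, or None for unrecognised lines."""
    line = line.strip()
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            return m.groupdict()
    return None

def review_notes(entry):
    """Assumed heuristics: points a reviewer may want to look at first."""
    notes = []
    if entry["sec"] == "O4" and "\\" not in entry["data"]:
        notes.append("autostart command has no directory; resolved via the search path")
    if entry["sec"].startswith("R") and entry["name"] == "ProxyServer":
        notes.append("browser proxy set to " + entry["data"])
    return notes

def triage(text):
    """Parse every recognised line and attach its review notes."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [(e["sec"], e["name"], review_notes(e)) for e in parsed if e]

if __name__ == "__main__":
    for sec, name, notes in triage(SAMPLE):
        print(sec, name, "; ".join(notes) or "-")
```
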
  3. miniboot

    miniboot Newcomer, in training Topic Starter

    Thanks very much RealBlackStuff. I installed McAfee, ran AdAware, Spybot, and didn't find any of the files you emboldened above. I did read through your other topic, however (topic17297.html) and saw that you recommend to fix a lot more than you told me to fix in this post (i.e. all the O4 - HKLM...\Run processes). Should I also fix all of them, or is that just for users who are having the coolwebsearch problem?

    Thanks

    - Andrew
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    If you read that post again, you saw:
    Fix ANY of these O2, O3 and O4, they are guaranteed BAD, whack them: :knock:

    I will change that to have the specifics directly before the numbers O2, O3 and O4.
    The programs in there are ALL known evil-doers. My text should perhaps read: If you have any of these, fix them.
    I will change that asap, but the problem is the size-limitation of the post (max 10'000 char.); that's why I had to 'skimp' on full lines.