Twink64.exe

Status
Not open for further replies.
Twink64...Again

Hi again. I posted a Hijackthis log back on 12/13/04 and have not had any help with my problem. I have read past posts and have seen how so many people were helped here but there hasn't been a single response to my request. Can't anyone help me here?

Thanks for everything.
 
Rugrat

With so many posts from so many people all in one thread it is easy for one to go amiss.

If your HJT is still current go here first
How to remove Begin2Search / Coolwebsearch
and follow the instructions EXACTLY

When you have done all that, boot in Safe Mode:

Uninstall anything to do with (if still there):
C:\Program Files\NetZero\
C:\WINDOWS\system32\dla\
C:\Program Files\NetZero

Then run HJT on its own and let it "fix":
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\?hkdsk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {4222D7FD-1608-46A8-B892-ED2B7DD4ACC5} - C:\WINDOWS\System32\fkccc.dll (file missing)
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [Pnemliu] C:\WINDOWS\System32\?hkdsk.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com

When done, DELETE anything in these directories, including the directory itself (if still there):
C:\Program Files\NetZero\
C:\WINDOWS\system32\dla\

If you want a downloader, go to www.stardownloader.com and d/l Stardownloader. It is virus- and ad-free AND free.
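For readers triaging a HijackThis log like the one in this reply, the following is an added example (not part of the original thread and not the helper's own tooling). It splits log lines into section code and details, lists entries that HijackThis marks as pointing to a missing file, and breaks O4 autorun lines into key, value name and command. The function names are assumptions made for this sketch.

```python
import re
from collections import Counter

# Lines copied from the HijackThis log quoted in the reply above, plus one
# line of ordinary prose to show that non-log text is skipped.
SAMPLE_LOG = r"""
Then run HJT on its own and let it "fix":
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4222D7FD-1608-46A8-B892-ED2B7DD4ACC5} - C:\WINDOWS\System32\fkccc.dll (file missing)
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [Pnemliu] C:\WINDOWS\System32\?hkdsk.exe
O15 - Trusted Zone: *.windupdates.com
"""

# A log entry is "<section code> - <details>", for example "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry autoruns: abbreviated key, value name in brackets, then the command.
AUTORUN_RE = re.compile(
    r"^(?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
# Markers HijackThis appends when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

def parse_log(text):
    """Return (code, body) tuples for every line that looks like a log entry."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match["code"], match["body"]))
    return entries

def orphaned(entries):
    """Entries whose target file is reported absent (leftover registry data)."""
    return [(code, body) for code, body in entries if body.endswith(ORPHAN_MARKERS)]

def autoruns(entries):
    """O4 registry autoruns as dicts with 'key', 'name' and 'command'."""
    matches = (AUTORUN_RE.match(body) for code, body in entries if code == "O4")
    return [m.groupdict() for m in matches if m]

def section_counts(entries):
    """How many entries fall under each section code (R3, O2, O4, ...)."""
    return Counter(code for code, _ in entries)

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    for code, body in orphaned(parsed):
        print("orphaned:", code, body)
    for run in autoruns(parsed):
        print("autorun:", run["key"], run["name"], "->", run["command"])
```
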
 
Thank you

Thank you so much for guiding me in what to do. I wasn't watching too much over the holidays because I had another machine I could use, but I really appreciate your response, better late than never! I understand the whole "so many posts" issue so want you to know how much I really do appreciate your help. I will follow all your instructions and let you know the results.
Thanks again!
 
Dear Black!! I have this problem too... can you help me look at my hijack file!!

Please help me...
I have attached my hijack log.

MANY THANKS!!!
 
Oh no!!!

As you can see I thought my system was ok... but after 2 days of normal operation.... my system faced the same problems of popups again!!!

Please help me check my logfile.... Many thanks to those who can help me!!!
 
Francis

You really should install SP4 and then do all the around 30 updates available on MS-update website!

Go to my post here first and follow the instructions EXACTLY
How to remove Begin2Search / Coolwebsearch

The following instructions may not all apply anymore, if Adaware and Spybot have eliminated them already.
In case not:

Reboot in Safe Mode

If you can, uninstall anything to do with:
C:\Program Files\ISTsvc\istsvc.exe

Press Ctrl/Alt/Del, select Task Manager, Process tab.
Try to Stop all these first (and delete them after HJT has run):

frxhser.exe
frxhapp.exe
intrenat.exe
rlmksem.exe
winsb.exe
tss.exe
internetmgr.exe
winlogon32.exe
cxib.exe


Now run HJT on its own and let it "fix":

C:\WINNT\System32\frxhser.exe
C:\WINNT\system32\frxhapp.exe
C:\WINNT\intrenat.exe
C:\WINNT\rlmksem.exe
C:\Program Files\ISTsvc\istsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imcb.a-star.edu.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.imcb.a-star.edu.sg
F0 - system.ini: Shell=explorer.exe C:\WINNT\winsb.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\winsb.exe
O2 - BHO: (no name) - {CBEFB350-ED5B-4115-B846-C1041676B388} - C:\WINNT\System32\MyIE.dll (file missing)
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [Intrenat] C:\WINNT\intrenat.exe
O4 - HKLM\..\Run: [tapisys] C:\WINNT\System32\tss.exe
O4 - HKLM\..\Run: [SystemRequred] C:\WINNT\System32\internetmgr.exe
O4 - HKLM\..\Run: [winlogon] C:\WINNT\System32\winlogon32.exe
O4 - HKLM\..\Run: [regcheck] C:\WINNT\winsb.exe
O4 - HKLM\..\Run: [1L42UN] C:\WINNT\rlmksem.exe
O4 - HKLM\..\Run: [cxib] C:\WINNT\cxib.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [Intrenat] C:\WINNT\intrenat.exe
O4 - HKCU\..\Run: [tapisys] C:\WINNT\System32\tss.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.imcb.a-star.edu.sg
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imcb.a-star.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imcb.a-star.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = imcb.a-star.edu.sg

Delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
 
Currently no problem

I have cleared using Spybot, Adaware plus XoftSpy406 to scan and manually clear. Also I have used Symantec anti virus to clear too. Plus I have used HJT to clear those files that are highlighted... Also I have searched Google on all suspicious files since the date I got this problem, and discovered some fixtool from Symantec to fix them.

And apparently the system is ok now... but I am not so sure yet... so I have posted my logfile for you to check...

Thank you very much!!
 
Francis

You did not follow the instructions!
And do NOT mix some effing Symantec cleanup with my instructions, if you know what is good for you!
Also, throw that XoftSpy406 away.

Run HJT again in Safe Mode and let it "fix" these:
C:\WINNT\System32\frxhser.exe
C:\WINNT\system32\frxhapp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imcb.a-star.edu.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.imcb.a-star.edu.sg
O14 - IERESET.INF: START_PAGE_URL=http://www.imcb.a-star.edu.sg
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imcb.a-star.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imcb.a-star.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = imcb.a-star.edu.sg

Delete the two frxhxxx.exe programs.

All you need are the programs from my thread, plus an Anti-Virus program (preferably NOT from Symantec/Norton).
 
I am having trouble with the twink

I am having a problem with that twink beast and I don't know exactly what to delete when I ran HijackThis. I want to post my log but I can't seem to change it to a .txt file. If anyone could help it would be great.

Disregard my last post, I realized how stupid a mistake I had made. Well anyway, here is my log, and if anyone could look at it and tell me what to delete, or at least some of the things, that would be great. Any help would be appreciated. Thanks.
 
Thanks, but I still have questions

I did what you said to do and it turned out that I didn't have the Cool Web Search thing. When I would run the CWShredder it would tell me that I did not have (V1/V2). Then I ran Spybot and Adaware like you said, but when I came to running HijackThis I still got those 010. I don't know why. When I ran Spybot a second time it got nothing, but yet I still had those 010. Here is my log. I am not sure why there are numerous Internet Explorer processes, seeing as I use Firefox.
Thanks for all your help, and any more would be appreciated.
 
The instructions clearly state:

HJT can NOT Fix these O10: See note below about LSPFIX
O10 - Broken Internet access because of LSP provider 'xxxx.dll' missing
O10 - Unknown file in Winsock LSP: c:\winnt\system32\xxxx.dll

Go back to my thread and do the LSPFIX. It will probably clear the IE-multiplicity.
 
Did that but still get IE multiplicity

Sorry about not seeing the LSPFIX. I must have overlooked it. I ran that and got rid of the 010. When I restarted in normal mode I still got those IE in my processes. I can end the process and it won't come back, but when I restart my computer they are back. I don't know why, but I checked msconfig and all there was was a Microsoft check for current version run. Thank you for all your help. I will post my new log to see if there is anything else. I was also wondering what version of HJT was the newest one. I will look and see if I can get it. Thanks.
 