Websearchtv demons HJT text version

Status
Not open for further replies.

-Cult-

Posts: 11   +0
The websearchtv malware, as I believe it is, has decided to play hide and go pop up with my PC. So obviously I'm getting random popups every few minutes, which is death when you're playing an FPS. I ran HJT and logged it; the attachment is below.

If anyone could please tell me what's the problem here I would be very grateful.

Thank you.

-W

P.S. just updated the HJT log after running full system scan with adaware, also ran spybot s&d.
 
Try running scans with Ewido, Ad-Aware, and Spybot first. Your log file is so laden with spyware that I've given up looking for legitimate files and processes.
 
Hello and welcome to Techspot.

First. Go and have your computer scanned HERE

Then. Go and read both these threads by RBS. Follow all the instructions exactly.

How to remove Trojans and its ilk! and How to remove Begin2search / coolwebsearch and other nasties.

Then see. How to post your Hijackthis log-file as an ATTACHMENT.

Please edit your post, and remove the HJT.doc attachment. I won't open a .doc because of the risk of infection.

HJT logs should be attached with a .txt extension.

Regards Howard :wave: :wave:
 
I tried to use the site you listed above, it failed to complete twice. I corrected the HJT log and put it into txt format. Just ran adaware and spybot before I ran hjt, so the log is about as clean as I can get it. I read the forums you listed and I think I just ended up getting more confused heh, if you get the time please read over it. Thanks in advance.

-W
 
Just did HJT again and saved the file immediately afterwards. If this isn't "fresh" or whatever you referred to it as before, please explain how it isn't correct. Once again, thank you in advance.
 
Boot into safe mode, and turn off system restore.

Go into add remove programmes in your control panel, and uninstall anything to do with these programmes (if still there)

C:\Program Files\Qxxi\Xvdblcc.exe

C:\Program Files\E2G\IeBHOs.dll

Open your task manager, and click on the processes tab. Select, and end process for the following (if there)

igps.exe
pgws.exe
ipresh.exe
esh_32.exe
Xvdblcc.exe
msupd6.exe

Then, run HJT with no other programme open, and let HJT fix the following (if there)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/

O2 - BHO: (no name) - {08E9E33E-8C26-4295-422D-2DEA2E0AE98C} - C:\WINDOWS\system32\npcwaatv.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O2 - BHO: (no name) - {740C2137-112A-327F-FE3E-2E653682D1B5} - C:\WINDOWS\system32\mniscseo.dll (file missing)
O2 - BHO: (no name) - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - (no file)
O2 - BHO: (no name) - {A657A4E7-FEBE-3718-7FB0-10E00102D71C} - C:\WINDOWS\system32\gjfepwmc.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg_1ca2.dll"

O4 - HKLM\..\Run: [Tzlrsmmw] C:\Program Files\Qxxi\Xvdblcc.exe

O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0wao0o9s.dll] RUNDLL32.EXE 0wao0o9s.dll,b 1416234
O4 - HKLM\..\RunOnce: [1] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Baine\LOCALS~1\Temp\AcsUninstall.exe"
O4 - HKLM\..\RunOnce: [2] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Baine\LOCALS~1\Temp\AcsUninstallRes.dll"
O4 - HKLM\..\RunOnce: [3] C:\WINDOWS\system32\cmd.exe /c erase "C:\DOCUME~1\Baine\LOCALS~1\Temp\shfolder.dll"
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s

O4 - HKCU\..\Run: [ipresh] C:\WINDOWS\system32\ipresh.exe

O4 - HKCU\..\RunOnce: [ipresh] C:\WINDOWS\system32\ipresh.exe

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

Fix all O16 DPF entries.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: cjjicjhastnx (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)

Close HJT.

Now click start/run, and type services.msc into the run box, and press the enter key.

When the window opens, maximise it, and look for the above O23 service.

Double click it, and if it's running click on stop. Set the startup type to disabled. Click apply/ok and close the window.

Now delete the following bold files (if there)

C:\Program Files\Qxxi\Xvdblcc.exe

C:\WINDOWS\system32\npcwaatv.dll

C:\Program Files\E2G\IeBHOs.dll

C:\WINDOWS\system32\mniscseo.dll

C:\WINDOWS\system32\gjfepwmc.dll

C:\WINDOWS\system32\sfg_1ca2.dll

C:\Program Files\Qxxi\Xvdblcc.exe

C:\WINDOWS\system32\igps.exe

C:\WINDOWS\system32\msupd6.exe

Empty all temporary folders for your user name. Empty all internet temp folders, and cookies.

Reboot into normal mode, and turn system restore back on.

Regards Howard :)
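
The fix list above mixes three kinds of entry: ones whose file was still present when the log was taken, ones HJT marks "(file missing)" or "(no file)", and autoruns that give only a bare file name. As an added example that is not part of the original thread, this sketch parses O2/O4/O23-style lines and sorts them that way; the sample lines are copied from the post, while the names `Entry`, `parse` and `triage` are hypothetical.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section kind name path missing")

# Lines copied from the fix list in the post above.
SAMPLE = r"""
O2 - BHO: (no name) - {08E9E33E-8C26-4295-422D-2DEA2E0AE98C} - C:\WINDOWS\system32\npcwaatv.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg_1ca2.dll"
O4 - HKLM\..\Run: [Tzlrsmmw] C:\Program Files\Qxxi\Xvdblcc.exe
O4 - HKLM\..\Run: [0wao0o9s.dll] RUNDLL32.EXE 0wao0o9s.dll,b 1416234
O23 - Service: cjjicjhastnx (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe (file missing)
"""

LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                # "O4 - <rest>"
RUN = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.*)$")  # autorun key, [name], command
PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|\r\n]+?\.(?:exe|dll)\b', re.I)

def parse(log):
    """Turn HJT log text into Entry tuples; lines that are not entries are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        missing = rest.endswith(("(file missing)", "(no file)"))
        run = RUN.match(rest)
        if run:                      # O4 autorun: key, value name, command line
            kind, name, target = run.groups()
        else:                        # O2/O23 style: "Kind: name - ... - path"
            kind, sep, target = rest.partition(": ")
            if not sep:
                kind, target = "", rest
            name = target.split(" - ")[0]
        hit = PATH.search(target)    # first absolute .exe/.dll path, if any
        entries.append(Entry(section, kind, name, hit.group(0) if hit else None, missing))
    return entries

def triage(entries):
    """Split entries by the follow-up each needs once HJT has fixed the entry itself."""
    groups = {"file_on_disk": [], "orphaned_entry": [], "unresolved": []}
    for e in entries:
        key = "orphaned_entry" if e.missing else "file_on_disk" if e.path else "unresolved"
        groups[key].append(e)
    return groups

if __name__ == "__main__":
    for key, items in triage(parse(SAMPLE)).items():
        print(key, [(e.section, e.name, e.path) for e in items])
```

Entries in `unresolved`, such as the RUNDLL32 autorun here, carry no absolute path in the log, so the file has to be located by hand before it can be checked or removed.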
 