Help with cxtpls please (hijackthis log posted)

Status
Not open for further replies.
I've cleaned this old Win ME system countless times over the past few weeks, but a few days after I clean it, the spyware comes back. The two culprits are 'autoupdate' and 'cxtpls'. I think (hope) the reason they were coming back is that I didn't turn off system restore, so hopefully now I'm clean as I turned it off before running adaware this time. I've also just installed all the Windows Updates.

Here's my logfile, please let me know if there's anything I've missed.

Thanks for your help
 

Attachments

  • hijackthis.txt
    7.1 KB · Views: 8
You are not clean by a long way!
And I am not sure if I should help you at all! You don't even have any Antivirus or Antispyware on that PC!
Makes me wonder how you got away with that.

Download and install Adaware and Spybot from the links in this post: https://www.techspot.com/vb/topic17297.html
Install an Antivirus program. A good free one is e.g. AVG from www.grisoft.com
Once installed, update all those programs regularly, so you always have the latest definitions.


Boot in Safe Mode
Switch Off System Restore

My advice: UNinstall all those toolbars! You got Google, MSN, Yahoo, why? All they do is clutter your PC.

Press ctrl/alt/del and in Taskmanager try to STOP:
LOADQM.EXE
WINAMPA.EXE
IR5OLE32.EXE
IOSIL400.EXE
CP32NBTN.EXE

Next, try to UNinstall anything to do with:
C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE

Next, run Hijackthis on its own and let it 'fix' (if still there):
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\IR5OLE32.EXE
C:\WINDOWS\SYSTEM\IOSIL400.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.120.75.136:80
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [rs8V36X] IR5OLE32.EXE
O4 - HKCU\..\Run: [aBr9RWbmX] IOSIL400.EXE
O14 - IERESET.INF: START_PAGE_URL=http://welcome.hp.com/country/uk/eng/welcome.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Clean your Temp directory, your temp. internet files, all your cookies etc.
Boot back in normal.
If all is OK, switch on System Restore if you like.
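
An added example, not part of the thread: a small Python parser for the HijackThis lines quoted in the reply above. It matches each O4 autorun entry against the process names the reply asks to stop and pulls out the ProxyServer override. The function names and grouping are this example's own assumptions; the sample lines are copied from the post.

```python
import re
import ntpath

# Process names the reply asks to stop in Task Manager (taken from the post).
STOP_LIST = {"LOADQM.EXE", "WINAMPA.EXE", "IR5OLE32.EXE", "IOSIL400.EXE", "CP32NBTN.EXE"}

# Subset of the fix list, copied from the post.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.120.75.136:80
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [rs8V36X] IR5OLE32.EXE
O4 - HKCU\..\Run: [aBr9RWbmX] IOSIL400.EXE
O14 - IERESET.INF: START_PAGE_URL=http://welcome.hp.com/country/uk/eng/welcome.htm
""".strip().splitlines()

LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
REG = re.compile(r"^(?P<key>HK[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")

def exe_name(cmd):
    """Upper-cased file name of a Run command (unquoted paths with spaces are not handled)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return ntpath.basename(m.group(1) or m.group(2)).upper() if m else ""

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # not a HijackThis entry line
    entry = {"code": m["code"], "raw": line.strip()}
    if m["code"] == "O4" and (r := RUN.match(m["body"])):
        entry.update(r.groupdict(), exe=exe_name(r["cmd"]))
    elif m["code"] in ("R0", "R1") and (r := REG.match(m["body"])):
        entry.update(r.groupdict())
    return entry

def triage(lines, stop_list=STOP_LIST):
    """Group entries: autoruns whose exe is on the stop list, proxy overrides, the rest."""
    out = {"autorun_on_stop_list": [], "proxy_override": [], "other": []}
    for e in filter(None, map(parse, lines)):
        if e.get("exe") in stop_list:
            out["autorun_on_stop_list"].append((e["hive"], e["name"], e["exe"]))
        elif e.get("value") == "ProxyServer":
            out["proxy_override"].append(e["data"])
        else:
            out["other"].append(e["code"])
    return out
```

Calling `triage(SAMPLE)` shows that every process on the stop list has a matching Run entry, which is why stopping the process alone does not keep it from starting again at the next boot.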
 
Thanks very much RealBlackStuff. I installed McAfee, ran AdAware, Spybot, and didn't find any of the files you emboldened above. I did read through your other topic, however (topic17297.html) and saw that you recommend to fix a lot more than you told me to fix in this post (i.e. all the O4 - HKLM...\Run processes). Should I also fix all of them, or is that just for users who are having the coolwebsearch problem?

Thanks

- Andrew
 
If you read that post again, you saw:
Fix ANY of these O2, O3 and O4, they are guaranteed BAD, whack them: :knock:

I will change that to have the specifics directly before the numbers O2, O3 and O4.
The programs in there are ALL known evil-doers. My text should perhaps read: If you have any of these, fix them.
I will change that asap, but the problem is the size-limitation of the post (max 10'000 char.) that's why I had to 'skimp' on full lines.
 