IE Problem - Please Help!!

Status
Not open for further replies.
Hi,

It seems ever since I accidentally lowered my security settings on IE when I was having Java problems on a website, something has embedded itself on my PC and I can't find it to remove.

I like playing poker and casino software online. I have noticed two problems now when I'm on the internet:

1) When I go to a URL which includes the word "Poker", I automatically get routed to an unwanted URL.

2) The same happens with the word "casino", but I get routed to a different URL.

Because my laptop is the property of my employer, I approached them to advise on spyware removal and they installed and ran a program which removed various programs but has not solved the problems above.

Can anyone help me please?

Thanks,

yaduks.
 
Thanks for the info.

I think I have another problem now in that when I try to access safer-networking I get directed to adwareremovergold.

Is this evidence of another infection?

What I do notice on my URL line before the adware link comes up is a reference to res://C:\WINNT\system32\shdoclc.dll/navcancl.htm

Could this have something to do with the problem? Any suggestions?

Thanks,

yaduks.
 
Spyware

Seems to me that your computer is full of spyware. I had this trouble when I connected to Microsoft for updates.

Try Spyware Blaster, Ad-Aware, Spyware Sweeper and see if that helps.
 
Get a friend to download those programs for you and burn them on a CD or copy them to a USB memory stick.
Even just following the HJT advice in my post (and running it) should get you on your way to do the rest.
 
OK, so I've done the HijackThis file (attached). I then ran CWShredder, which came up with no problems.

I read through the instructions for removing common HijackThis rotters but I'm not 100% sure if what I'm doing is correct. I would appreciate someone looking at this file.

Thanks,

yaduks.
 
Boot in Safe Mode
Try to UNinstall anything to do with this crap:

C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\tioga\client\bin\tgcmd.exe
C:\apps\supportcom\bin\tgfix.exe

Next, press ctrl/alt/del and try to stop these processes:
msupd5.exe
regsvc.exe
mgbrvhyi.exe
tgcmd.exe

Next, run HJT on its own and 'fix' (if still there):
C:\WINNT\system32\msupd5.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\mgbrvhyi.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {19465EEA-66ED-9DD5-4C60-836C3AF45C0D} - C:\WINNT\system32\cfcbvxva.dll
O2 - BHO: (no name) - {C34ACC26-C638-0FDD-BC9D-A3857A1CFB08} - C:\WINNT\system32\ufzyblth.dll
O4 - HKLM\..\Run: [Tgaddsrv] "C:\apps\supportcom\bin\tgfix.exe" /fds http://nam.mydexa.com/opssupport
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\client\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [mgbrvhyi] C:\WINNT\system32\mgbrvhyi.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1029.dll,InstantAccess
O4 - Global Startup: cp_lawsonprod.bat --->>> you decide <<<---
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .ext: C:\Program Files\Internet Explorer\PLUGINS\npradia.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hub.slb.com
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/36yf30fg.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1029_EN.cab
O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyclick.com/Download_Helper/fsloader_v3.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eur.slb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B2D6404-F5C0-4950-9D2E-D801E1813733}: NameServer = 134.32.125.3,134.32.26.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eur.slb.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eur.slb.com
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
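
The cross-check behind the steps above, as an added example that is not part of the thread or any poster's code: it takes a subset of the entries quoted in the post and maps each file to the HijackThis sections that load it (O2 = browser helper object, O4 = autostart entry, O23 = service), so a stopped process that still has a load point is not missed. The function names `persistence_map` and `process_only` are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the entries quoted in the post above, copied from the page.
# Lines without an "Rn -" / "On -" prefix are running processes.
LOG = r"""
C:\WINNT\system32\msupd5.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\mgbrvhyi.exe
O2 - BHO: (no name) - {19465EEA-66ED-9DD5-4C60-836C3AF45C0D} - C:\WINNT\system32\cfcbvxva.dll
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [mgbrvhyi] C:\WINNT\system32\mgbrvhyi.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
"""

# "O4 - rest of line" style prefix used by HijackThis log entries.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# First drive-letter path ending in an executable extension (spaces allowed).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|bat)', re.I)


def persistence_map(log):
    """Map lower-cased file path -> sorted list of sections that reference it."""
    refs = defaultdict(set)
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        section = entry.group(1) if entry else "process"
        body = entry.group(2) if entry else line
        path = PATH_RE.search(body)
        if path:  # entries without a full path (e.g. bare rundll32 calls) are skipped
            refs[path.group(0).lower()].add(section)
    return {p: sorted(s) for p, s in refs.items()}


def process_only(log):
    """Running binaries with no load point among the parsed entries."""
    return sorted(p for p, s in persistence_map(log).items() if s == ["process"])


if __name__ == "__main__":
    for path, sections in sorted(persistence_map(LOG).items()):
        print(f"{path:50} {', '.join(sections)}")
    print("no load point in these entries:", process_only(LOG))
```

A file listed under both `process` and a load-point section will start again at the next boot unless that entry is fixed as well; a file listed only under `process` means its launcher is not among the parsed lines, so a fresh scan after cleanup is worth running.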
 