Solved

Hijacked by SearchPortalInfo

Posted on 2004-09-10
27
419 Views
Last Modified: 2010-05-18
I've been reading lots of answers for the browser hijack issue. Mine is a page that keeps coming up as the start page - searchportalinfo/sawaporn. I've tried everything I've read, to no avail. Here's my hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:37:13 PM, on 9/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Nhksrv.exe
C:\PROGRA~1\NORTON~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\PROGRA~1\NORTON~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\The Sabre Group\Print32\OADP.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\WLANSTA.EXE
C:\PROGRA~1\NORTON~1\vptray.exe
C:\WINNT\MMKeybd.exe
C:\WINNT\inet73kmd\services.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/sawaporn/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://inet-pac.sabre.com:81/sabre-proxy.pac
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINNT\MMKeybd.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKLM\..\Run: [nynwwvem] C:\WINNT\system32\iicuzsl.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PopupPopper Control Panel (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I've tried checking the one in question that displays at the top. But this doesn't work. I've run adaware, spybot, with new loads, over and over. Again to no avail.
Thanks for your help.
0
Comment
Question by:rangersf100
27 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Hello rangersf100 =)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

then close all Browser and explorer windows, and check these entries in HijackThis and click on Fix Checked !!
=======================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/sawaporn/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://inet-pac.sabre.com:81/sabre-proxy.pac
F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKLM\..\Run: [nynwwvem] C:\WINNT\system32\iicuzsl.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
==========================================================================

Then Reboot ur system in Safemode and run the above tools to delete everything they detect !!
then Empty ur Temporary Internet Files and Cookies, and Empty the TEMP folder also !!

Reboot back in Normal Mode and now check if same problem or not ??
Post Back and Good Luck :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://inet-pac.sabre.com:81/sabre-proxy.pac
F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
===================================================

Notice the above lines,,,, these are related to each other as u can see the "inet" thing
first i thought its related to ur regional internet provider... but there is not any record on it....

so ONLY if u recognise them, u can leave them
and if u dont know abt these lines and "inet" thingy, then go on and Fix them :)
ok.... ??
0
 

Expert Comment

by:shelldannelley
Okay, did all of this, now rebooting.  Obviously I have two computers here.
Now opening IE.  First time I open it -  YES!  Correct home page.  
Let me try again.....WE HAVE A WINNER.  
By the way, there was one of the lines I did recognize as my intranet script,
so I kept it.  

Thanks so much.   Now I'll see where to go to give you the points.
If you don't see them, please let me know the procedure.  This site is
a bit difficult to maneuver through.

Have a great weekend.
rangersf100
0
 

Author Comment

by:rangersf100
It's now Saturday morning and all heck has broken loose.  The things I did last night, all the
checks and everything, has resulted in a bombardment of popup windows, despite my popup
killers being on.  It has now put folders in my favorites that relate to adult content.
The page that was replacing my home page at startup is still hijacking my browser.
So nothing worked after all.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
u used another account for urself.... that was not allowed.... ask a moderator in Support area to delete one of ur account !!

then post here the New and fresh log file,,,,,,, something was missed surely and that's why ur system is reinfected....
are u using any P2P program or any shareware type thingy ??
0
 

Expert Comment

by:shelldannelley
I'm not sure what those are.
Sorry.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
rangersf100 and shelldannelley...... are u two separate persons... or one person using two separate accounts.... im sorry but im confusing here :-?
0
 

Author Comment

by:rangersf100
Sorry for the duplicate account.  We are one and the same-somehow forgot about the old one.  I have sent an email asking to delete shelldannelley account.

Here is the latest logfile from hijack this.  By the way, I had just installed a Windows critical update before this all happened.
dallasnews is what I want my home page to be.   Thanks again - rangersf100

Logfile of HijackThis v1.97.7
Scan saved at 12:29:19 PM, on 9/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Nhksrv.exe
C:\PROGRA~1\NORTON~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\PROGRA~1\NORTON~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\The Sabre Group\Print32\OADP.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\WLANSTA.EXE
C:\PROGRA~1\NORTON~1\vptray.exe
C:\WINNT\MMKeybd.exe
C:\WINNT\inet73kmd\services.exe
C:\WINNT\system32\iicuzsl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://inet-pac.sabre.com:81/sabre-proxy.pac
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINNT\MMKeybd.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKLM\..\Run: [tsoreule] C:\WINNT\system32\iicuzsl.exe
O4 - HKLM\..\Run: [gfej] C:\WINNT\gfej.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PopupPopper Control Panel (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0
 

Author Comment

by:rangersf100
Sorry - one more thing.  I no longer get the home page searchportalinfo, but one of the spysweep things I installed keeps popping up and telling me that spyware is trying to change it - to searchportalinfo - and asks if I want to keep or restore.  I set to automatically use the one I want instead of changing to searchportalinfo.  But now the things I installed are as much of a nuisance as anything else.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [tsoreule] C:\WINNT\system32\iicuzsl.exe
O4 - HKLM\..\Run: [gfej] C:\WINNT\gfej.exe
================================

Fix these entries.... and from safemode delete this file
C:\WINNT\system32\iicuzsl.exe

Did u empty the Temp internet and TEMP files ??
reboot back and check ??
0
 

Author Comment

by:rangersf100
Did this, rebooted, home page in browser went right to the searchportal.  I uninstalled nearly everything
the earlier message asked.  I am about to give up and reinstall the g.d. operating system. Sorry for my
frustration.  Is there some kind regscan entry or scanreg, where I can go back a few days and wipe all this out?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ok here is something interesting.... first have a look at these two threads with same searchportal startpage problem....

http://www.cybertechhelp.com/forums/showthread.php?p=262868#post262868
http://computercops.biz/postp296780.html

now can u see in their logs this [xp_system] thingy
this is common in the above two threads, and this is present in ur LOG also....
u said u recognise them, are u really sure ??

coz if u are not sure, then u have to fix atleast these three lines also....

F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe

what do u say now :)
0
 

Expert Comment

by:shelldannelley
I used hijack this to "fix" the three above, plus searchportalinfo.  No luck.  Now my browser
starts at about:blank.  I will try what was suggested in the links above and update
0

 

Expert Comment

by:shelldannelley
Tried the second thread - the computercops, but I don't know what to do
after opening the register lite.   That advice doesn't take me far enough.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
first of all..... pllzzzzzz dont use two accounts in one question,,,,, =\

second.... ur browser now starting to about:blank,,, but what is the page, i mean its a search site page or just a blank page..... did u restarted after fixing all those entries in log file ??
0
 

Author Comment

by:rangersf100
Sorry about the account thing.  I logged again under the rangers ID.   I did this time, so if it's showing under the other one then I don't know how to get around this.

I've been restarting after each time I try to repair from HijackThis.  I've been repairing in the safe mode.  The about:blank is totally blank.
Last time I rebooted and opened IE, it was back to searchportalinfo.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
u are confusing me to FULL Extent =(

once u are saying u are having about:blank
then u are saying last time i rebooted, it was back to searchportalinfo

dont talk abt the past problems..... plzz let me know abt the current problem
now the problem is about:blank or searchportalinfo ??

if its about:blank and if its a blank about:blank page then its not spyware or hijacking problem

just goto IE>Tools>Internet Options
and change ur homepage here
apply and now check if about:blank is again coming as homepage or not ??

and post here the fresh log, let me check what did u fix there ??
0
 

Author Comment

by:rangersf100
You think YOU'RE CONFUSED??  haha.  Okay, the problem most always was the startup page was
searchportalinfo.  Then, after several fixes, it would startup with a blank page whose address was about:blank.
But I went in and did the easy fix - tools - internet options, changed the page.  That's what I always did until
I decided to really fix this thing.   So, after the last reboot, it responded with searchportalinfo.  It has brought up
this page the past few times.

So which is it?  It's both, but the about:blank was only coming up a few times.
Today, and the start of the problem yesterday, was searchportalinfo.
I want it to start up at http://www.dallasnews.com     It will do this for awhile, then go right back to searchportalinfo.

Latest hijackthis:
Logfile of HijackThis v1.97.7
Scan saved at 4:23:19 PM, on 9/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Nhksrv.exe
C:\PROGRA~1\NORTON~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\PROGRA~1\NORTON~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\The Sabre Group\Print32\OADP.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\inet73kmd\services.exe
C:\WINNT\system32\WLANSTA.EXE
C:\PROGRA~1\NORTON~1\vptray.exe
C:\WINNT\system32\iicuzsl.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/sawaporn/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://inet-pac.sabre.com:81/sabre-proxy.pac
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [tsoreule] C:\WINNT\system32\iicuzsl.exe
O4 - HKLM\..\Run: [gfej] C:\WINNT\gfej.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PopupPopper Control Panel (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 250 total points
all JUNKS are still present on ur system as it was present,,,,,,, seems nothing is fixing.... !!
look at it....

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/sawaporn/
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [tsoreule] C:\WINNT\system32\iicuzsl.exe
O4 - HKLM\..\Run: [gfej] C:\WINNT\gfej.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
=======================

these are still present there happily,,,,, seems they were never Fixed ??
What can i suggest to do else,,,,
except fix them again...... then boot into safemode
DELETE these files

iicuzsl.exe from C:\WINNT\System32
gfej.exe from C:\WINNT
inet73kmd folder from C:\WINNT

after deleting these files manually, reboot back in Normal Mode, download this new version of HijackThis >> http://tools.radiosplace.com/HijackThis.exe

run it and check if these lines have come back again or not ??
if YES then go and format ur system.... nothing is fixing on ur system =\
0
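
Added example, not part of the original thread or any poster's code: a Python sketch of the check the answer above does by eye, comparing a fix list against a later HijackThis scan and flagging autostart images that borrow a system binary's name. The sample lines are excerpted from the logs posted in this thread; the function names and the `SYSTEM_IMAGES` list are assumptions of this example.

```python
import ntpath
import re

# Expected folder for a few core Windows 2000 images (assumed short list, not exhaustive).
SYSTEM_IMAGES = {
    "services.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "winlogon.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")
IMAGE_RE = re.compile(r'(?:run=|\] |\.lnk = )"?([^"]+?\.exe)', re.IGNORECASE)

# Excerpts from the thread: the first fix list, then the scan posted the next day.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/sawaporn/
F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKLM\..\Run: [nynwwvem] C:\WINNT\system32\iicuzsl.exe
"""
LATER_SCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com
F1 - win.ini: run=C:\WINNT\inet73kmd\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet73kmd\services.exe
O4 - HKLM\..\Run: [tsoreule] C:\WINNT\system32\iicuzsl.exe
"""


def parse_entries(log_text):
    """Return (code, body) for each HijackThis result line; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def autostart_image(code, body):
    """Executable launched by an F1 or O4 entry, lower-cased, or None for other entries."""
    if code not in ("F1", "O4"):
        return None
    m = IMAGE_RE.search(body)
    return m.group(1).lower() if m else None


def entry_key(code, body):
    """Identity used across scans: the launched image for autostarts, else the full body.
    Keying on the image still matches a Run value that was renamed between scans."""
    image = autostart_image(code, body)
    return (code, image) if image else (code, body)


def survivors(fix_list, later_scan):
    """Entries from the fix list whose key is still present in a later scan."""
    later = {entry_key(c, b) for c, b in parse_entries(later_scan)}
    return [(c, b) for c, b in parse_entries(fix_list) if entry_key(c, b) in later]


def masquerading(log_text):
    """Autostart images named like a system binary but stored outside its expected folder."""
    hits = set()
    for code, body in parse_entries(log_text):
        image = autostart_image(code, body)
        if not image:
            continue
        folder, name = ntpath.split(image)
        if folder and name in SYSTEM_IMAGES and folder != SYSTEM_IMAGES[name]:
            hits.add(image)
    return sorted(hits)


if __name__ == "__main__":
    for code, body in survivors(FIX_LIST, LATER_SCAN):
        print("still present:", code, "-", body)
    print("system-binary name outside its folder:", masquerading(LATER_SCAN))
```

In the posted logs the Run value for iicuzsl.exe is named nynwwvem in the first scan and tsoreule in the next, so a line-by-line comparison would report it as fixed; comparing by launched image shows it survived.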
 

Author Comment

by:rangersf100
when I try to delete I get a sharing file error saying the files are in use.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
but u will not find them in safemode to fix ??
do this, get msconfig from here >> http://www.perfectdrivers.com/howto/msconfig.html

run it and in Startup tab, click on Disable all
restart and dont connect to internet
now try to fix those lines ??
0
 

Author Comment

by:rangersf100
wasn't in safe mode.  went to safe and deleted first and third.  but the gfej.exe from C:\WINNT
wasn't on my computer.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
>> but the gfej.exe from C:\WINNT wasn't on my computer.
leave it then

u have deleted the rest two files and have fixed those lines in HijackThis....
so time to see the results..... go on, im waiting.....
0
 

Author Comment

by:rangersf100
Okay, deleted in HT.  Closed browsers, opened back up, went to the correct page.
Rebooted, opened up and...

All good. Ran HT again, didn't see any of those files.
Okay, I think I can stop bothering you.  Many thanks for all your help.
If it happens again I'll just repeat all these steps.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
so the net result is..... those services.exe thingy was the culprit =\

PHEW !! what a hectic procedure it was.... glad u have got it solved now :)
sorry if u found me a little frustrated in between.... but this one really baffled me :-S
0
 

Author Comment

by:rangersf100
Don't worry a bit.   You were very patient.  That about:blank thing is odd.
I didn't realize it's an actual setting in IE.  I thought it was another hijack.
But it was getting hijacked somehow as well, evidently.  Well, this may be
one for the text books.

Thanks again.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
well about:blank is just a Blank page....
if u will goto Tools>Internet Options>and hit Use Blank under homepage setting
u will notice about:blank written there

the problem of hijacking arises when this about:blank takes u to a different site, mostly a search engine or junk sites u know =\
0
