Please help!! hijackthis log posted

[faithfulfly]

I've started getting these annoying pop ups. I've ran various spyware tools to remove the problem but none of it is working. here is a copy of my hijackthis log. Please help me out. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 6:59:47 PM, on 2/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\Q8VBYBPV\HIJACKTHIS[1].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joecustoms.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ELNIE.DLL
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart

[CTSNKY]

I don't think you posted your entire HJT log here. Please try again and make sure you copy/paste it all for us.

Thanks.

[faithfulfly]

That's the entire log. I'm not sure what's wrong with the computer. I keep getting pop ups that are posing as updates and spyware warnings. My wife messed around with the computer for a little while and seemed to have fixed it. Then just a moment ago I hit the homepage button and about:blank came up and then the pop ups came back ><

[CTSNKY]

Hmmmmm.......OK, then give us a fresh version of the log now.

Let's also use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.

[faithfulfly]

It seems to be getting worse. The computer won't let me run tds-3. I've downloaded it but it won't open up for me. I used spybot and it showed me these 2 things: Coolwwsearch.leftovers, Coolwwwsearch.AllCyberSearch. They keep coming back even after spybot says there fixed. My cws shredder or hijackthis won't run anymore either. It seems the pop ups are increasing and it keeps changing my homepage around too. This thing has me so mad!

[CTSNKY]

Try running all of those programs in Safe mode.

Here's a link on how to get into Safe mode:

http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

[faithfulfly]

TDS will not run in Safe Mode, either. (TDS begins to open (hourglass), but then stops as if something were canceling it.) However, Hijackthis was able to run. Here is the log from it:


Logfile of HijackThis v1.97.7
Scan saved at 5:30:09 PM, on 2/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\TDS3\TDS-3.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\ND2B3Y7B\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ELNIE.DLL
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {5FB1BA91-8519-11D9-B6B6-0030EEF5F59E} - C:\WINDOWS\SYSTEM\EBLOC.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart

[CTSNKY]

You ran the older version of HJT, FYI. Please use version 1.99.1 next time. Thanks.

=============

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.

Download AboutBuster and unzip it to a folder on your the Desktop. Do not run it yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5FB1BA91-8519-11D9-B6B6-0030EEF5F59E} - C:\WINDOWS\SYSTEM\EBLOC.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\EBLOC.DLL

Run CleanUp! again.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

[faithfulfly]

CleanUp was able to run on the computer, however, hijackthis is no longer running in safe or regular mode, norfrom permanant (saved) or temporary files, from the link on this site or any other, from the hard drive or from a floppy disk.

Upon trying to run Hijackthis, a prompt screen flashes up with the option to open, saved, etc., but disappears immediately. the few times I have managed to click anything before it closes, the hourglass shows, lights flash, and then nothing ever happens. On other attempts, a message saying "Hijack This Unexpected Error" appears.

Is something on the computer preventing Hijackthis from running? If so, how can this be bypassed?

[CTSNKY]

There have been some reported issues running the newest version. Here's a link to the version just before this one, but newer than 197.7 that you ran last time. Try using it:

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis1982.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless.

[faithfulfly]

No such luck with Hijackthis 197.7, either "Unexpected Error" what could be causing this?

[faithfulfly]

Finally, hijackthis ran, about buster ran, no signs of about:blank files in hijack log, and here is AboutBuster log:

Scanned at: 12:49:37 AM on: 2/25/05


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!




(Assuming this log means that the problem is fixed (or at least not detectable right now)?

Popups are gone and Homepage has reverted to the one we set. Hopefully, it will stay that way.

Thanks for the help!!