
Homepage hijack Athlon

Discussion in 'Security and Privacy' started by Phyllis, 2004/03/26.

Thread Status:
Not open for further replies.
  1. 2004/03/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Since I've pretty much stabilized my hp, I need further assistance on getting my athlon up and running.

    We cannot get on line. I went through a troubleshooting session with comcast. It is not comcast nor the router.

    We are getting that omegasearch trying to access the internet, but page cannot be displayed.

    Thus far, I have run spybot, hijackthis, adware & spyware blaster.

    This is the latest log file from hijackthis on the athlon. I'm ready for round #2. Thank you.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:55:14 AM, on 3/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\twain_32\SiPix\SCBlink2\Srvany.exe
    C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\twain_32\SiPix\SCBlink2\USBPNP.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINNT\Mixer.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\NuCam\CamCheck\CamCheck.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\PlanCashDart\safelist.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe "
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O9 - Extra button: AIM (HKLM)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
     
  4. 2004/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Fix the O10 entries, apply the WinsockFix. Search the computer for New.net and WebHancer. Look in add/remove. Get rid of any you find.
     
  5. 2004/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Check this MSKB Article.
     
  6. 2004/03/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Thanks Dave, you sure are giving me an education!

    I downloaded the WinsockFix to my shared folder. I did not unzip it. I will unzip it at the athlon.

    You didn't tell me if you wanted me to post a new log after I followed these processes. May I? ;)
     
  7. 2004/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sure. :)
     
  8. 2004/03/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Ok, I unzipped and ran winsockfix. This has now enabled the athlon to get back on the internet and we finally got rid of the omegasearch that kept coming up.

    Here is the latest log file on the athlon. I hope that's ok.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:56:25 PM, on 3/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\twain_32\SiPix\SCBlink2\Srvany.exe
    C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\twain_32\SiPix\SCBlink2\USBPNP.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\Mixer.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\NuCam\CamCheck\CamCheck.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\PLANCA~1\safelist.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    \Phyllis\hijackthis\HijackThis.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Browse Error] C:\PROGRA~1\PLANCA~1\safelist.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe "
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O9 - Extra button: AIM (HKLM)

    I tried to get this of that brose error planca-1 but can't seem to.
     
  9. 2004/03/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    From my notes
    Probably could have been fixed by reinstalling those games
    that use it (maybe needed by Xfire); anyway, it apparently needed to be fixed, for connectivity.

    You mentioned omegasearch, that's one of the domains the coolwebsearch uses, doesn't necessarily mean it's a coolwebsearch infection, but certainly is reason for concern.
    Are you positive it's gone? How did you get rid of it?

    Post the entire log all the way from the header info at top down to 0-16's 17 and sometimes 18's

    What is this program? Sounds fishy.
    C:\PROGRA~1\PlanCashDart\safelist.exe

    I don't understand the last remark, explain further please
    Regards
    Lonny
     
  10. 2004/03/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    Here is the latest log on the athlon. I don't know, I've noticed things here are better but I did run into that omegasearch home page taking over again :confused:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:35:01 PM, on 3/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\twain_32\SiPix\SCBlink2\Srvany.exe
    C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\twain_32\SiPix\SCBlink2\USBPNP.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\NuCam\CamCheck\CamCheck.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\PLANCA~1\safelist.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\HijackThis.exe

    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [Browse Error] C:\PROGRA~1\PLANCA~1\safelist.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe "
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

    I was talking about what you pointed out, only I misspelled it. The 04-...[browse error] I don't know what that is.
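
Added example (not part of the thread and not written by any poster): a short Python script that parses HijackThis result lines and diffs two scans, which is the comparison the helpers make by eye between the 6:55 AM and 6:35 PM logs. The two sample logs are shortened excerpts of those posts, and the function names are this example's own.

```python
import re
from collections import Counter

# A HijackThis result line has the form "<section> - <detail>", e.g. "O10 - ...".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

# Shortened excerpts of two logs posted in this thread (not the full logs).
SCAN_0655 = r"""
Running processes:
C:\PROGRA~1\PlanCashDart\safelist.exe
O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
"""
SCAN_1835 = r"""
Running processes:
C:\PROGRA~1\PLANCA~1\safelist.exe
O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [Browse Error] C:\PROGRA~1\PLANCA~1\safelist.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
"""

def parse_entries(log_text):
    """Count (section, detail) pairs; header and process-list lines are skipped."""
    entries = Counter()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries[match.groups()] += 1
    return entries

def diff_scans(before, after):
    """Return (added, removed): entries whose count rose or fell between scans."""
    old, new = parse_entries(before), parse_entries(after)
    return dict(new - old), dict(old - new)

def report(before, after):
    """Render the diff as text lines, one per changed entry, with counts."""
    added, removed = diff_scans(before, after)
    lines = [f"+ {sec} - {detail} (x{n})" for (sec, detail), n in sorted(added.items())]
    lines += [f"- {sec} - {detail} (x{n})" for (sec, detail), n in sorted(removed.items())]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SCAN_0655, SCAN_1835)))
```

On these excerpts the diff shows the O10 Winsock LSP lines gone and two new O4 Run entries, including the one for safelist.exe, which was already in the process list of the first scan.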
     
  11. 2004/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Are you able to identify the Planca? Another game? What is the full name on the folder? From what I've been able to find, it looks to be associated with a sound effects program. All I see besides that to fix would be;

    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

    They aren't needed at startup, and the Planca may not be. Disable it from msconfig and end process on it in task manager to see if it bothers anything. While in msconfig, uncheck this item;
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe

    Empty all TIF's and delete cookies. Do a disk cleanup like this (I hope it works in 2000 :rolleyes: ): start>run and type cleanmgr sageset:1, enter. Check all but compress old files and OK. Then start>run and type cleanmgr sagerun:1, enter.
    Reboot and see how things act.
     
  12. 2004/03/26
    Phyllis

    Phyllis Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    150
    Likes Received:
    0
    We don't know what that file is. When you say to remove them you are talking about running hijack correct? Or am I going through to msconfig to disable at start up? The Xfire is something he uses either for instant message his clan members for battlefield (I think).

    The Athlon is running well. He can play his battlefield 1942 & vietnam without any problems (graphics/video/lag). I'm still having the printing problem which I am attempting to fix in the appropriate forum. The HP is having problems with these games so I'm posted there as well (as you know).

    I feel like I should have at least earned a degree after all this :D I'm going to make them read all this stuff I have printed out about the various security measures and spyware programs that I have installed this week with your help. They will have to learn about the security to run and play their games so this doesn't happen in the future. I don't think I could live through another week like this :eek: :eek: Thanks so much.
     
  13. 2004/03/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi again

    Well, the uncoolwebsearch is not always visible in a log, so since you saw (I think) omegasearch again, run CWShredder. Here's how.
    Download and unzip and run CWShredder. Click Fix, don't just scan. You have several CoolWebSearch components which it should remove.
    If you already have it, just download another copy and overwrite the old one.
    To ensure it's the latest version, currently CWShredder v1.53.4 as of 2:07 AM 3/25/2004

    Reboot


    I vote fix these and see what happens. They can always be put back. If memory serves, win 2000 doesn't have msconfig, but one of the forum members can link you to it or a startup tool if you want one. In other words, don't get in the habit of using hijackthis as a startup tool, please.

    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
    O4 - HKLM\..\Run: [Browse Error] C:\PROGRA~1\PLANCA~1\safelist.exe

    Reboot come back then scan with and post a hijackthis log
     
  14. 2004/03/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I learn something every day on this board! :D

    I found this MSKB Article that should help.

    What is the full name of the planca folder? Look inside for a readme.txt that might give some clues. The xfire doesn't need to startup at logon to work, thus the recommendation to disable.
     