Still Showing Several Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by krewerider, Mar 6, 2005.

  1. krewerider

    krewerider Private E-2

    I followed the instructions in the READ ME FIRST thread and feel confident I did everything right. However, I may be wrong!

    When I now run Spybot I get the following....

    coolwwwsearch - 3 entries
    coolwwwsearch.boot conf - 6 entries
    fastclick - 1 entry

    Spybot will not fix "coolwwwsearch" .....a message appears reading,
    "some problems could not be fixed - reason could be that the associated files are still in use (memory)"

    Also, I still have the pesky "about blank" problem!
    I ran the "HijackThis" but don't know how to read the log results.

    I would appreciate any help.

    Thank you!
     
  2. TheOldThug

    TheOldThug First Sergeant

    After doing ALL of the TUTORIAL, if you still have a problem send us a HJT log. I won't be around this morning but maybe someone else will show up and take a look at it. They have had success with your type of problem.

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. krewerider

    krewerider Private E-2

    Here's my Hijack log
     

  4. krewerider

    krewerider Private E-2

    Well at least the "DOS Exploit and Webdialer" appear to be gone!

    So I guess something was accomplished!
     
  5. TheOldThug

    TheOldThug First Sergeant

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Weatherbug
    Orbitexplorer
    RealBar

    NOW:
    Please look in Task Manager (Ctrl-Alt-Del) and try to END the following running processes, if found:

    CSTRAY.EXE
    MINIBUG.EXE

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GPIM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GPIM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GPIM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GPIM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GPIM.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GPIM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {9446F89B-8E05-11D9-9096-810354B9AB3B} - C:\WINDOWS\SYSTEM\GPIM.DLL
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
    O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
    O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\MINIBUG\MINIBUG.EXE 1
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O18 - Filter: text/plain - {C023D123-8DDA-11D9-9096-BB4FBD55FE18} - C:\WINDOWS\SYSTEM\GPIM.DLL
    O18 - Filter: text/html - {C023D123-8DDA-11D9-9096-BB4FBD55FE18} - C:\WINDOWS\SYSTEM\GPIM.DLL

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file and folders if they should remain:

    C:\PROGRA~1\COMMON~1\REAL --->The Folder
    C:\PROGRA~1\COMET --->The Folder
    C:\PROGRAM FILES\AWS --->The Folder
    C:\WINDOWS\SYSTEM\GPIM.DLL --->The File

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
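Reading an HJT log by hand is the part the user in post #1 was stuck on. As an added example (not from this thread, and not code from the HijackThis tool), the Python snippet below parses the entries quoted in the post above and flags any DLL or EXE that is hooked into several HJT sections at once. That is exactly how GPIM.DLL stands out here: it is the search-page redirect target (R0/R1), a BHO (O2) and a MIME filter (O18), which is why Spybot could not remove it while the file was loaded.

```python
import re
from collections import defaultdict

# Sample HijackThis entries, copied from the log lines quoted in post #5 above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GPIM.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GPIM.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9446F89B-8E05-11D9-9096-810354B9AB3B} - C:\WINDOWS\SYSTEM\GPIM.DLL
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\MINIBUG\MINIBUG.EXE 1
O18 - Filter: text/html - {C023D123-8DDA-11D9-9096-BB4FBD55FE18} - C:\WINDOWS\SYSTEM\GPIM.DLL
"""

# "R1 - ...", "O2 - ...", "F1 - ...": the section code, then the entry body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A drive-letter path ending in .dll/.exe; it may contain spaces or sit inside a res:// URL.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"()]*?\.(?:dll|exe)\b', re.IGNORECASE)


def parse_entries(log_text):
    """Return [(section, body), ...] for lines that look like HJT entries; skip the rest."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def group_by_file(entries):
    """Map each DLL/EXE path (upper-cased; 8.3 and long forms are kept distinct)
    to the set of HJT sections that reference it."""
    by_file = defaultdict(set)
    for section, body in entries:
        for path in PATH_RE.findall(body):
            by_file[path.upper()].add(section)
    return dict(by_file)


def multi_hook_files(by_file, min_sections=2):
    """Files wired into several hijack points at once; search-page redirect plus BHO
    plus MIME filter is the CoolWebSearch shape seen in this thread. Sorted for stable output."""
    return {p: sorted(s) for p, s in by_file.items() if len(s) >= min_sections}


if __name__ == "__main__":
    for path, sections in multi_hook_files(group_by_file(parse_entries(SAMPLE_LOG))).items():
        print(f"{path}: referenced from {', '.join(sections)}")
```

A single-section hit such as CSTRAY.EXE (only O4) is not flagged by this rule; it still needs the kind of manual judgement the helpers apply in the posts below.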
     
  6. krewerider

    krewerider Private E-2

    Thanks so much!

    I followed your last instructions and problems seem to be fixed!
    I notice a big difference in performance already!
    I am so grateful for your help!

    I also attached my latest Hijack log.

    Thanks again,
    Krewe
     

  7. TheOldThug

    TheOldThug First Sergeant

    You're welcome

    Glad you got it all fixed. ;) You should check this out now: How to Protect yourself from malware!

    Use Firefox and get insulated against malware.
    Unless I missed something you look clean.
    Once everything seems OK be sure to turn System restore back on.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I noticed a few more things to address in that last log. If you want I will post a fix?
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Do you use QuickFlicks Streaming Player?


    Second:

    Please look in Add or Remove Programs for the following and Uninstall if found:

    SVA Player



    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    SVAPLAYER.EXE


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    F1 - win.ini: run=hpfsched

    O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE

    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\Program Files\SVA Player ←–– Delete this whole folder!


    NEXT:
    Run CCleaner


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    There is another line too:

    O2 - BHO: MediaDir Class - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRA~1\SVAPLA~1\SVAPLA~1.DLL

    Also note, the below is not bad, and we should check with the user to see if they want this function or not before removing it.

    F1 - win.ini: run=hpfsched
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The O2 line, I asked the user about because it was related to QuickFlicks Streaming Player and I wanted to make sure they didn't use it before I fixed that one. I was awaiting a response before I took action on that entry.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You asked about QuickFlicks Streaming Player not the O2 line in particular. But then you continued to remove all of it anyway.

    QuickFlicks is malware and you already had them remove the O4 exe and the folder so why keep the BHO!
     
    Last edited: Mar 7, 2005
  13. krewerider

    krewerider Private E-2

    QuickFlicks Streaming Player.....

    I have no idea what that is....but if I don't need it, let's get rid of it!!!

    Thanks
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the uninstall first! Looking for what BJ gave or for something to do with QuickFlicks.
     
  15. krewerider

    krewerider Private E-2

    I did it...removed it!

    latest hijack log is attached!

    Thanks so much guys!

    Krewe
     

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log is clean! :)

    Are you experiencing any further problems?


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
     
  17. TheOldThug

    TheOldThug First Sergeant

    I'm glad BJ and Chas picked up the stuff I missed. Be sure to do what BJ just told you and what I mentioned in #7 to prevent malware.
     
