Guide to Removing and Preventing Spyware/Adware/Hijacking/Viruses

Page 15

ScrapSilicon

Lifer
Apr 14, 2001
Originally posted by: Schadenfroh
Originally posted by: ScrapSilicon
Originally posted by: Schadenfroh
Originally posted by: ScrapSilicon
Originally posted by: Schadenfroh
Originally posted by: poster
Thanks for the help Schadenfroh, it seems to be working so far, and things seem faster. I'm not able to get into Hotmail though, and my friend's going to want to do that. I can get the login page, but after I type in my info I get a "page cannot be displayed" error. I've got IE set to medium security settings with no luck, any ideas??

might have something wrong with your hosts or ie restricted zones. does it load in firefox?

MSN Messenger service/Hotmail... most likely a bug of some sort, i.e. a browser hijack. Has he run Spybot and SpywareBlaster yet?

see if winsockfix fixes it
O4 - HKCU\..\Run: [wccapp] c:\documents and settings\enduser\desktop\winlqt.exe
?

I can't find any results on Google for that key; get rid of it.

It's from poster's HijackThis log. I was querying him about it, just wondering about it, as I've not seen too many have a username account as "enduser"...
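Schadenfroh's suggestion above to look at the hosts file is worth a concrete check: on Windows XP the file is C:\WINDOWS\system32\drivers\etc\hosts (no extension), and a hijacker that pins the Passport/Hotmail login hosts or windowsupdate.microsoft.com to 127.0.0.1 is one classic cause of a page that loads up to the login step and then fails with "page cannot be displayed". The script below is an added example, not code from anyone in this thread: it parses a hosts file, flags mappings that blackhole or redirect watched domains, and writes out a cleaned copy. The sample hosts contents and the WATCHED_SUFFIXES list are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file for this example; not taken from any machine in the thread.
# On Windows XP the real file is C:\WINDOWS\system32\drivers\etc\hosts (no extension).
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.hotmail.com
127.0.0.1       login.passport.net
0.0.0.0         windowsupdate.microsoft.com
10.0.0.5        www.google.com
192.168.1.10    fileserver.lan
"""

# Domains a hijacker pins so the victim can neither log in, update Windows nor fetch removal tools
# (illustrative list chosen for this example; extend it for the vendors you care about).
WATCHED_SUFFIXES = ("hotmail.com", "passport.net", "passport.com", "msn.com", "microsoft.com",
                    "windowsupdate.com", "symantec.com", "mcafee.com", "google.com")

def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; comments, blanks and unparsable lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower()

def classify(addr, name):
    """Reason string if the mapping looks like a hijack, else None."""
    if name == "localhost" or name.endswith(".localhost"):
        return None
    watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
    if addr.is_loopback or addr.is_unspecified:
        # Ad-blocking hosts files blackhole thousands of ad domains this way; only watched names are alarming.
        return "blackholed at %s" % addr if watched else None
    if watched:
        return "redirected to %s" % addr
    if addr.is_global:
        return "pinned to public address %s" % addr   # unusual in a home hosts file; worth a look
    return None   # private/LAN names such as fileserver.lan are normal

def suspicious_entries(text):
    """[(hostname, ip, reason)] for every mapping classify() objects to."""
    found = []
    for addr, name in parse_hosts(text):
        why = classify(addr, name)
        if why:
            found.append((name, str(addr), why))
    return found

def clean_hosts(text):
    """The hosts text with every line carrying a suspicious mapping dropped; comments and good lines survive."""
    kept = [raw for raw in text.splitlines()
            if not any(classify(addr, name) for addr, name in parse_hosts(raw))]
    return "\n".join(kept) + "\n"
```

On the affected machine, open the hosts file in Notepad (clear the read-only attribute first if it is set), run `suspicious_entries` over its contents and write back `clean_hosts` only after reviewing the list. A stock XP hosts file contains nothing but the `127.0.0.1 localhost` line, so anything naming a login, update or security vendor host is suspect by itself; private-address mappings for LAN names are left alone because they are normal.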
 

Schadenfroh

Elite Member
Mar 8, 2003
Originally posted by: ScrapSilicon
It's from poster's HijackThis log. I was querying him about it, just wondering about it, as I've not seen too many have a username account as "enduser"...

Thanks for pointing that out. User accounts can be named just about whatever they want to name them, but yeah, I overlooked that entry. Do remove it, poster.
 

poster

Member
Nov 10, 2002
Hey again.

First of all, sorry about the confusion about my name; when I first joined here I was trying to solve a frustrating issue with my rig and wasn't feeling too creative. As for the 'enduser' thing, it's odd, but I don't think this is a brand new computer. There's no way my friend could have screwed it up this bad after only having it a few days. FutureShop may actually be a bad place to buy a computer, but I dunno if he knows this.... I could swear this is a return item someone else ruined and took back.....


O4 - HKCU\..\Run: [wccapp] c:\documents and settings\enduser\desktop\winlqt.exe has already been killed. I didn't find it in Google either, so I zapped it.

I still can't get on Hotmail after the login page; in fact, I'm having trouble getting the post window here to launch sometimes. I used my XP CD to uninstall IE, but it's not even gone, just the Desktop icon deleted.

I don't have Firefox on here, Schadenfroh; I'm using someone else's computer, so I'd like to just use IE if I can. I'd actually prefer to format the durn thing, but I have a regular XP CD for my homebuilt PC, not a restore disc, and I'd be afraid of what HP 'features' would stop working.

No luck with WinsockFix. I'll try the other two programs, but wouldn't we have already killed the bad startup stuff using HijackThis?
 

Fatdog

Golden Member
Nov 10, 2000
Hi,

Would you mind taking a look at this log from a co-worker's home PC? They ran Ad-Aware and Spybot S&D 1.3 and there are still a few things running wild in there.

Thanks in advance.

Logfile of HijackThis v1.98.2
Scan saved at 9:01:50 PM, on 10/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bpttak.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\DOCUME~1\Karen\LOCALS~1\Temp\svcmm32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\HiJack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qyoud.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qyoud.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qyoud.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qyoud.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qyoud.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qyoud.dll/sp.html#29836
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qyoud.dll/sp.html#29836
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - (no file)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {E8A39625-B6BE-1D18-1BE0-EDB00316FA68} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Karen\LOCALS~1\Temp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uzpkie] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll
O4 - HKCU\..\Run: [kvern16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\kvern16.dll
O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\System32\searchsetter[1].exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/...c48e2e58a29296baabe1d6
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdl...cabs/FPDC_1_0_0_44.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/15...QuickTimeInstaller.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_down...staller/dwnldr_ext.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/mmed.cab

 

poster

Member
Nov 10, 2002
Regarding my last post above, in addition to not getting into Hotmail I'm also having problems getting the Windows Update installer/scanner dealy thing to load. So whatever the issue is here, it's killing Hotmail and the install window of Windows Update. I'm hoping to return this thing to him today in a few hours; hope I can get this resolved soon. Please help if possible! I've run Spybot and SpywareBlaster but no luck.

I did some cmd.exe tricks that a site recommended and got a little farther with Windows Update; I'm getting error number 0x8009200D on their site now. Couldn't find much about it in Google.
 

Schadenfroh

Elite Member
Mar 8, 2003
Originally posted by: poster
Regarding my last post above, in addition to not getting into Hotmail I'm also having problems getting the Windows Update installer/scanner dealy thing to load. So whatever the issue is here, it's killing Hotmail and the install window of Windows Update. I'm hoping to return this thing to him today in a few hours; hope I can get this resolved soon. Please help if possible! I've run Spybot and SpywareBlaster but no luck.

I did some cmd.exe tricks that a site recommended and got a little farther with Windows Update; I'm getting error number 0x8009200D on their site now. Couldn't find much about it in Google.

Post a new HijackThis log. I don't know what's wrong; apparently the spyware damaged IE, and you can't uninstall it and reinstall it. I'm sorry, I don't know. You can undo everything the spyware removal tools did with HijackThis if you think you accidentally deleted something critical.
 

poster

Member
Nov 10, 2002
Here ya go. Followed the directions here http://www.jsiinc.com/SUBQ/tip8400/rh8430.htm to fix the hotmail problems, but it didn't solve the Windows Update thing.

The Log:



Logfile of HijackThis v1.98.2
Scan saved at 11:05:06 PM, on 10/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\enduser\Desktop\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/downl...gerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{456A99EB-9946-491C-89A7-8A2B8434CF1F}: NameServer = 142.177.1.2 142.177.129.11

 

Schadenfroh

Elite Member
Mar 8, 2003
poster, try fixing this

O17 - HKLM\System\CCS\Services\Tcpip\..\{456A99EB-9946-491C-89A7-8A2B8434CF1F}: NameServer = 142.177.1.2 142.177.129.11

If it does not fix it, restore it from a backup. It might be something put in there by his place of work or by himself, or it could be malicious; see if it works after removing it.
 

poster

Member
Nov 10, 2002
I'm not sure, but I think that line is put there by our ISP. I use Aliant and so does he, and both of us have that line or something similar that will not stay deleted. The IP-looking number is identical. Once you reconnect to the net it's back. I'm able to connect to Hotmail with it now, so I think he'll be happy with it. It's a lot faster, and there's no ad/spyware installed. Plus Ad-Aware and Spybot are on there now instead of the crappy adware-causing programs from before. Thanks for your help on all this; I'll tell him that's it for now unless he wants a clean install.
 

InlineFive

Diamond Member
Sep 20, 2003
Logfile of HijackThis v1.97.7
Scan saved at 7:36:33 PM, on 10/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\name\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.traffer.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://start.traffer.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {480FD7B8-9C94-4598-144C-7C3EDF5DB036} - C:\WINDOWS\system32\ntjy.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
O4 - HKLM\..\Run: [sysdm.exe] C:\WINDOWS\system32\sysdm.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\baywu.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Rals] C:\Documents and Settings\name\Application Data\part.exe
O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe
O4 - HKCU\..\Run: [Hitbyuef] C:\WINDOWS\System32\l?gonui.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O12 - Plugin for .php3: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://971.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/...ec2e9d584f880889783bc3
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com...e/cabs/director/sw.cab
O16 - DPF: {2A7B6B89-2498-54EC-DDA3-2400070A2A68} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/S...ent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/189886f16...06/netzip/RdxIE601.cab
O16 - DPF: {6BE4FFCE-65BC-622D-E09E-34C01BBAC548} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {79D0C416-419F-5DC9-1CBE-27B541612128} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/S...t/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.c...cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

I don't know what all of this means, so I hope you can help.
 

Schadenfroh

Elite Member
Mar 8, 2003
Hello PorBleemo,

Before you do anything
1. Upgrade to the latest version of Hijackthis
2. Download, but do not run yet, About:Buster.
3. Make sure that you have extracted HijackThis to a folder that is isolated before removing anything, for HijackThis makes backups within the folder it is in.
4. Disable system restore, malware can come back through it.
5. Reboot into safe mode.
6. Close all browsers/windows explorer.

Fix the following in HijackThis (kill the process in the process viewer, if it's there):
  • R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.traffer.ru
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://start.traffer.ru
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xyskh.dll/sp.html#29126
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
  • O2 - BHO: (no name) - {480FD7B8-9C94-4598-144C-7C3EDF5DB036} - C:\WINDOWS\system32\ntjy.dll (file missing)
  • O4 - HKLM\..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
  • O4 - HKLM\..\Run: [sysdm.exe] C:\WINDOWS\system32\sysdm.exe
  • O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
  • O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
  • O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
  • O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
  • O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
  • O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\baywu.exe
  • O4 - HKCU\..\Run: [Rals] C:\Documents and Settings\name\Application Data\part.exe
  • O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe
  • O4 - HKCU\..\Run: [Hitbyuef] C:\WINDOWS\System32\l?gonui.exe
  • O15 - Trusted Zone: *.05p.com
  • O15 - Trusted Zone: *.scoobidoo.com
  • O15 - Trusted Zone: *.searchmiracle.com
  • O15 - Trusted Zone: *.skoobidoo.com
  • O15 - Trusted Zone: *.windupdates.com
  • O16 - DPF: v2cab - http://971.searchmiracle.com/cab/v2cab.cab
  • O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/...ec2e9d584f880889783bc3
  • O16 - DPF: {2A7B6B89-2498-54EC-DDA3-2400070A2A68} - http://69.50.188.54/1/gdnUS208.exe
  • O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/189886f16...06/netzip/RdxIE601.cab
  • O16 - DPF: {6BE4FFCE-65BC-622D-E09E-34C01BBAC548} - http://69.50.188.54/1/gdnUS208.exe
  • O16 - DPF: {79D0C416-419F-5DC9-1CBE-27B541612128} - http://69.50.188.54/1/gdnUS208.exe
  • O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Additional Steps

1. Run About:Buster
2. Clear your Temporary Files
3. Remove the following via the instructions provided:
  • DELF.DS Trojan
  • WildTangent Adware
  • 180Solutions Adware
4. Delete the following folders:
  • C:\WINDOWS\System32\windows
  • C:\Program Files\WildTangent
  • c:\program files\180solutions
  • C:\Program Files\Windows SyncroAd
  • C:\WINDOWS\System32\golumm
5. Delete the following files:
  • C:\WINDOWS\system32\sysdm.exe
  • C:\WINDOWS\System32\twink64.exe
  • C:\WINDOWS\System32\baywu.exe
  • C:\Documents and Settings\name\Application Data\part.exe
  • C:\WINDOWS\System32\l?gonui.exe
6. Restart into normal Windows
 

Schadenfroh

Elite Member
Mar 8, 2003
Hello Fatdog,

Before you do anything
1. Make sure that you have extracted HijackThis to a folder that is isolated before removing anything, for HijackThis makes backups within the folder it is in.
2. Download, but do not run, About:buster.
3. Make sure you have LSP-Fix and WinsockFix on your PC, just in case. No need to run them; only run them if your net connection dies once you reboot back into normal mode.
4. Disable system restore, malware can come back through it.
5. Reboot into safe mode.
6. Close all browsers/windows explorer.

Fix the following in HijackThis (kill the process in the process viewer, if it's there):
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qyoud.dll/sp.html#29836
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qyoud.dll/sp.html#29836
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qyoud.dll/sp.html#29836
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qyoud.dll/sp.html#29836
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qyoud.dll/sp.html#29836
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qyoud.dll/sp.html#29836
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qyoud.dll/sp.html#29836
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - (no file)
  • O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - (no file)
  • O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
  • O2 - BHO: (no name) - {E8A39625-B6BE-1D18-1BE0-EDB00316FA68} - (no file)
  • O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - (no file)
  • O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
  • O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  • O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
  • O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
  • O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Karen\LOCALS~1\Temp\svcmm32.exe" /startup
  • O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
  • O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
  • O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
  • O4 - HKCU\..\Run: [Uzpkie] C:\WINDOWS\System32\l?gonui.exe
  • O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll
  • O4 - HKCU\..\Run: [kvern16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\kvern16.dll
  • O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\System32\searchsetter[1].exe
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
  • O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
  • O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
  • O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
  • O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
  • O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
  • O15 - Trusted Zone: *.05p.com
  • O15 - Trusted Zone: *.clickspring.net
  • O15 - Trusted Zone: *.mt-download.com
  • O15 - Trusted Zone: *.my-internet.info
  • O15 - Trusted Zone: *.scoobidoo.com
  • O15 - Trusted Zone: *.searchmiracle.com
  • O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/...c48e2e58a29296baabe1d6
  • O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
  • O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/mmed.cab

Additional Steps

1. (optional) Use a compression tool to zip up a copy of the following files and email them to me as a .zip file for research (when you reboot back into normal mode). My email address is schadenfroh@gmail.com; label the email "trojan package 1".
  • C:\WINDOWS\System32\dp-k13w13.exe
  • C:\WINDOWS\System32\l?gonui.exe
  • C:\WINDOWS\System32\manage.exe
  • C:\WINDOWS\System32\searchsetter[1].exe
  • C:\DOCUME~1\Karen\LOCALS~1\Temp\svcmm32.exe
2. Run About:buster
3. Clear your Temporary Files
4. Remove the following VIA instructions provided:

5. Delete the following folders:
  • C:\Program Files\Viewpoint
  • C:\Program Files\WildTangent
  • C:\PROGRA~1\VBouncer
  • C:\Program Files\webHancer\
6. Delete the following files
  • C:\WINDOWS\System32\dp-k13w13.exe
  • C:\DOCUME~1\Karen\LOCALS~1\Temp\svcmm32.exe
  • C:\WINDOWS\System32\manage.exe
  • C:\WINDOWS\System32\l?gonui.exe
  • C:\WINDOWS\System32\searchsetter[1].exe
7. Restart into normal Windows
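The two clean-up lists above (for InlineFive's log and for Fatdog's) apply the same handful of rules over and over: R0/R1 search and start pages served from a res:// DLL go, together with the about:blank entries set beside them; O2/O9 objects marked (no file) go; O4 Run values that start from Temp, Application Data or the desktop, carry a [1].exe download name, contain a character HijackThis could not print (shown as ?), masquerade as services.exe outside System32, or use regsvr32 /s to re-register a DLL at every logon go; O15 Trusted Zone wildcards go; O16 downloads from bare IP addresses, raw .exe files, or the very domains that were just added to the Trusted Zone go; O10 LSP entries get LSP-Fix or WinsockFix rather than deletion; and O17 NameServer gets compared with the ISP's DNS before anything is touched. The script below encodes those rules as a first-pass triage over a saved HijackThis log. It is an added example, not Schadenfroh's procedure or HijackThis's own code: the sample lines are copied verbatim from logs posted in this thread, the verdict names and heuristics are mine, and anything it marks review still needs the manual lookup the helpers here do by hand.

```python
import re
from urllib.parse import urlparse
# Constructed sample: lines copied verbatim from the HijackThis logs posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qyoud.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Karen\LOCALS~1\Temp\svcmm32.exe" /startup
O4 - HKCU\..\Run: [Uzpkie] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\System32\searchsetter[1].exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: v2cab - http://971.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {2A7B6B89-2498-54EC-DDA3-2400070A2A68} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{456A99EB-9946-491C-89A7-8A2B8434CF1F}: NameServer = 142.177.1.2 142.177.129.11
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(.*?)\] (.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr))', re.I)          # first program on a Run command line
SUSPICIOUS_PATH = re.compile(r"\\(temp|application data|desktop)\\|\?|\[\d+\]\.exe", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\(windows|winnt)(\\system32)?$", re.I)  # where a real services.exe lives
SYSTEM_NAMES = {"services.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}

def parse(log_text):
    """(kind, body) for each R*/O* line of a HijackThis log; process list and headers are ignored."""
    return [m.groups() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def judge_r(body, res_dll_seen):
    if body.startswith("Default URLSearchHook is missing"):
        return "fix", "let HijackThis restore the default URLSearchHook"
    value = body.split(" = ", 1)[-1].lower()
    if value.startswith("res://") and ".dll" in value:
        return "remove", "search/start page served from a local DLL resource (CWS-style hijack)"
    if value == "about:blank" and res_dll_seen:
        return "remove", "about:blank page set alongside res:// DLL entries"
    return "review", "confirm the owner chose this URL"

def judge_run(body):
    m = RUN_RE.match(body)
    if not m:
        return "review", "startup-folder shortcut; inspect its target"
    command = m.group(2)
    e = EXE_RE.match(command)
    exe = (e.group(1) or e.group(2)) if e else command.split()[0]
    parent, _, base = exe.lower().rpartition("\\")
    if base == "regsvr32.exe":
        return "remove", "Run value re-registers a DLL at every logon"
    if SUSPICIOUS_PATH.search(command):
        return "remove", "runs from Temp/profile folder, or name has an unprintable char (?) or [n] suffix"
    if base in SYSTEM_NAMES and not SYSTEM_DIR.match(parent):
        return "remove", base + " masquerading outside the Windows/System32 folders"
    return "review", "look up the value name and file before keeping it"

def judge_dpf(body, hijacker_domains):
    url = urlparse(body.rsplit(" - ", 1)[-1].strip())
    host = (url.hostname or "").lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "remove", "ActiveX control downloaded from a bare IP address"
    if url.path.lower().endswith(".exe"):
        return "remove", "ActiveX entry fetching a raw .exe"
    if any(host == d or host.endswith("." + d) for d in hijacker_domains):
        return "remove", "served from a domain the hijacker also added to the Trusted Zone"
    return "review", "verify the control's publisher"

def triage(log_text, trusted_allowlist=()):
    """One (verdict, kind, body, reason) per entry; verdicts: remove, fix, lsp-repair, verify, keep, review."""
    entries = parse(log_text)
    allow = {d.lower() for d in trusted_allowlist}
    zone = lambda b: b.split(":", 1)[1].strip().lstrip("*.").lower()
    hijacker_domains = {zone(b) for k, b in entries if k == "O15"} - allow
    res_dll_seen = any(k[0] == "R" and "res://" in b.lower() and ".dll" in b.lower() for k, b in entries)
    out = []
    for kind, body in entries:
        if kind[0] == "R":
            v = judge_r(body, res_dll_seen)
        elif kind in ("O2", "O3", "O9") and body.endswith(("(no file)", "(file missing)")):
            v = ("remove", "registered IE object whose file is gone")
        elif kind == "O4":
            v = judge_run(body)
        elif kind == "O10":
            v = ("lsp-repair", "Winsock LSP chain: repair with LSP-Fix/WinsockFix, never delete the DLL by hand")
        elif kind == "O15":
            v = ("keep", "allow-listed") if zone(body) in allow else ("remove", "Trusted Zone entry lowers IE security for that domain")
        elif kind == "O16":
            v = judge_dpf(body, hijacker_domains)
        elif kind == "O17":
            v = ("verify", "compare NameServer with the ISP/DHCP-assigned DNS before removing")
        else:
            v = ("review", "identify the file/CLSID by hand")
        out.append((v[0], kind, body, v[1]))
    return out
```

Run it with `triage(open("hijackthis.log").read())` and pass `trusted_allowlist=("intranet.example",)` for any domain the owner genuinely put in the Trusted Zone; an allow-listed domain is then also no longer used to condemn O16 downloads from it. The point of the two-pass design is the correlation the helpers do by eye: a res:// DLL search page makes the about:blank entries part of the same infection, and a Trusted Zone domain that also shows up as an O16 download source is the hijacker's own delivery channel. Entries that come back as review are exactly the ones that still need a Google search on the value name, as the replies above do for each unknown file.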
 

kwn12

Junior Member
Aug 30, 2004
My friend's comp is all F'd up; help would be appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 8:35:51 PM, on 10/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello kwn12,

Before you do anything:
1. Make sure that you have extracted HijackThis to an isolated folder before removing anything, because HijackThis makes its backups in the folder it is in.
2. Disable System Restore; malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers and Windows Explorer.

Fix the following in HijackThis (kill the process in Process Viewer, if it's there):
  • O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
  • O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
  • O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Additional Steps

1. Clear your Temporary Files
2. Remove the following VIA instructions provided:
3. Delete the following folder:
  • C:\Program Files\MyWay\
4. Restart into normal Windows
 

kwn12

Junior Member
Aug 30, 2004
5
0
66
Thanks a lot for your help again Schadenfroh. I followed your instructions, but problems persist. The computer takes a very long time (30+ minutes) to start up normally, but it will boot into safe mode with networking. My friend says these problems started when he installed Kazaa (not Lite); it "ruined" his computer. Any alternatives to formatting?
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: kwn12
Thanks a lot for your help again Schadenfroh. I followed your instructions, but problems persist. The computer takes a very long time (30+ minutes) to start up normally, but it will boot into safe mode with networking. My friend says these problems started when he installed Kazaa (not Lite); it "ruined" his computer. Any alternatives to formatting?

Run Kazaa Begone.

(btw, it might damage your net connection when you run it, so have LSPFix and WinsockFix on your computer just in case)
 

DaFOBulous1

Diamond Member
Sep 5, 2004
4,065
0
71
It's odd but it happens over and over. After doing the same procedures...my internet is still not working.

In the morning, I turn it on and I notice the mouse is very jumpy. I tried running programs and it affects them too: they freeze for a moment and then get going. Also, my internet doesn't work anymore, even after LSPFix and another application that restores your WinSock.

I'm guessing it keeps messing up my WinSock until I get rid of it. My computer is only 2-3 weeks into being freshly reformatted with XP installed, so I really don't want to reformat. I'm in the computer lab, so I have to go home and perhaps run HijackThis, but I'm wondering if anybody has any suggestions as of now. I've got midterms and I need to access information, but formatting is not an option for me at this point.

Any help is appreciated.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
DaFOBulous1

I don't see anything wrong with your HijackThis log. This may or may not be a software issue. I don't think malware is the cause of your problems; have you tried running the latest version of WinsockFix in safe mode?

You might want to post about your problem in Technical Support, as I do not believe this is malware related.
 

music

Senior member
May 9, 2002
281
0
0
Help please! This is from a coworker's home pc.

Logfile of HijackThis v1.98.2
Scan saved at 6:32:11 PM, on 10/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\msagent\intl\nutbin.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Administrator\Application Data\ooou.exe
C:\WINNT\system32\l?ass.exe
C:\WINNT\system32\IfuV.exe
C:\WINNT\system32\IfuV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.420.com/ht/lounge/index.php?page=420
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hcotgq.t.rack.cc/hp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r3.attbi.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yalppct.dat
O2 - BHO: (no name) - {4DAC3300-BF44-5294-8750-105509F92A4E} - C:\WINNT\system32\tdlb.dll
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yalppct.dat
O2 - BHO: CATLEvents Object - {73529697-D46A-4F7D-8A93-01378FCAEDA4} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nibtun.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yalppct.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [OEKPyJ] C:\documents and settings\administrator\local settings\temp\OEKPyJ.exe
O4 - HKLM\..\Run: [4SNH9RX5Y3CM2G] C:\WINNT\system32\WditZRpq.exe
O4 - HKLM\..\Run: [*nutbin] C:\WINNT\msagent\intl\nutbin.exe
O4 - HKLM\..\RunOnce: [*nutbin] C:\WINNT\msagent\intl\nutbin.exe rerun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Eaaw] C:\Documents and Settings\Administrator\Application Data\ooou.exe
O4 - HKCU\..\Run: [Xariq] C:\WINNT\system32\l?ass.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/cli...igns/0003C00/setup.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/do.../files/abasetup141.cab

 

lynaskin

Junior Member
Aug 18, 2004
11
0
0
Can you help me with this one?
Thanks!
Lyn

Logfile of HijackThis v1.98.2
Scan saved at 12:19:08 PM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Lyn's Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1001\EN-XU\STMAIN.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Searchalot - {EFC7E4E0-DF33-11D7-BB74-98F63D0B5B00} - http://www.searchalot.com (file missing) (HKCU)
O9 - Extra button: Downloads - {EFC7E4E1-DF33-11D7-BB74-98F63D0B5B00} - http://www.downloadalot.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.co...es/clients/y/ks0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://www.expressit.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.co...iniBugTransporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/mol.../4,0,0,83/mcinsctl.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://www.ancestryfamilytree....AncestryFamilyTree.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1096043038512
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.picasa.com/inst.../pinstall/pinstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...ssengerStatsClient.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com.../minibuginstaller.cab?
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com...wnload/bin/actxcab.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/mol...s/1,0,0,20/mcgdmgr.cab
O16 - DPF: {E62498E0-1412-4CCD-9378-219AC6E36D26} (FeelzPlayerSetup Class) - http://www.feelingz.com/setup/FeelzPlayer.CAB
O16 - DPF: {F8DCFE8E-7B2B-4FF8-B8A7-A52B6C4B0170} (AvzPrintingComponent Class) - http://nesteggz.about.com/NEUt...rintingActiveX1500.cab

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello music,

Before you do anything:
1. Make sure that you have extracted HijackThis to an isolated folder before removing anything, because HijackThis makes its backups in the folder it is in.
2. Download and update (but do not run yet) About:buster.
3. Disable System Restore; malware can come back through it.
4. Reboot into safe mode.
5. Close all browsers and Windows Explorer.

Fix the following in HijackThis (kill the process in Process Viewer, if it's there):
  • R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.420.com/ht/lounge/index.php?page=420
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
  • R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
  • R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hcotgq.t.rack.cc/hp.php (obfuscated)
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yalppct.dat
  • O2 - BHO: (no name) - {4DAC3300-BF44-5294-8750-105509F92A4E} - C:\WINNT\system32\tdlb.dll
  • O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yalppct.dat
  • O2 - BHO: CATLEvents Object - {73529697-D46A-4F7D-8A93-01378FCAEDA4} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nibtun.dat
  • O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yalppct.dat
  • O4 - HKLM\..\Run: [OEKPyJ] C:\documents and settings\administrator\local settings\temp\OEKPyJ.exe
  • O4 - HKLM\..\Run: [4SNH9RX5Y3CM2G] C:\WINNT\system32\WditZRpq.exe
  • O4 - HKLM\..\Run: [*nutbin] C:\WINNT\msagent\intl\nutbin.exe
  • O4 - HKLM\..\RunOnce: [*nutbin] C:\WINNT\msagent\intl\nutbin.exe rerun
  • O4 - HKCU\..\Run: [internat.exe] internat.exe
  • O4 - HKCU\..\Run: [Eaaw] C:\Documents and Settings\Administrator\Application Data\ooou.exe
  • O4 - HKCU\..\Run: [Xariq] C:\WINNT\system32\l?ass.exe
  • O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
  • O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/cli...igns/0003C00/setup.exe
  • O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/do.../files/abasetup141.cab

Additional Steps

1. (optional) Make a copy of the following files, use a compression tool like WinZip to put them into a .zip file, and send them to me as an attachment for research; my email address is schadenfroh@gmail.com.
  • C:\documents and settings\administrator\local settings\temp\OEKPyJ.exe
  • C:\WINNT\system32\WditZRpq.exe
  • C:\WINNT\msagent\intl\nutbin.exe
  • C:\Documents and Settings\Administrator\Application Data\ooou.exe
  • C:\WINNT\system32\l?ass.exe
2. Clear your Temporary Files
3. Run about:buster
4. Delete the following files:
  • C:\documents and settings\administrator\local settings\temp\OEKPyJ.exe
  • C:\WINNT\system32\WditZRpq.exe
  • C:\WINNT\msagent\intl\nutbin.exe
  • C:\Documents and Settings\Administrator\Application Data\ooou.exe
  • C:\WINNT\system32\l?ass.exe
5. Restart into normal Windows
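The entries Schadenfroh picks out of music's log above share a few recognisable traits: IE search and start-page values reset to about:blank (the About:buster case), a URL HijackThis itself marks "(obfuscated)", executables and BHOs loading from a Temp directory, a BHO that is a .dat file rather than a DLL, an orphaned "(file missing)" entry, and a run key pointing at l?ass.exe, one character away from lsass.exe. As an added example that is not code from the thread or from HijackThis, the Python script below parses HijackThis v1.98.2 log lines and flags exactly those traits; the sample lines are copied from the log quoted above, and the list of imitated system binaries is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Sample HijackThis v1.98.2 entries, copied from the log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hcotgq.t.rack.cc/hp.php (obfuscated)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yalppct.dat
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [OEKPyJ] C:\documents and settings\administrator\local settings\temp\OEKPyJ.exe
O4 - HKCU\..\Run: [Xariq] C:\WINNT\system32\l?ass.exe
"""

# Windows binaries that hijackers in this thread imitate with a one-character change
# (assumed list for the example; extend as needed).
SYSTEM_NAMES = ("lsass.exe", "logonui.exe", "svchost.exe", "winlogon.exe", "explorer.exe")


@dataclass
class Finding:
    line: str
    reasons: list


def _path_of(code, body):
    """Pull the file path or URL value out of an entry body, by entry type."""
    if code.startswith("R"):
        return body.split(" = ", 1)[1] if " = " in body else ""
    if code == "O4":
        return body.split("] ", 1)[1] if "] " in body else ""
    # O2/O3/O9/O16: the target is the last " - " separated segment
    return body.rsplit(" - ", 1)[-1]


def _lookalike(filename):
    """Return the system binary this name differs from by exactly one character, if any."""
    for real in SYSTEM_NAMES:
        if len(real) == len(filename) and sum(a != b for a, b in zip(real, filename.lower())) == 1:
            return real
    return None


def analyze(log_text):
    """Return a Finding for every log entry that shows at least one hijack trait."""
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^([RO]\d+) - (.*)$", raw.strip())
        if not m:
            continue  # header, blank, or "Running processes" lines carry no entry code
        code, body = m.groups()
        value = _path_of(code, body)
        reasons = []
        if code.startswith("R") and value.lower().startswith("about:blank"):
            reasons.append("IE search/start setting hijacked to about:blank")
        if "(obfuscated)" in value:
            reasons.append("HijackThis marks the URL as obfuscated")
        if "(file missing)" in value:
            reasons.append("orphaned entry, target file missing")
        path = value.replace(" (file missing)", "")
        if re.search(r"\\temp\\", path, re.IGNORECASE) and path.lower().endswith((".exe", ".dll", ".dat")):
            reasons.append("executable code loaded from a Temp directory")
        if code == "O2" and path.lower().endswith(".dat"):
            reasons.append("BHO loaded from a .dat file instead of a DLL")
        real = _lookalike(path.rsplit("\\", 1)[-1])
        if real:
            reasons.append(f"filename imitates system binary {real}")
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.line, "\n   ->", "; ".join(f.reasons))
```

The legitimate Acrobat BHO and Symantec vptray entries pass through unflagged, which is the point of checking traits rather than deleting every unfamiliar name.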
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello lynaskin,

Before you do anything:
1. Make sure that you have extracted HijackThis to an isolated folder before removing anything, because HijackThis makes its backups in the folder it is in.
2. Download and update (but do not run yet) About:buster.
3. Disable System Restore; malware can come back through it.
4. Reboot into safe mode.
5. Close all browsers and Windows Explorer.

Fix the following in HijackThis (kill the process in Process Viewer, if it's there):

Additional Steps

1. Clear your Temporary Files
2. Run About:buster
3. Restart into normal Windows
 

networkman

Lifer
Apr 23, 2000
10,436
1
0
I don't know if it's already been pointed out or not, but in addition to AdAware, I also use a program called SpywareBlaster 3.2 to sort of immunize my system against numerous dangerous sites and Active-X controls. It's Freeware and doesn't need to be running in memory to protect your system. It's not 100% effective in blocking everything, but it sure has cut down on the number of problems I've encountered and subsequently needed AdAware for.
 