Desktop has been hacked & can't fix along w/ popups [RESOLVED]


#1
Flappywolf

Hey, I'm running Windows XP and last night my background was taken over. After running Webroot's "Spysweeper" several times (most of the time it froze my comp) and after running Ad-aware SE several times, I have been unable to remove it. I have also followed the instructions that were pinned at the top of this forum. It hasn't disappeared, but something happened to it and it is now stuck in the lower right corner of my screen. All I can read is "Security........." <-- title. Under that I can see "A fatal error in IE has occured.................... 00010E36. Error was caused by Tr.........." When I right click on the desktop and bring up display properties, the only two tabs showing are "Screen Saver" and "Settings" for my Radeon graphics card. The time before I last rebooted after sweeping, I right clicked on the desktop and clicked "properties" and an error report came up with the title "Run a DLL as an App" and asked me to send the error report.
Also, two or three reboots ago, before the taskbar or anything could load, a message came up saying "Windows cannot find 'C:\WINDOWS\appua32.exe' Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search." Then right after I closed that another one right behind it told me that "C:\WINDOWS\System32\:eye.exe" could not be found along with "C:\WINDOWS\javacl.exe". I have since rebooted and have not gotten that message.

Other than that, despite continual sweeping, I keep having the same popups appear. One says " "System Warning" Network fatal error at 00ff:2348AD Warning: your internet connection is not secured. Please use Network Security software to protect your PC from remote attacks and hacks, click "OK" to get all the availble network security software. " If you click "OK" it sends you to http://msxpsupport.c...=dsm&qq=spyware

The other two are popups disguised (I believe) as windows XP protection software. One is an annoying yellow triangle with "!" in the middle of it that states " System Alert: Exploit Detected. System has detechted 4 active exploits that may cause frequent application crashes, instability or low computer preformance. Click the icon to remove exploits. " And last but not least, A popup titled "Window Security Center" pops up and says "WARNING: Windows firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail account, financial data or passwords. Do you want to learn how to protect your computer?"

Well, that's it. Thank you SO MUCH for your time. If there is anything about my computer that I've left out that would be helpful, please tell me.
--Flappywolf

Edited by Flappywolf, 14 April 2005 - 06:17 PM.


#2
Flappywolf

Hi, I'm just posting new information that might be of some help to you in trying to help me. I have found 2 files that deal with my desktop being hacked. One is a bitmap image that is the image my desktop is displaying, the other is an application. Both have the same name "wp" and both were created at the same time. The image talks about " Trojan-Spy.HTML.Smitfraud.c " I have put them in a separate folder on my desktop and won't delete them until you tell me to since they might be of some help to you somehow. Sorry for posting, I just thought this new info might help.
--Flappy

#3
diydelboy

Edited by Geek U Moderator

Edited by ScHwErV, 19 April 2005 - 07:40 PM.


#4
lennymos123

If you need help, then you need to start your own topic. Read the forum rules.

Edited by Geek U Moderator

Edited by ScHwErV, 20 April 2005 - 10:12 AM.


#5
ScHwErV

Flappywolf

Hello and welcome to Geeks To Go.

Please read this post and follow the instructions there.

In order to get a better idea of what's happening with your computer:
  • Please download the latest version of HiJackThis from either Site 1 or Site 2
  • Copy it into its own folder, double-click HijackThis.exe, and hit "Do a system scan and save a logfile"
  • When the scan is finished, it will ask you to save the log. Just save it anywhere that you will remember like your desktop.
  • After you save it, the log will open in notepad. In notepad, press Ctrl-A to Select All, and copy its contents in a reply to this post.
  • Most of what it lists will be harmless or even essential
  • Don't Fix Anything Yet
Good Luck

ScHwErV :tazz:

#6
Flappywolf

Hey, thanks. Here is my HijackThis log. I have since followed the instructions from another post and have gotten my desktop back along with the missing tabs on my display properties screen. I still, however, have the other pop-ups that I can't kill, mentioned above. Thank you so much for your time.

Logfile of HijackThis v1.99.1
Scan saved at 3:46:29 PM, on 4/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\d3dw32.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\ntfx32.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Anti-spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jwxjw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jwxjw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jwxjw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jwxjw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jwxjw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EE68202E-7278-D318-0378-FD11A3F795EB} - C:\WINDOWS\system32\d3yk32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ntfx32.exe] C:\WINDOWS\system32\ntfx32.exe
O4 - HKLM\..\RunOnce: [d3dw32.exe] C:\WINDOWS\d3dw32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C64E0434-DC12-4113-A6DC-F532B3984E38} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C64E0434-DC12-4113-A6DC-F532B3984E38} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {100D93A7-560E-5E6E-5D60-232E29410486} - http://216.118.71.185/1/rdgUS1828.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112119996825
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlqc32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#7
ScHwErV

Flappywolf

user,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck

ScHwErV :tazz:

#8
Flappywolf

Sorry for the long delay in my reply. I had some trouble getting the online scan. Here are my logs that you asked for.

SpSeHjfix112 log:

(4/22/05 1:11:55 AM) SPSeHjFix started v1.1.2
(4/22/05 1:11:55 AM) OS: WinXP Service Pack 1 (5.1.2600)
(4/22/05 1:11:55 AM) Language: english
(4/22/05 1:11:55 AM) Win-Path: C:\WINDOWS
(4/22/05 1:11:55 AM) System-Path: C:\WINDOWS\System32
(4/22/05 1:11:55 AM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(4/22/05 1:11:59 AM) Disinfection started
(4/22/05 1:11:59 AM) Bad-Dll(IEP): (not found)
(4/22/05 1:11:59 AM) Bad-Dll(IEP) in BHO: (not found)
(4/22/05 1:11:59 AM) UBF: 7 - UBB: 1 - UBR: 2
(4/22/05 1:11:59 AM) UBF: 7 - UBB: 1 - UBR: 2
(4/22/05 1:11:59 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(4/22/05 1:11:59 AM) Stealth-String not found
(4/22/05 1:11:59 AM) Not infected->END


My BitDefender report:
Attached File: BitDefender_report.html (267.3KB)

and last, my new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 1:15:58 AM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ntlk.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\ntfx32.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Anti-spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EB9E062-47DE-633E-02AB-4AC63DA507E3} - C:\WINDOWS\crll.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ntfx32.exe] C:\WINDOWS\system32\ntfx32.exe
O4 - HKLM\..\RunOnce: [ntlk.exe] C:\WINDOWS\ntlk.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C64E0434-DC12-4113-A6DC-F532B3984E38} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C64E0434-DC12-4113-A6DC-F532B3984E38} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {100D93A7-560E-5E6E-5D60-232E29410486} - http://216.118.71.185/1/rdgUS1828.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/249c2962db71a6aea923/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112119996825
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlqc32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again for your time.

#9
ScHwErV

OK, let's go after this again.

Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\ntlk.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\ntfx32.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\system32\rghwz.dll
C:\WINDOWS\system32\atlqc32.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3EB9E062-47DE-633E-02AB-4AC63DA507E3} - C:\WINDOWS\crll.dll
O4 - HKLM\..\Run: [ntfx32.exe] C:\WINDOWS\system32\ntfx32.exe
O4 - HKLM\..\RunOnce: [ntlk.exe] C:\WINDOWS\ntlk.exe
O9 - Extra button: Microsoft AntiSpyware helper - {C64E0434-DC12-4113-A6DC-F532B3984E38} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C64E0434-DC12-4113-A6DC-F532B3984E38} - (no file) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlqc32.exe" /s (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. After that, Reboot.

Then post a fresh HiJackThis log for review.

ScHwErV :tazz:

#10
Flappywolf

Here you go. (btw, you guys rock :tazz: )


Logfile of HijackThis v1.99.1
Scan saved at 3:50:21 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netgr32.exe
C:\WINDOWS\system32\addyf32.exe
C:\Anti-spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {41D2B4DA-7A72-4D83-2AB1-ABC9369BAC74} - C:\WINDOWS\system32\addvq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [netgr32.exe] C:\WINDOWS\system32\netgr32.exe
O4 - HKLM\..\RunOnce: [addyf32.exe] C:\WINDOWS\system32\addyf32.exe
O4 - HKLM\..\RunOnce: [addvq32.exe] C:\WINDOWS\system32\addvq32.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {100D93A7-560E-5E6E-5D60-232E29410486} - http://216.118.71.185/1/rdgUS1828.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112119996825
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlqc32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
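As a worked example for the log reviews in this thread (my own added code, not part of the original posts and not a Geeks To Go or HijackThis tool): a Python triage script that parses HijackThis logs like the two above, flags the same kinds of entries ScHwErV checked in post #9, and diffs the process lists of the two logs so the new netgr32.exe/addyf32.exe pair stands out. The function names and the excerpted sample logs are my own construction.

```python
"""Triage helper for HijackThis v1.99-style logs (added example; not part of
the thread and not a Geeks To Go or HijackThis tool). Parses the "Running
processes" block and the R*/O* entries, flags the patterns the helper marked
for fixing (IE search pages redirected into a res:// resource of a local DLL,
missing URLSearchHook, unnamed BHOs, HKLM Run/RunOnce values named after a bare
executable in the Windows directory, services with unknown owner and a missing
binary), and diffs the process lists of two logs. Sample logs are constructed."""
import re

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HKLM_RUN_RE = re.compile(r"^HKLM\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<path>.+)$")

def parse_hjt_log(text):
    """Return (processes, entries): process paths and {"sec","body","raw"} dicts."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"sec": m.group("sec"), "body": m.group("body"), "raw": line})
    return processes, entries

def flag_entry(entry):
    """Return a reason string if the entry matches a heuristic, else None."""
    sec, body = entry["sec"], entry["body"]
    if sec in ("R0", "R1") and "res://" in body and ".dll/" in body:
        return "IE search/start page points at a resource inside a local DLL"
    if sec == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook has been removed"
    if sec == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed Browser Helper Object"
    if sec == "O4":
        m = HKLM_RUN_RE.match(body)
        if m:
            path = m.group("path").strip('"')
            basename = path.rsplit("\\", 1)[-1].lower()
            if path.lower().startswith("c:\\windows\\") and m.group("name").lower() == basename:
                return "HKLM autorun named after a bare executable in the Windows directory"
    if sec == "O23" and "Unknown owner" in body and "(file missing)" in body:
        return "service with unknown owner and missing binary"
    return None

def triage(text):
    """Return [(section, reason, raw line)] for every flagged entry in a log."""
    _, entries = parse_hjt_log(text)
    flagged = [(e, flag_entry(e)) for e in entries]
    return [(e["sec"], reason, e["raw"]) for e, reason in flagged if reason]

def new_processes(before_text, after_text):
    """Process paths present in the later log but absent from the earlier one."""
    seen = {p.lower() for p in parse_hjt_log(before_text)[0]}
    return [p for p in parse_hjt_log(after_text)[0] if p.lower() not in seen]

# Constructed excerpt of the thread's second log (4/26/2005, 1:15 AM).
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\ntlk.exe
C:\Anti-spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rghwz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EB9E062-47DE-633E-02AB-4AC63DA507E3} - C:\WINDOWS\crll.dll
O4 - HKLM\..\Run: [ntfx32.exe] C:\WINDOWS\system32\ntfx32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlqc32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Constructed excerpt of the third log (4/26/2005, 3:50 PM), after the Killbox and HJT fixes.
LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\netgr32.exe
C:\WINDOWS\system32\addyf32.exe
C:\Anti-spyware\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {41D2B4DA-7A72-4D83-2AB1-ABC9369BAC74} - C:\WINDOWS\system32\addvq32.dll
O4 - HKLM\..\Run: [netgr32.exe] C:\WINDOWS\system32\netgr32.exe
O4 - HKLM\..\RunOnce: [addyf32.exe] C:\WINDOWS\system32\addyf32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlqc32.exe" /s (file missing)
"""
```

Running `triage(LOG_AFTER)` against the post-fix log still reports the unnamed BHO, both HKLM autoruns and the orphaned RPC Helper service, which is the "one more problem" ScHwErV picks up in his next reply.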

#11
ScHwErV

One more problem.

Please download and run This Program to help us rid your computer of the peper trojan.

ScHwErV :tazz:

#12
ScHwErV

Haven't heard from you in a while. Just wondering how things are going and if you still need assistance?

ScHwErV :tazz:

#13
Flappywolf

Hey, I'm sorry. My computer decided it hates me and overheated. I had to take it in for a bit to get the fan fixed. Then the wireless router decided not to help me out either, so I've been offline for a bit. Other than that my computer is fine now. Thanks soooooo much. :tazz: ;)

#14
ScHwErV

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.