Unknown popup problem [RESOLVED]



#1 alfonzo64 (Member, 23 posts)
I have a condition on my computer where my computer gets flooded with popups. I have used as many virus, spyware and malware blockers as I could find but none of them worked. None of the programs in my task manager seem to be causing the problem and I am at my wits' end. Please look over my HijackThis report and do what you can.

Logfile of HijackThis v1.99.1
Scan saved at 3:42:24 PM, on 5/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCREGWIZ.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ELITENAE32.EXE
C:\PROGRAM FILES\CLEANMYPC\REGISTRY CLEANER\RCSCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: SearchHook Class - {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - blank (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITENAE32.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.20/ttinst.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.co...X.cab?9,0,712,0
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0008.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0026.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...458/mcfscan.cab
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O19 - User stylesheet: (file missing)


#2 Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi alfonzo64 and welcome to GeeksToGo!

I'm working on your log; as soon as another staff member reviews it I'll post a reply.
;)

Thank you for your patience.

Excal :tazz:

#3 Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi alfonzo64 and welcome to GeeksToGo! My name is Excal and I will be helping you today.

I noticed that your HijackThis.exe is located on your desktop; make sure to save HijackThis in its own folder (e.g. C:\HJT). This is very important, so HijackThis can save backups!

After reviewing your HiJack log file I can see that you have some Malware issues.
So let's get these things taken care of.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy

You have a CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here
Download LQfix Here (do not run yet)

Save all of these files somewhere you will remember, such as the Desktop.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Please print out a copy of these instructions to have them handy

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

5. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

6. Now run the "clean up" program.

7. Open HiJackThis and do a scan

8. Put a Check next to the following items, then click the Fix Checked box

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: SearchHook Class - {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - blank (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0008.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0026.exe
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O19 - User stylesheet: (file missing)


9. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

10. Run the LQFix. Unzip the file, and run LQFix.bat

11. Reboot in normal mode and please post a new HijackThis log and the about:buster log to verify all is good. Ensure you rehide your “hidden files and folders” back to the way they were.

#4 alfonzo64 (Topic Starter, Member, 23 posts)
I have followed your instructions but it has not stopped the problem completely. There are fewer popups now but they are still coming.

Here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:41 AM, on 5/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCREGWIZ.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\APPLICATION DATA\BTWS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.20/ttinst.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.co...X.cab?9,0,712,0
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...458/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} -
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} -
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -

and my About:Buster log:
Scanned at: 10:01:53 PM on: 5/21/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

#5 Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi alfonzo64, great job so far. Let's try to clean the rest of this up.

I noticed that your HijackThis.exe is located on your desktop; make sure to save HijackThis in its own folder (e.g. C:\HJT). This is very important, so HijackThis can save backups!

I also noticed you have two anti-virus programs running. I highly suggest you stick with only one, because having two running could cause conflicts between them.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy
Please download WinsockFix and Host (do not use either program yet).

Please print out a copy of these instructions to have them handy

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Double click the program Winsockfix that you downloaded.

4. Open up the Host program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program
5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items, then click the Fix Checked box

O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} -
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} -
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -


8. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

WebHancer

9. Reboot in normal mode and please post a new log to verify all is good. Ensure you rehide your “hidden files and folders” back to the way they were. Also be sure to re-enable TeaTimer.

#6 alfonzo64 (Topic Starter, Member, 23 posts)
Here is my logfile, but the popups have yet to stop. Some of the old HijackThis registries are back; should I keep deleting them? Did I mention that shortcuts to "Remove Spyware" or "Win Disney Vacation" are appearing on my desktop without my prompting?


Logfile of HijackThis v1.99.1
Scan saved at 8:40:45 PM, on 5/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCREGWIZ.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\APPLICATION DATA\BTWS.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMJB.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMDIAG.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_DIRECTOR.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TDMENGINE.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMJB.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMJB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.20/ttinst.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.co...X.cab?9,0,712,0
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...458/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} -
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} -
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
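The triage that Excal does by hand in post #3 (blanked R0/R1 start and search pages, the R3 search hook, O15 trusted-zone additions, O16 ActiveX downloads from unknown sites, O4 autoruns from odd locations) and alfonzo64's question in post #6 about fixed entries coming back can both be mechanised. The script below is an added example, not part of the thread and not a feature of HijackThis: it parses HijackThis-style entry lines, flags them with those heuristics, and diffs two logs so that entries which survive a fix round stand out (a "fixed" entry that reappears means something still running is re-creating it). The two sample logs are short excerpts of the 5/12 and 5/22 logs posted above; the allowlists ALLOWED_SYSTEM_AUTORUNS and TRUSTED_DPF_HOST_PREFIXES, and the heuristics themselves, are my assumptions that an analyst would maintain. DPF hosts are matched by prefix because the forum software truncated long URLs ("download.mcaf...").

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? -\s*(.*)$")
EXE_RE = re.compile(r"[a-z]:\\.*?\.exe", re.I)

# Assumed allowlists (analyst-maintained, not from the thread). DPF hosts are
# matched by prefix because the forum truncated long URLs ("download.mcaf...").
ALLOWED_SYSTEM_AUTORUNS = {"qttask.exe"}
TRUSTED_DPF_HOST_PREFIXES = ("download.mcaf", "a840.g.akamai", "ax.phobos.app")


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O4", "O16", ...
    body: str     # everything after "Oxx - "


def parse_log(text: str) -> list[Entry]:
    """Keep only the R/O entry lines; headers and the process list are dropped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group("sec"), m.group("body")))
    return out


def suspicious_autorun(path: str) -> bool:
    """Autoruns under Application Data, or in WINDOWS\\SYSTEM under a name that
    is not on the allowlist (ELITENAE32.EXE, btws.exe in the thread), are flagged."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    if "\\application data\\" in p:
        return True
    return p.startswith("c:\\windows\\system\\") and base not in ALLOWED_SYSTEM_AUTORUNS


def classify(e: Entry) -> str | None:
    """Return a reason string if the entry matches a heuristic, else None."""
    sec, body = e.section, e.body
    if sec == "O1":
        return "hosts-file redirect"
    if sec in ("R0", "R1"):  # start/search page blanked by the hijacker
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        return "blanked IE start/search page" if value in ("", "about:blank") else None
    if sec == "R3":
        return "URLSearchHook (search redirector)"
    if sec == "O4":
        m = EXE_RE.search(body)
        if m and suspicious_autorun(m.group(0)):
            return f"autorun from unexpected location: {m.group(0)}"
        return None
    if sec == "O10":
        return "Winsock LSP hijack"
    if sec == "O15":
        return "site added to IE Trusted Zone"
    if sec == "O16":
        m = O16_RE.match(body)
        if not m:
            return None
        url = m.group(3).strip()
        host = url.split("//", 1)[-1].split("/", 1)[0] if url else ""
        if not url or not host.startswith(TRUSTED_DPF_HOST_PREFIXES):
            return f"ActiveX (DPF) control from unvetted source: {url or '(no URL)'}"
        return None
    if sec == "O19":
        return "user stylesheet hijack"
    return None


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    return [(e, r) for e in entries if (r := classify(e))]


def entry_key(e: Entry) -> tuple[str, str]:
    """Identity that survives a fix round: O16 by CLSID (the URL disappears once
    the cab is gone), O4 by executable path, everything else by full text."""
    if e.section == "O16" and (m := O16_RE.match(e.body)):
        return ("O16", m.group(1).upper())
    if e.section == "O4" and (m := EXE_RE.search(e.body)):
        return ("O4", m.group(0).lower())
    return (e.section, e.body)


def diff_logs(before: str, after: str):
    """Keys that disappeared, persisted, and appeared between two logs."""
    b = {entry_key(e) for e in parse_log(before)}
    a = {entry_key(e) for e in parse_log(after)}
    return b - a, b & a, a - b


def reappearing(before: str, after: str) -> list[tuple[Entry, str]]:
    """Flagged entries of `after` that already existed in `before`: they were
    fixed and came back, so a live dropper is re-creating them."""
    _, kept, _ = diff_logs(before, after)
    return [(e, r) for e, r in triage(parse_log(after)) if entry_key(e) in kept]


# Constructed samples: excerpts of the 5/12 and 5/22 logs posted in this thread.
LOG_MAY12 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: SearchHook Class - {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - blank (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITENAE32.EXE
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...458/mcfscan.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cab
"""
LOG_MAY22 = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...458/mcfscan.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} -
"""

if __name__ == "__main__":
    for e, reason in triage(parse_log(LOG_MAY22)):
        print(f"{e.section}: {reason}")
    for e, reason in reappearing(LOG_MAY12, LOG_MAY22):
        print(f"REAPPEARED {e.section} {e.body}  [{reason}]")
```

On the sample logs the second round flags the hosts entry, btws.exe, the WebHancer LSP and the URL-less Halflemon CLSID, and reappearing() singles out that CLSID as the one entry that was fixed on 5/12 and is back on 5/22, which is exactly the signal that the autorun still on the box (btws.exe here) needs to go before the O16 entry is fixed again.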

#7 Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi alfonzo64,

Ok seems we have a tough one here, but we will beat this :tazz: .

I need you to uninstall one of your AntiVirus programs. I suggest you keep Norton, but it's up to you. Just make sure one is gone please.

I also need you to uninstall Spybot Search and Destroy. (I will give you the link after we are done to reinstall it ;) )

Go to Start > Control Panel > Add/Remove Programs to do this.



1. Please DELETE your current HijackThis program from its present location.

2. Download and run the following HijackThis autoinstall program from Here. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Close ALL windows except HJT
  • SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log)
  • POST the log in this thread
  • DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


3. The HijackThis.exe will now be in C:\Program Files\Hijackthis

#8
alfonzo64

    Member

  • Topic Starter
  • Member
  • 23 posts
Well, I have deleted the programs you suggested. Unfortunately as soon as I restarted my computer, all [bleep] broke loose! At least three times the popups as before. Both Norton and McAfee were trial versions so I stuck with AVG.

Here is my log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:24 PM, on 5/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\ELITETPR32.EXE
C:\WINDOWS\APPLICATION DATA\BTWS.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITETPR32.EXE
O4 - HKLM\..\RunServices: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [checkrun] C:\WINDOWS\SYSTEM\ELITETPR32.EXE
O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.20/ttinst.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.co...X.cab?9,0,712,0
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...458/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} -
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} -
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -

#9
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi alfonzo64,

Now with those 2 things out of the way, we can get on with the fix :tazz:

If you don't still have these downloaded:
Download LQfix Here
and Host
(Do not use either program yet)

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Open up the Host program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program
4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items, then click the Fix Checked box

O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} -
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} -
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -


7. Please remove just the files from the following paths using Windows Explorer (if present):
C:\WINDOWS\Application Data\btws.exe

8. Run the LQFix. Unzip the file, and run LQFix.bat

9. Reboot in normal mode and please post a new log and let me know how your computer is running. Ensure you rehide your “hidden files and folders” back to the way they were.

#10
alfonzo64

    Member

  • Topic Starter
  • Member
  • 23 posts
I have done as you have said and here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 7:48:33 PM, on 5/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\ELITETPR32.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kg7hh7l8] C:\WINDOWS\SYSTEM\kg7hh7l8.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\MM15201518.STUB.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITETPR32.EXE
O4 - HKLM\..\RunServices: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [kg7hh7l8] C:\WINDOWS\SYSTEM\kg7hh7l8.exe
O4 - HKLM\..\RunServices: [motoin] C:\WINDOWS\MM15201518.STUB.EXE
O4 - HKLM\..\RunServices: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\RunServices: [checkrun] C:\WINDOWS\SYSTEM\ELITETPR32.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.20/ttinst.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.co...X.cab?9,0,712,0
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...458/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

Do you want me to continue to delete the previous infections that have returned since you prompted me to remove them?
#11
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi alfonzo64,

Believe it or not we are almost done!

Few more things to clean up and you will be good to go :tazz:

You may already have this program downloaded; if that's the case, you don't have to download it.
Download LQfix Here
save it to your desktop, but don't run it yet

Download and install CleanUp! Here Do NOT run it yet.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Close all browsers, windows and unneeded programs.

4. Open HiJack and do a scan.

5. Put a Check next to the following items:

O4 - HKLM\..\Run: [kg7hh7l8] C:\WINDOWS\SYSTEM\kg7hh7l8.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\MM15201518.STUB.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITETPR32.EXE
O4 - HKLM\..\RunServices: [kg7hh7l8] C:\WINDOWS\SYSTEM\kg7hh7l8.exe
O4 - HKLM\..\RunServices: [motoin] C:\WINDOWS\MM15201518.STUB.EXE
O4 - HKLM\..\RunServices: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\RunServices: [checkrun] C:\WINDOWS\SYSTEM\ELITETPR32.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe


6. click the Fix Checked box

7. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

8. Please remove the following folders using Windows Explorer (if present):

C:\WINDOWS\SYSTEM\nsvsvc

9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\SYSTEM\kg7hh7l8.exe
C:\WINDOWS\MM15201518.STUB.EXE


10. Double-click on the LQFix program you downloaded.
A DOS window will open and close again, this is normal.

11. Run the CleanUp! program.

12. Run this online virus scan: ActiveScan - Save the results from the scan!

13. Reboot in normal mode and please post an ActiveScan log and a fresh HijackThis log to verify all is good. Ensure you rehide your “hidden files and folders” back to the way they were.
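The helper's procedure above works by comparing successive HijackThis logs: fix a list of entries, reboot, post a fresh log, see what is gone and what came back (the question raised in post #10). As an added example that is not part of the thread and not HijackThis code, the Python script below parses logs in the format posted here and diffs two scans; the sample logs are constructed excerpts of the 5/25 and 5/29 logs above, and the line format (item code, " - ", entry body) is inferred from them.

```python
"""Compare two HijackThis v1.99.1 logs: which startup entries appeared,
vanished, or survived a 'Fix Checked' round.

Added example for this thread, not code from HijackThis or from the helper.
The sample logs are constructed excerpts of the 5/25 and 5/29 logs posted
above; the line format (item code, " - ", entry body) is inferred from them.
"""
import re
from typing import List, NamedTuple, Tuple

# Item lines: "O4 - HKLM\..\Run: [name] path", "O16 - DPF: {CLSID} ... - url"
ITEM_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")

class Entry(NamedTuple):
    code: str   # "O4", "O16", ...
    body: str   # text after the "O4 - " prefix

class HjtLog(NamedTuple):
    processes: List[str]
    entries: List[Entry]

def parse_log(text: str) -> HjtLog:
    """Split a log into its 'Running processes:' block and its item lines;
    header lines (Logfile of..., Scan saved..., Platform...) are ignored."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_procs = False  # the first item line ends the process block
            entries.append(Entry(m.group(1), m.group(2).strip()))
        elif in_procs:
            processes.append(line)
    return HjtLog(processes, entries)

def entry_key(e: Entry) -> str:
    # Windows paths are case-insensitive and whitespace varies: normalise both.
    return f"{e.code} - {' '.join(e.body.split())}".casefold()

def diff_logs(before: HjtLog, after: HjtLog) -> Tuple[List[Entry], List[Entry]]:
    """Return (added, removed): entries only in 'after' / only in 'before'."""
    before_keys = {entry_key(e) for e in before.entries}
    after_keys = {entry_key(e) for e in after.entries}
    added = [e for e in after.entries if entry_key(e) not in before_keys]
    removed = [e for e in before.entries if entry_key(e) not in after_keys]
    return added, removed

def returned_after_fix(fix_list: str, after: HjtLog) -> List[Entry]:
    """Entries from a 'Fix Checked' list that still appear in the next log,
    which is what alfonzo64 asked about in post #10."""
    wanted = {entry_key(e) for e in parse_log(fix_list).entries}
    return [e for e in after.entries if entry_key(e) in wanted]

def blank_dpf_entries(log: HjtLog) -> List[Entry]:
    """O16 DPF entries with a CLSID but no download URL (body ends at the
    trailing '-'); these were the entries fixed in post #9."""
    return [e for e in log.entries
            if e.code == "O16" and e.body.rstrip().endswith("-")]

# Constructed excerpts of the logs in posts #8 and #10 and the fix list in #9.
LOG_MAY_25 = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\APPLICATION DATA\BTWS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITETPR32.EXE
O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} -
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
"""

LOG_MAY_29 = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE

O4 - HKLM\..\Run: [kg7hh7l8] C:\WINDOWS\SYSTEM\kg7hh7l8.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\MM15201518.STUB.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITETPR32.EXE
"""

FIX_LIST_POST_9 = r"""O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} -
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
"""

if __name__ == "__main__":
    before, after = parse_log(LOG_MAY_25), parse_log(LOG_MAY_29)
    added, removed = diff_logs(before, after)
    print("new since 5/25:", [f"{e.code} - {e.body}" for e in added])
    print("gone since 5/25:", [f"{e.code} - {e.body}" for e in removed])
    print("fixed items that came back:", returned_after_fix(FIX_LIST_POST_9, after))
```

On these excerpts the diff shows the three new O4 entries the helper targets in post #11, while none of the items fixed in post #9 reappear; the surviving [checkrun] entry is common to both logs, which is why it shows up in neither list.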

#12
alfonzo64

    Member

  • Topic Starter
  • Member
  • 23 posts
Well, here you go:

Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SIORAGE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\FAAMEBUF.DLL
Adware:Adware/eZula No disinfected C:\ezStub.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/CWS No disinfected C:\WINDOWS\Favorites\Fun & Games
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32.ini
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/WebHancer No disinfected C:\WINDOWS\webhdll.dll*
Adware:Adware/DelFinMedia No disinfected Windows Registry
Adware:Adware/MediaTickets No disinfected C:\Program Files\joystick networks
Adware:Adware/ILookup No disinfected C:\WINDOWS\ILookup
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\M67M.OCX
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/Beginto No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/Pacimedia No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LMTWN12n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CZET16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RKPILIB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DUGEST.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DPUSIC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PRD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UYDM32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SZELL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PMFMGR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LJKODAK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MMINCP16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\FAAMEBUF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SGEM0409.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NDWRSDA.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RRPILIB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LRTWN12n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VTR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WWPDINFO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MKNETOBJ.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LUFIL11N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NGWRSNL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SNELL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CUMPOBJ.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CRMDLG32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GEDEF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\idetcomm.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Isside your Computer.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\moisam10.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DCSERIAL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MQXML3A.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYNALIGN.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RAAPH.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wepdxm.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CJRDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LSFPX7.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ORTEXT32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WUADRVUD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DNngerous Creatures.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RVCDLL.DLL
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\t2_667279.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MRAWT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WH2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MYSYSTEM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lvmpg12n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NSRSJA.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RMCDLL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DSSTYLE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TanLib20.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DKVVOX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MZASN1.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GQDEF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mmident.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IHONLIB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DQngerous Creatures.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MTACM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\HAD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DOCOMPOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LRTIF12n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MOXDM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wkidx.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wwpns.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IJMP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WS5INF16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VZR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Iqvu9_32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MBTCP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LUTWN80N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LEMSP80N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IVDKCS32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WSASERVC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IAIGN32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\domasf.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\QSDIT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MGNETOBJ.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GHDEF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RGOCURS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LNMSP80N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OVFIL400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\oeccli32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WQPDINFO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IIONLIB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Mhstery.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\hzfinst.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MFSTKPRP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NLSWAN16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AIRESX32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PMWEROLD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CLFG95.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\myvcr71.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DEDXOF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WABVW.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UOBMON.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NJMKCERT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\rzdx8d20.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MHRLE32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SWFOLDER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VIAME.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NBWRSSV.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RSCRT4.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DNIMAN32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LRCMP12n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PVM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ID_NDI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\sOverrc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wapcd.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DQVMGR32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wlidx.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CPFG95.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NKRSPT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PVFMGR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DHBENG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\dQdref8.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\dz630api.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MPVCRT20.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WOVDMOE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LUCMP12n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WTVCORE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LCTWN80N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PLWEROLD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MQT2FW95.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WAASERVC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\EVPSRV.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LXNKINFO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\HEAGENT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ctrtc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\QVSF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MJEXCL40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RFCLTSPX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RRSTORRC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DKDREF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TgnLib20.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MFJAVA.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SVL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MDWSOSP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RGCMQCL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DMBENG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VFAME.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MUDART32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ROAPH.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OEEACCRC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NMRSHU.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MNDVDOPT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RFCRT4.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DSBENG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\THP3216S.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DQWAVE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LZFIL11N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IULOADER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WTASTATD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MMDBG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NATDI90X.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ORETHK32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IRM32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TCPI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Ikvu9_32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LNTWN12n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LCCMP12n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IWONLIB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SMNCENG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DUBENG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NWWRSPL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UMBUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DONHPAST.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\clrtc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\FDNTEXT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\rkdx8d20.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MVASN1.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OTBC32GT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LZTWN12n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PRDLIB32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ioagx5.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DQMSTOR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\eqenu.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RCCMQCL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MGWDAT10.DLL

#13
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi alfonzo64,


Can I get you to post a fresh HijackThis log also?



Thanks,

:tazz:
Excal

#14
alfonzo64

    Member

  • Topic Starter
  • Member
  • 23 posts
Sorry, I could have sworn I put it on there:

Logfile of HijackThis v1.99.1
Scan saved at 8:38:10 PM, on 5/31/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.20/ttinst.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.co...X.cab?9,0,712,0
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...458/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#15
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi alfonzo64,

The good news is that your Hijack Log looks very good.

now for the bad.........

Actually not too bad ;)

You have a looktome infection which didn't show up on your HiJackThis log, but it shouldn't be too hard to clean up. After that we will clean up some leftover files and we should be done ;)

Download the following file:

http://castlecops.co.../FindIt9xME.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
