Aurora-ABI/IBIS Toolbar/CoolWWWSearch [RESOLVED]


  • This topic is locked

#1
wishiwereageek
  • Member
  • 11 posts
I have read these forums many times and been able to fix my problems just by reading until now. I can't say how much I appreciate you wonderful people! Thank you so much for your time and for sharing your expertise with others.

A very stinky toolbar (IBIS) suddenly appeared on the computer (Win98). I ran AdAware and Spybot, and after much trouble and reboots, the IBIS seems to be gone. Spybot was and is acting crazy (see next para), and I had to uninstall it in order for AdAware to be allowed to get rid of much of it. Now AdAware says all is well, but the re-installed SpyBot says I have a nasty called CoolWWWSearch (About:blank version) and one lonely entry of Toolbar Hunter still left. But SpyBot itself won't let me get rid of them!

The little SpyBot pop-up asking if you will allow a registry change is totally messed up and there is no way to tell it "yes" or "no"... it defaults to "no" with numerous pop-ups saying the change was "denied". (I have uninstalled and reinstalled SpyBot several times, and it's still this way. I suspect the CoolWWWSearch may have something to do with this? It's uninstalled again now.)

We were also invaded by the dreaded Aurora/ABI pop-ups at the same time. They seem to have stopped after much effort, but I fear they left nasties lurking behind, ready to pop out from behind a tree!

I have been working on the problems for two days now, scanning, rebooting, and tearing out my hair. I give up on solving this on my own and hope you can help!

This was my first time running a Hijack This log, so I hope I did it right. Thank you in advance for your help, and here is the log (with my apologies for any errors):

Logfile of HijackThis v1.99.1
Scan saved at 11:03:01 AM, on 8/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MICROSOFT INTELLIPOINT 4.12\MOUSE\SETUP\MSH\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "computerking.org"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\up51uhq4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\up51uhq4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft IntelliPoint 4.12\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRAM FILES\TOOLBAR\TBPS.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat....ransporter.cab?
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://toad8.inkfrog...geUploader3.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...32/sdcregie.cab
O16 - DPF: {9386632C-00D9-440F-A448-E25BE16459B2} (DemoShield DemoX Class) - http://www.bugstores...demo//demox.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab

#2
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Do you have Spybot 1.4 installed? If so, those cut-off Allow or Deny buttons are a bug in the program. Nothing we can do but wait till it's fixed. You can still click on it and it will work, just can't see the lower half part.

For ABI, if it's listed on the Add/Remove panel, don't uninstall it there. Instead, go into HijackThis->Config->Misc Tools->Open Uninstall Manager and click on The ABI Network once. Then hit Delete this entry button.

See if you can run Nailfix (see below). If not, just skip it.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download dsrfix.zip http://www.atribune....oads/dsrfix.zip and save it to your desktop. Unzip the dsrfix.zip contents to your desktop. This will create a new folder on your desktop named dsrfix. Do NOT open that folder yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRAM FILES\TOOLBAR\TBPS.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat....ransporter.cab?


Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Uninstall WinTools from the Add/Remove panel if listed.

Locate and delete the following:

C:\WINDOWS\DSR.DLL
C:\PROGRAM FILES\TOOLBAR\
C:\PROGRA~1\COMMON~1\WINTOOLS\


Restart your computer and run Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here along with a new HijackThis log.

#3
wishiwereageek
  • Topic Starter
  • Member
  • 11 posts
Greyknight 17, you are my knight in shining armour! I guess all we damsels in distress say that to you!

I will do all you say now as soon as I print this out and will post again when done. This computer belongs to my dear old Mum and she is disabled and the computer so important to her. She was so excited to get her Comcast wireless network set up, but I'm afraid to set up the network until I get this fixed! She's been so disappointed I can't fix it, so here's hoping this fix will make a dear lady happy and .

There ought to be medals for folks like you. (And jail sentences for the jerks who make these stinky spyware things.)

#4
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
No problem. We're glad we could help out :tazz:

This one shouldn't be too hard to remove.

#5
wishiwereageek
  • Topic Starter
  • Member
  • 11 posts
I am truly, truly grateful! I will come back and post the logs as promised... but now I'm having to run the panda for the third try because the 'puter has konked out twice while it was running. Thank you again, and will post again when done with the Panda scan :tazz:

#6
wishiwereageek
  • Topic Starter
  • Member
  • 11 posts
Finally! I had to run the Panda scan four times. Either it got frozen up before finishing or a momentary power outage did me in the first three times. And it takes soooo long to run it!

Then, on the fourth try, when I told it to save the log (at 2am this morning!) .... well, there was nothing in the notepad file even though I tried saving it several times! So I copied down what I could see in the log by hand, but it wouldn't let me see all of the file name in some cases. I went ahead and deleted some of the stinkers (as marked below):

1. Spyware/New.net C:\old data\Program Files\NewsDotNet\unin.... (could not find it to delete it)
2. Dialer.BSX C:\old data\Program Files\videochat.exe (deleted!)
3. Adware/Brilliant Digital C:\old data\RECYCLED\DC13.DLL (not deleted)
4. Adware/Enh/Srch C:Program Files\Bugbusters\backups\bac... (cannot find to delete... Bugbusters is the file folder I created for Hijack This and About Buster)
5. Adware/Enh/Srch C:\Recycled\N Protect\00000015.DLL (emptied now?)
6. Trj/Downloader.LR C:\Recycled\N Protect\00000118 (Panda zapped it?)
7. Adware/Gator C:\System\Volume Information\-restore {A39... (cannot find to delete!)
8. Adware/Gator C:\System\Volume Information\-restore {A39... (cannot find to delete!)
9. Adware/Gator C:\System\Volume Information\ -restore {A39... (Cannot find to delete)
10. Adware/Otx C:\WINDOWS\Downloaded Program Files\... (Well, how can I delete it if I can't see its name? Not deleted.)
11. Adware/IP Insight C:\WINDOWS\INF\ALCHEM.INF (Notepad file with information on the stinker... didn't delete yet just in case info might prove useful to you.)
12. Application Restart (Security Risk) C:\WINDOWS\SYSTEM\Tools\Restart.exe (not deleted yet -- wanted your advice on it!)
13. Adware/Areate-Radiate C:\WINDOWS\SYSTEM\Amcis2.dll (deleted!)
14. Spyware/Cydoor C:\WINDOWS\SYSTEM\cd_clint.dll (deleted!)
15. Adware/Marketshare C:\WINDOWS\SYSTEM\nsosscfg.exe (deleted!)
16. Adware/IP Insight C:\WINDOWS\ALCHEM.INI (deleted!)
17. Adware/Enh/Srch C:\WINDOWS\dsr.exe (deleted!)
18. Adware/Twain Tech C:\WINDOWS\smdat32m.sys (deleted!)


---- END OF PANDA LOG (such as it is!)

HIJACK THIS log done after Panda Scan:

Logfile of HijackThis v1.99.1
Scan saved at 2:36:07 AM, on 8/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MICROSOFT INTELLIPOINT 4.12\MOUSE\SETUP\MSH\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\BUGBUSTERS!\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N3 - Netscape 7: user_pref("browser.startup.homepage", "computerking.org"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\up51uhq4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\up51uhq4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft IntelliPoint 4.12\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - https://www.opinions...onfig/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://toad8.inkfrog...geUploader3.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...32/sdcregie.cab
O16 - DPF: {9386632C-00D9-440F-A448-E25BE16459B2} (DemoShield DemoX Class) - http://www.bugstores...demo//demox.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab


----END OF HIJACK THIS LOG

Whew! How can I thank you enough for all your kind help? Am I on my way to fixing this thing now?
  • 0
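
Added example, not part of the original thread: a small Python check that compares the log taken before the fixes with the one taken after them, confirms that every line on the helper's fix list is gone, and surfaces entries that only appear in the later log. The function names are hypothetical; the sample lines are excerpted from the logs and fix list posted above, with shortened URLs kept exactly as the page shows them.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] y".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return [(code, detail), ...] for every entry line in a pasted log."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            code, detail = match.groups()
            # Collapse runs of whitespace introduced by copy/paste.
            entries.append((code, " ".join(detail.split())))
    return entries


def _key(entry):
    # Windows paths and CLSIDs are case-insensitive, so compare case-folded.
    return (entry[0], entry[1].casefold())


def diff_logs(before_text, after_text, fix_list_text):
    """Classify entries by what happened between the two scans."""
    before = {_key(e): e for e in parse_entries(before_text)}
    after = {_key(e): e for e in parse_entries(after_text)}
    fix = {_key(e): e for e in parse_entries(fix_list_text)}
    return {
        # On the fix list, seen before, gone now.
        "fixed": sorted(fix[k] for k in fix if k in before and k not in after),
        # On the fix list but still in the later log: the fix did not stick.
        "still_present": sorted(fix[k] for k in fix if k in after),
        # Disappeared without being on the fix list (e.g. an uninstalled program).
        "removed_unlisted": sorted(
            before[k] for k in before if k not in after and k not in fix),
        # Only in the later log: needs a fresh look by the reviewer.
        "new_entries": sorted(after[k] for k in after if k not in before),
    }


# Excerpt of the first log in this thread (8/13/05), shortened for the example.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRAM FILES\TOOLBAR\TBPS.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat....ransporter.cab?
"""

# Excerpt of the second log in this thread (8/14/05), shortened for the example.
AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
"""

# Excerpt of the "Fix checked" list from post #2.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRAM FILES\TOOLBAR\TBPS.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat....ransporter.cab?
"""

if __name__ == "__main__":
    report = diff_logs(BEFORE, AFTER, FIX_LIST)
    for bucket, entries in report.items():
        print(f"{bucket} ({len(entries)})")
        for code, detail in entries:
            print(f"  {code} - {detail}")
```

On these excerpts nothing from the fix list remains, while two O16 entries exist only in the later log.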

#7
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
You may leave that restart.exe file. Seems there are a handful of users having problems with Panda. Are you using dialup internet or high speed (DSL/Cable) internet?

Check and fix this in HijackThis:

O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll

Try this scan:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

#8
wishiwereageek
  • Topic Starter
  • Member
  • 11 posts
You are truly a Wizard Deluxe (as they say in Oz)! Thank you!

I'm using Comcast Cable.

I got rid of otxreasearch in Hijack This. Thanks!

I emptied the Norton quarantine folder, but it doesn't appear that I really emptied it, according to the following log. Hmm. I had also emptied the Recycle Bin.

I had to run the MicroWorld virus scan twice because the USB port mouse wouldn't work in Safe Mode (I am such a dummy sometimes!) and I had to root around and find an old-timey mouse and run it again. Here it is:

Virus Log

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "myway Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "PerfectNav Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\BridgeX.dll". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\QDow_AS2.dll". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\dcainst.dll". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\Preloader.dll". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\setup.exe". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\Preloader.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{4F878398-E58A-11D3-BEE9-00C04FA0D6BA}" refers to invalid object "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\GBDETECT.DLL". Action Taken: No Action Taken.

File C:\DOWNLOAD\TWinExplorer2.6\twinx26 - TWINEXPLORERVER2.6.exe tagged as "not-a-virus:AdWare.Aureate.a". Action Taken: No Action Taken.

File C:\old data\Program Files\NewDotNet\uninstall5_40.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.

File C:\Program Files\BugBusters!\backups\backup-20050813-155608-842.dll tagged as "not-a-virus:AdWare.ToolBar.ImiBar.h". Action Taken: No Action Taken.

File C:\Program Files\BugBusters!\backups\backup-20050814-152338-984.dll tagged as not-a-virus:Downloader.Win32.OTXloader. No Action Taken.

File C:\Program Files\CompuServe 7.0\download\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.

File C:\Program Files\mIRC\backup\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.

File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.

File C:\RECYCLED\NPROTECT\00002076.DLL tagged as not-a-virus:Downloader.Win32.OTXloader. No Action Taken.

File C:\System Volume Information\_restore{A390AF45-AD83-4721-9619-8362CEF3CB41}\RP41\A0004247.EXE tagged as "not-a-virus:AdWare.Gator.4201". Action Taken: No Action Taken.

File C:\WINDOWS\Downloaded Program Files\OTXMedia.dll tagged as "not-a-virus:AdWare.OTX.a". Action Taken: No Action Taken.

-----END OF LOG

#9
wishiwereageek
  • Topic Starter
  • Member
  • 11 posts
Oh dear. I just went through the files to find the stinky adware/spyware, etc. that was found on that last scan. I cannot find them! It seems you cannot search in hidden files and folders in Win98 like you can in XP. (sigh) I await your wisdom.
  • 0

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, any USB devices will not work in Safe Mode.

You won't find those adware/spyware entries because they are in the registry. Mostly these are just useless now, so don't worry about them.

Do you by any chance have another Windows Operating System on this same computer? It looks like you have restore points there (which are only available on Windows ME and XP computers).

Download LSPFix http://www.greyknigh.../spy/LSPFix.exe and run it. Click on the file that starts with newdotnet...dll on the left window and click on the arrow pointing to the right. If you see any other similar newdotnet....dll files, move those over too. Click Finish and follow the prompts.

Uninstall New.net from the Add/Remove panel if listed.

C:\Program Files\BugBusters!\backups\backup-20050813-155608-842.dll
C:\Program Files\BugBusters!\backups\backup-20050814-152338-984.dll
C:\RECYCLED\NPROTECT\00002076.DLL
C:\System Volume Information\_restore{A390AF45-AD83-4721-9619-8362CEF3CB41}\RP41\A0004247.EXE
C:\WINDOWS\Downloaded Program Files\OTXMedia.dll


Delete these two folders if found:

C:\DOWNLOAD\TWinExplorer2.6\
C:\old data\Program Files\NewDotNet\


Restart and try running Panda again. If that still won't work, run another mwav scan and post the log here along with a new HijackThis log.
  • 0

#11
wishiwereageek

    Member

  • Topic Starter
  • Member
  • 11 posts
Thank you! I will do all you say. And I will reply better, too.

Right now, I'm a bit freaked out because someone stole my bellsouth email account password and my ebay account password and ran up huge listing fees for motorcycles on ebay! I finally have those accounts straightened out.

The only thing I can think of is that there was a keystroke logger in with that spyware? Is that possible? I am afraid to change the password in my paypal account because they require you to enter your entire bank account number in order to change your password... I don't want the thief to have my bank account number, too! (How stupid is that for a requirement to change a password? Of course if there is still a keystroke logger on the computer, it would get the new password, too, but at least they wouldn't get my bank account number.)

Is there any way to make sure there is no keystroke logger thingie on this computer now? :tazz:
  • 0

#12
wishiwereageek

    Member

  • Topic Starter
  • Member
  • 11 posts
Okay, I had some tea and I'm better now. No, there is no other operating system on this computer now that I know of. At present, that is. My ex-husband was a network administrator and super computer geek (but, alas he also turned out to be a terrible cad), and he put every version of Windows under the sun on this computer at some point (he messed with it every time we came to visit). Mom didn't like any of them, so it's Win98 again.

There were more troubles with this computer than I mentioned before. We took this computer to the computer shop on Thursday, as Mom was planning to switch to comcast cable from bellsouth dsl on Friday. I unhooked it and all to take to the shop. Just before unhooking it, there was a notification from Microsoft for a critical update. I ignored it, as I was in a hurry to take it to the shop on time.

The computer guru at the shop found a bunch of spyware and stuff on the computer and removed a bunch of it, but said there was more to be done. I'm not sure what all he did to it. He added the google toolbar and he added AVG, Cleanup Temp Files, and Ad Aware (already had SpyBot and Norton). The computer acted okay before going to the shop, though. Not perfect, but not crazy, either.

Thursday evening, after bringing it back from the shop, I connected to the internet to make sure I'd connected all the wires and modem and everything back correctly. That's when the CoolWWWSearch hijacked the browser and the ABI ads started popping up everywhere and SpyBot went nuts. Then, I tried to access the email. It was impossible to get email through Netscape or through Outlook. Kept getting an error message. So Mom went to Bellsouth, and could not log into her account management to check if the problem was there because it said the email accounts did not exist! However, she could log into webmail and get her email, as could I. I spent a bunch of time with BellSouth Live Help, and the agent even remotely accessed the computer but was unable to fix it.

How could all these things go wrong at once? And then to have my accounts hijacked after I had stupidly logged into bellsouth webmail and ebay using my passwords on Thursday evening during the height of the spyware/adware frenzy? That's what makes me wonder about a keystroke logger.

Friday, the comcast guy came and installed the comcast. And you know the rest. We still can't access email through Outlook or Netscape.

Oh, I have the isp address of the party who requested the change of email address from ebay and hijacked that account. I don't know if that does any good or not in tracing it. BellSouth is looking into who fooled with that account, but I don't have any info yet.

Who are these people who do this garbage? Don't they have lives? And what is the point?

Sorry for the rant. And thank you. Now I am off to do the tasks you gave me. I don't know if any of this information is helpful in figuring out what all those stinky spyware things may have got up to in this computer.

Oh, yes, and thank you!
  • 0

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, you should definitely get a firewall program if you don't have one installed already. Install a free firewall program called ZoneAlarm (look for Free Download link).

Update AVG and run the scans. If you want, run BOTH these scans as well:
Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

That should weed out anything if found.

Give me the two logs (Panda and HijackThis) when you are ready :tazz:
  • 0

#14
wishiwereageek

    Member

  • Topic Starter
  • Member
  • 11 posts
Okay, FINALLY! I had to run the Panda scan about seven times because it kept hanging up. Ugh! And each scan takes over three hours! I'm frazzled!

Here are the Panda Scan results:

Incident Status Location

Adware:adware/wintools No disinfected Windows Registry

Adware:Adware/BrilliantDigital No disinfected C:\old data\RECYCLED\DC13.DLL

Adware:Adware/Otx No disinfected C:\WINDOWS\Downloaded Program Files\OTXMedia.dll

Security Risk:Application/Restart No disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe

Security Risk:Application/Restart No disinfected C:\WINDOWS\TEMP\pavD0E3.TMP

MY NOTES:

1. I simply cannot find the BrilliantDigital. It seems there are TWO recycle bins on this poor computer. One is C:\RECYCLED and the other is C:\old data\RECYCLED. The C:\old data\RECYCLED claims it's empty, but I know the C:\RECYCLED lies about being empty when it's not, so that one might, too. I think I should simply delete the folder C:\old data\RECYCLED. Is that right?

2. I also cannot find the OTXMedia.dll. I have been through that WINDOWS downloaded program files folder with a fine-tooth comb, even checking "dependencies" in each file, and came up empty. There must be things in there I can't see?

###END OF PANDA LOG###

Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 12:33:20 PM, on 8/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MICROSOFT INTELLIPOINT 4.12\MOUSE\SETUP\MSH\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BUGBUSTERS!\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N3 - Netscape 7: user_pref("browser.startup.homepage", "computerking.org"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\up51uhq4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\up51uhq4.slt\prefs.js)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft IntelliPoint 4.12\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://toad8.inkfrog...geUploader3.cab
O16 - DPF: {9386632C-00D9-440F-A448-E25BE16459B2} (DemoShield DemoX Class) - http://www.bugstores...demo//demox.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab

#####END OF HIJACK THIS####

The Trend Micro scan only found MNIGHTOIL.A (which I zapped) and COOKIE 2955, which I left, as I didn't know whether it was a good cookie Mom wants to keep, or an evil spyware/adware cookie which needs to be deleted.

LSPFix Only files which appeared are:
rnr20.dll
mswosp.dll
msafd.dll
rsvpsp.dll

I did not remove any of the above, of course!

---------------
Another question: Mom deleted a bunch of old email on Sunday (it takes the poor Panda forever to go through all that email). I thought it would free up a lot of space on the computer, but it didn't. Well, last evening while looking at Panda do its thing, I noticed it spent forever going through a folder called "C:\WINDOWS\Application Data\Mozilla\Profiles\Default...and so forth and so on...Trash". So I checked and there they were, several files named "Trash". One of them was 1.3GB!!! So I deleted the monster (Norton said it was too big for the Recycle bin... duh). But it still wasn't gone, even after rebooting. After emptying the recycle bin and running Norton's Clean Sweep, still no more free space. Finally, I tried Clean Up! and rebooted and it was gone and 1.3GB was added to free space on this poor crammed computer. Is something very wrong with this computer, or is this normal? Why would it keep saving all those gigs of trash? Mom uses Netscape for her email, BTW. Oh, I bet this is a Norton trick! If it is, I think Mom will dump Norton. The version is a lemon, anyway.
--------
Last but not least, I am naturally very concerned about my passwords for ebay and my bellsouth email account getting stolen. The passwords were not easy to guess! That could not be it. And they were most certainly stolen by a faraway stranger. How did they do it? Through this spyware we are cleaning off?

Is it safe to go ahead and install the Zone Alarm before all the nasties are cleaned out? And should we add Ewido to this computer? Or is Trojan Hunter really better? (It has Norton and Ad Aware and AVG, and it will have SpyBot again when the bug gets fixed. Obviously, those four did not do the trick!) I also plan to add SpyBlaster and so forth. What is the best arsenal to combat this stuff?

Again, many thanks!

Edited by wishiwereageek, 17 August 2005 - 03:05 PM.

  • 0

#15
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you enable show hidden files and folders in the Folder Options (Start->Settings->Control Panel->Folder Options->View)? If not, do so now.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\old data\RECYCLED\DC13.DLL
C:\WINDOWS\Downloaded Program Files\OTXMedia.dll


Boot into Safe Mode and run CleanUp! again.

Not sure about that filesize problem. I'm no big fan of Norton and since it's prone to be a major problem for a lot of users, I'll say uninstall the Norton package you have there.

It could be stolen using spyware or certain keylogger trojans. My suggestion is to update AVG and run a full scan. Then when that's done (fix/delete what it finds if any), run online scans at Panda and TrendMicro just as a double check.

Norton doesn't really do anything here unless you have the antivirus program. Yes, get Ewido if you like. It's free after the 14 day trial period and it is compatible with AVG and a lot of other antivirus programs. AVG and Norton Antivirus are NOT compatible, so make sure you don't have those two antivirus programs installed. Trojan Hunter, you may uninstall. If you really like it, then buy it. We have no preference on that one and only ask the user to use it once to see if there are any trojans that regular scans couldn't detect.

You may install ZoneAlarm now or whenever you want to. Just make sure you don't have two firewalls installed at once since that may cause problems.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0
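For readers working with logs like the HijackThis one posted in #14, here is an added example (not part of the thread and not HijackThis's own code) that groups the `XN - ...` entries by section code and pulls the executable out of each O4 autorun line. The function names and the two "look this up by hand" rules (a command with no directory path, an entry marked "file missing") are assumptions made for illustration; the output is a review list, not a verdict on any entry.

```python
import re
from collections import defaultdict

# Excerpt copied from the HijackThis log in post #14 (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

# Every entry line is "<letter><number> - <body>"; process paths and headers are not.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry autorun: "HKLM\..\Run: [Name] command line"
O4_REG_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.*)$")
# O4 Startup-folder shortcut: "Startup: Name.lnk = target"
O4_STARTUP_RE = re.compile(r"^(Startup|Global Startup): (.+?) = (.*)$")

def parse_entries(text):
    """Group entry bodies by section code (R1, O2, O4, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def autoruns(sections):
    """Split each O4 body into where it is registered, its name and its command."""
    out = []
    for body in sections.get("O4", []):
        m = O4_REG_RE.match(body) or O4_STARTUP_RE.match(body)
        if m:
            out.append({"source": m.group(1), "name": m.group(2), "command": m.group(3)})
    return out

def executable_of(command):
    """Program part of a command line: quoted path, unquoted path with spaces, or first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|dll|scr|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else (command.split() or [""])[0]

def needs_manual_lookup(sections):
    """Entries whose file location the log does not show, or whose file is reported missing."""
    notes = []
    for item in autoruns(sections):
        exe = executable_of(item["command"])
        if "\\" not in exe:  # found via the search path, so the log does not say where it lives
            notes.append((item["name"], "no path: " + exe))
    notes += [(code, "file missing") for code, bodies in sections.items()
              for body in bodies if body.endswith("(file missing)")]
    return notes

if __name__ == "__main__":
    for name, reason in needs_manual_lookup(parse_entries(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```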
