Search Assistant / Search extender [RESOLVED]


This topic is locked

#1
Buggles (New Member, 8 posts)
Hi there.

I had the first problems with PSGuard last week, but with your help sorted it out. I bought McAfee Security Suite 7, and because you advised not to have more than one antivirus thing on, uninstalled others before installing that. It gave problems with e-mail, so as part of fixing that I uninstalled it, then re-installed but disabled all but the antivirus thing, then rather installed another (free) firewall plus adware and spyware remover. Sorry for not giving names, I've tried so many things now I've lost track.

Then it kept giving us a message that a virus was detected, the homepage was hijacked, and though it told us every time we opened Internet Explorer that it had removed the virus, I couldn't get the homepage back again, and in the install/uninstall thing there were these new things: Search Assistant, Search Extender, and Shopping Wizard. I can't uninstall them. I decided to try a different antivirus thing, AVG, but between uninstalling McAfee and installing AVG, the abovementioned bugs seemed to entrench themselves.

I confess that I panicked a bit, as I am not only not in a position right now to spend more money on antivirus stuff, I also have lost my faith in them - it seems they simply can't keep up. I currently have installed a2, AVG Free, Advanced Spyware remover, Spybot, Ad-Aware and Advanced Uninstaller Pro. I ran all of these, and quite a few others as well which I uninstalled when they didn't work as I don't want to use disc space unnecessarily. I thought I'd probably just have to make peace with these things, until hard core [bleep] popped up on the screen while my 7yo son was looking at pictures of chariots. I've changed our internet thingie to Firefox now, but the bugs are still in there.

I tried to be sure to follow your directions carefully and do everything you advise before starting a thread, but I'm not too clued up with PCs and all, so if I missed something or made some terrible mistake, apologies in advance.

I have done a HijackThis scan, now I'm not sure if I should include the log straight away. If I shouldn't have, I apologize, but it seems to me it will save time.

Logfile of HijackThis v1.99.1
Scan saved at 16:55:54, on 22/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\APPJJ.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\IPUF.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Class - {78794F02-430B-8A38-72A8-5935AC772E23} - C:\WINDOWS\WINKB32.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MPSExe] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [IPUF.EXE] C:\WINDOWS\SYSTEM\IPUF.EXE
O4 - HKLM\..\Run: [Cleanup] C:\WINDOWS\TEMP\200592119645_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [APPJJ.EXE] C:\WINDOWS\APPJJ.EXE /s
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TEMP\C0A1.TMP
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...576/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

By the way, I tried to run the Trend Micro scan again, and it keeps telling me that another housecall is running.

Thanks so much for everything you do for people like me.

Regards

Buggles.

At the m

Edited by skate_punk_21, 27 September 2005 - 07:39 AM.



#2
skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run a Scan at the Following site
Panda ActiveScan

Make sure that you choose the "fix" or "clean" option when available
at the end of this scan you will be given then option to save a log from the scan -SAVE THAT LOG- and post it here

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Edited by skate_punk_21, 24 September 2005 - 06:15 PM.


#3
Buggles (Topic Starter, New Member, 8 posts)
Hi, thanks for replying. I'm in the process of following your instructions, but the AboutBuster doesn't want to do what it's supposed to do. When I unzip it, it says 'The WinZip Wizard cannot open this file, it does not appear to be a valid archive'. I managed to have a look at what I did then unzip, but there's no .exe file. I tried downloading it from another location, same problem. I've got a-squared, AVG Free, Spyware Blaster, Advanced Spyware Remover, Spybot Search and Destroy and Ad-Aware SE Personal on my computer (all on Desktop). Could one of these be interfering with the download? I tried disabling them as best I could, but I think I might have to temporarily uninstall them - I'm not sure how to stop them otherwise.

Thanks again for your reply. I'm glad to get some help.

Buggles.

#4
skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
Download AboutBuster and uncompress the files to a folder on your Desktop. Run AboutBuster and click OK. Click the Update button to see if there are any updates. Close the program now. DO NOT RUN IT YET

Download CWShredder and run it. The file will ask where to install to; navigate to your desktop and click install. Now double click the new desktop file CWShredder.exe and at the bottom click "check for updates", now close the program. DO NOT RUN IT YET

Let me know if any others give you trouble unpacking... otherwise, continue with prior instructions.

Edited by skate_punk_21, 25 September 2005 - 01:57 PM.


#5
Buggles (Topic Starter, New Member, 8 posts)
Right, I've tried again to follow the directions. I still couldn't properly download About:Buster, but it worked, I could just not update it, I get an error message every time. I ran it anyway, and it said there's no infection on the PC. CWS downloaded fine, and I could update - it assured me I have the latest version. It then said that CWS was not found on this system. SpSeHjfix112 downloaded perfectly, updated fine and also said the system is not infected. I should note that these programmes are not acting exactly as you said they would, I don't know if that's significant - for instance, a log was not automatically saved by SpSeHjfix, I saw a button that said 'log' and saved the log manually, and AboutBuster just gives me a little window with a big blank space and two buttons - update or check now.

Panda Activescan also said that it can't download properly, because some element of it is not being allowed to download. I'm sorry I didn't write that exact error message down. It did say that it could also be because of a lack of disc space. How do I check how much space is available? I've tried disabling the protection I've got just for the time I download, but I'm not sure that I'm managing. I'm prepared to uninstall and re-install when the pc is clean, but that leaves it vulnerable again...

Would you like those logs I did manage to get? Is it possible that one of the protection thingies I got could be blocking the downloading? I do get a window that warns me the download contains .exe files and do I really want to download it, but I do click 'yes'.

Again thank you for your time.

Buggles.

#6
skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
OK, post whatever you can give me, and a fresh HijackThis log please :tazz:

#7
Buggles (Topic Starter, New Member, 8 posts)
Ok, here's the AboutBuster log:

AboutBuster 5.0 reference file 28
Scan started on [26/09/2005] at [11:06:43]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:06:43


AboutBuster 5.0 reference file 28
Scan started on [26/09/2005] at [11:09:18]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:09:19

...and the SpSeHjfix log:


(9/25/05 20:10:30) SPSeHjFix started v1.1.2
(9/25/05 20:10:30) OS: WinME (4.90.3000)
(9/25/05 20:10:30) Language: english
(9/25/05 20:10:30) Win-Path: C:\WINDOWS
(9/25/05 20:10:30) System-Path: C:\WINDOWS\SYSTEM
(9/25/05 20:10:30) Temp-Path: C:\WINDOWS\TEMP\


(9/26/05 11:12:01) SPSeHjFix started v1.1.2
(9/26/05 11:12:01) OS: WinME (4.90.3000)
(9/26/05 11:12:01) Language: english
(9/26/05 11:12:01) Win-Path: C:\WINDOWS
(9/26/05 11:12:01) System-Path: C:\WINDOWS\SYSTEM
(9/26/05 11:12:01) Temp-Path: C:\WINDOWS\TEMP\
(9/26/05 11:12:21) Disinfection started
(9/26/05 11:12:21) Bad-Dll(IEP): (not found)
(9/26/05 11:12:21) Bad-Dll(IEP) in BHO: (not found)
(9/26/05 11:12:21) UBF: 4 - UBB: 5 - UBR: 25
(9/26/05 11:12:21) UBF: 4 - UBB: 5 - UBR: 25
(9/26/05 11:12:21) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(9/26/05 11:12:21) Stealth-String not found
(9/26/05 11:12:21) Not infected->END

...and the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:14:29, on 26/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\APPJJ.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\IPUF.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Class - {78794F02-430B-8A38-72A8-5935AC772E23} - C:\WINDOWS\WINKB32.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MPSExe] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [IPUF.EXE] C:\WINDOWS\SYSTEM\IPUF.EXE
O4 - HKLM\..\Run: [Cleanup] C:\WINDOWS\TEMP\200592119645_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [APPJJ.EXE] C:\WINDOWS\APPJJ.EXE /s
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TEMP\C0A1.TMP
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...576/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

I don't have an awful lot of stuff on the pc, except perhaps residue from the plethora of remedies I tried for this thing infecting it ( :tazz: ), is there some way I can check if it's not enough available disc space that causes AboutBuster and Panda to not want to install properly?

Also a question, I know you probably can't say 100% for sure, but if I use Mozilla Firefox, will this thing be able to see stuff like credit card numbers and so on?

Thanks again.

Buggles.

#8
skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)
Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.

Notes
Ok, well the infection is there, we'll just have to kick it oldschool! :tazz:
And you are correct, I'm not sure, but Firefox is your safer choice, and to the best of my knowledge these infections are just redirections, not info stealers.

Downloads
Download MWaveScan
  • Double-click mwav.exe and unzip it to its default Directory @ C:\Kaspersky
  • Locate "kavupd.exe" in the New Folder and Double Click to Update.
  • If it says the signatures are more than 30 days old, keep trying!
  • Keep trying until you get the actual signatures! (it will say "downloading yadda yadda yadda")
  • When you see "Updates downloaded Successfully, please press any key to continue" go ahead, but do not run anything else in this folder...

Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Now go to the Kaspersky folder-> Locate and Double Click "mwavscan.com" to launch the MWAV Scanner!

Once opened-> Leave the Default Settings "ticked" and add a "tick" to"Drives"-> this will light up "All Drives"-> Add a "tick" to "Scan all Files"-> Click "Scan Clean" to begin!
This Scan may take Several Hours or more to Complete,Depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!

1. Once the Scan has finished, All entries Identified as Infected will be displayed in the lower pane! - Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!
2. Open a Blank Notepad Page and Paste the results (Ctrl+V) to it and Save it to your Desktop!


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Class - {78794F02-430B-8A38-72A8-5935AC772E23} - C:\WINDOWS\WINKB32.DLL
O4 - HKLM\..\Run: [IPUF.EXE] C:\WINDOWS\SYSTEM\IPUF.EXE
O4 - HKLM\..\RunServices: [APPJJ.EXE] C:\WINDOWS\APPJJ.EXE /s
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TEMP\C0A1.TMP

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system\ptpdu.dll
C:\WINDOWS\WINKB32.DLL
C:\WINDOWS\SYSTEM\IPUF.EXE
C:\WINDOWS\APPJJ.EXE
C:\WINDOWS\TEMP\C0A1.TMP


Reboot your system in Normal Mode.


Please post a fresh HijackThis Log and the Results of the Mwav Scanner.
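As an added illustration (this is not code from the thread, from HijackThis or from any of the tools named above), the following Python script applies the same signals skate_punk_21 used by hand to turn the HijackThis log in post #7 into the fix list and deletion list in post #8: a search/start page redirected to a res:// URL inside a local DLL, a BHO with no backing file or a DLL sitting directly in C:\WINDOWS, and autostart entries running from TEMP or an unrecognised executable launched straight out of the Windows directory. The sample lines are constructed from the logs posted in this thread, and the allowlist of stock Win9x/ME autostarts is an assumption made for the example, not a reference list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample built from the shape of the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ptpdu.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Class - {78794F02-430B-8A38-72A8-5935AC772E23} - C:\WINDOWS\WINKB32.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [IPUF.EXE] C:\WINDOWS\SYSTEM\IPUF.EXE
O4 - HKLM\..\RunServices: [APPJJ.EXE] C:\WINDOWS\APPJJ.EXE /s
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TEMP\C0A1.TMP
"""

R_LINE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
RES_DLL = re.compile(r"^res://([^/]+\.dll)", re.I)
O2_LINE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (.*)$")
O4_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Services|Once)?: \[[^\]]+\] (.*)$")
# First drive-letter path on a command line, optionally quoted, with an executable-ish extension.
DRIVE_PATH = re.compile(r'^"?([A-Za-z]:\\.+?\.(?:exe|com|dll|tmp|scr|bat))"?(?:\s|$)', re.I)
# Assumed allowlist of stock Win9x/ME autostarts seen in the posted log; anything else
# launching straight out of C:\WINDOWS or C:\WINDOWS\SYSTEM is flagged for review.
KNOWN_WINDOWS_DIR_AUTOSTARTS = {
    "SCANREGW.EXE", "TASKMON.EXE", "SYSTRAY.EXE", "IGFXTRAY.EXE", "HKCMD.EXE",
    "QTTASK.EXE", "IRMON.EXE", "INTERNAT.EXE", "MSTASK.EXE",
}

@dataclass
class Finding:
    line: str                   # HijackThis line to tick before "Fix checked"
    reason: str
    path: Optional[str] = None  # file on disk to delete afterwards, if any

def _split(path: str):
    """Return (directory, basename) of a Windows path, upper-cased."""
    d, _, b = path.upper().rpartition("\\")
    return d, b

def triage(log_text: str) -> List[Finding]:
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # A search/start page pointing at res://<local dll> is the hallmark of this hijack
    # family; once seen, the about:blank defaults and the missing URLSearchHook go with it.
    hijacked = any(RES_DLL.match(m.group(3)) for m in map(R_LINE.match, lines) if m)
    findings: List[Finding] = []
    for line in lines:
        m = R_LINE.match(line)
        if m:
            res = RES_DLL.match(m.group(3))
            if res:
                findings.append(Finding(line, "search/start page redirected into a local DLL resource", res.group(1)))
            elif hijacked and m.group(3).lower() == "about:blank":
                findings.append(Finding(line, "about:blank default set alongside the res:// hijack; reset with it"))
            continue
        if hijacked and line.startswith("R3 - ") and "is missing" in line:
            findings.append(Finding(line, "default URLSearchHook removed; restore with the rest of the fix"))
            continue
        m = O2_LINE.match(line)
        if m:  # "(file missing)" leftovers of an uninstalled product are deliberately not flagged
            target = m.group(1)
            if target == "(no file)":
                findings.append(Finding(line, "BHO registered with no backing file"))
            else:
                p = DRIVE_PATH.match(target)
                if p and _split(p.group(1))[0] == "C:\\WINDOWS":
                    findings.append(Finding(line, "BHO DLL dropped directly into the Windows directory", p.group(1)))
            continue
        m = O4_LINE.match(line)
        if m:
            p = DRIVE_PATH.match(m.group(1))
            if not p:  # bare names such as SysTray.Exe resolve through PATH; not checked here
                continue
            d, b = _split(p.group(1))
            if d == "C:\\WINDOWS\\TEMP":
                # Review prompt rather than automatic delete: the posted log also had a
                # McAfee installer cleanup entry running from TEMP that was left alone.
                findings.append(Finding(line, "autostart from the Temp directory", p.group(1)))
            elif d in ("C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM") and b not in KNOWN_WINDOWS_DIR_AUTOSTARTS:
                findings.append(Finding(line, "unrecognised executable autostarting from the Windows directory", p.group(1)))
    return findings

def fix_lines(findings: List[Finding]) -> List[str]:
    return [f.line for f in findings]

def files_to_delete(findings: List[Finding]) -> Set[str]:
    return {f.path.upper() for f in findings if f.path}

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}\n    {f.line}")
    print("delete after fixing:", sorted(files_to_delete(found)))
```

Run against the sample it reproduces the five files named in post #8; the Temp and Windows-directory rules are review prompts, so a helper still checks each hit before deleting.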

#9
Buggles (Topic Starter, New Member, 8 posts)
Okay, everything worked like a charm and I had no problems with downloads. I followed the directions step by step, thanks, it was clear enough even for me. Here are the results:

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 17:23:27, on 26/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [Cleanup] C:\WINDOWS\TEMP\200592119645_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...576/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

MwaveScan log:

File C:\WINDOWS\SYSTEM\IPUF.EXE infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\APPJJ.EXE infected by "Trojan.Win32.Agent.bi" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\oleext.dll infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\ptpdu.dll tagged as not-a-virus:AdWare.SearchPage. No Action Taken.
File C:\_RESTORE\TEMP\UNINSTIU.0 infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\ptpdu.dll tagged as not-a-virus:AdWare.SearchPage. No Action Taken.

I looked as carefully as I could for the files you mentioned, and the following ones I could not find in the HijackThis scan thing:

O4 - HKLM\..\Run: [IPUF.EXE] C:\WINDOWS\SYSTEM\IPUF.EXE
O4 - HKLM\..\RunServices: [APPJJ.EXE] C:\WINDOWS\APPJJ.EXE /s

After that, the following files were also missing, though I know you said they might be:

C:\WINDOWS\WINKB32.DLL
C:\WINDOWS\SYSTEM\IPUF.EXE
C:\WINDOWS\APPJJ.EXE
C:\WINDOWS\TEMP\C0A1.TMP

Thanks again.

Buggles :tazz:

#10
skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)

File C:\WINDOWS\SYSTEM\IPUF.EXE infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\APPJJ.EXE infected by "Trojan.Win32.Agent.bi" Virus. Action Taken: File Deleted.

The Mwave scanner took care of those :)
Were you able to find "C:\WINDOWS\SYSTEM\ptpdu.dll"?
Just to make sure, could you please open a command prompt and type the following:
attrib -s -r -h C:\WINDOWS\SYSTEM\ptpdu.dll   Now hit Enter
del C:\WINDOWS\SYSTEM\ptpdu.dll   Now hit Enter, then type Exit and hit Enter again!


Congratulations Your Log is Clean!! :tazz:

If you are still having trouble, please don't continue with these instructions just yet. LET ME KNOW!


System Restore
Now that we know your system is clean, we want to purge any potentially infected restore points. To do that, complete the following:

1: Go to Start->Settings->Control Panel and double-click on the System icon.
2: On the Performance tab click File System.
3: Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows.
4: You may enable System Restore again by following the same steps as above except you should uncheck 'Disable System Restore'.


Preventative Measures

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?.

Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

How is she running now? Any further problems? If not, Good work, and Happy Computing!

Please reply once more so we know you have read these measures

Edited by skate_punk_21, 26 September 2005 - 09:22 PM.

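The attrib -s -r -h / del step above in script form, as an added example that is not the thread's own tooling: instead of deleting outright it clears the attributes, records a SHA-256, and moves the file into a quarantine folder so it can still be looked at if something breaks afterwards. The kernel32 SetFileAttributesW call is only used on Windows; on other systems the owner write bit is set instead, which is only an approximation of attrib. The demo() helper and its sample file are constructed for the example.

```python
"""Clear attributes and quarantine a leftover file (added example, not from the thread)."""
import ctypes
import hashlib
import os
import shutil
import stat
import sys
import tempfile

FILE_ATTRIBUTE_NORMAL = 0x80   # Win32: file has no other attributes set


def clear_attributes(path):
    """Equivalent of `attrib -s -r -h`: make the file a plain, writable file."""
    if sys.platform == "win32":
        if not ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL):
            raise ctypes.WinError()
    else:
        # Not a true equivalent (no hidden/system bits here); just make it writable.
        os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(path, quarantine_dir):
    """Move one flagged file out of the way; returns a record for the clean-up notes."""
    if not os.path.isfile(path):
        return {"path": path, "status": "missing"}   # scanner already removed it
    clear_attributes(path)
    digest = sha256_of(path)                         # hash before moving, for the notes
    os.makedirs(quarantine_dir, exist_ok=True)
    stored_as = os.path.join(
        quarantine_dir, f"{os.path.basename(path)}.{digest[:12]}.quarantined")
    shutil.move(path, stored_as)
    return {"path": path, "status": "quarantined",
            "sha256": digest, "stored_as": stored_as}


def demo():
    """Constructed sample: one read-only leftover file plus one already-missing file."""
    workdir = tempfile.mkdtemp(prefix="quarantine-demo-")
    sample = os.path.join(workdir, "ptpdu.dll")        # file name taken from the thread
    payload = b"constructed sample content, not malware\n"
    with open(sample, "wb") as fh:
        fh.write(payload)
    os.chmod(sample, stat.S_IRUSR)                     # read-only, like attrib +r
    missing = os.path.join(workdir, "IPUF.EXE")        # the scanner already deleted this one
    records = [quarantine(p, os.path.join(workdir, "quarantine")) for p in (sample, missing)]
    expected = hashlib.sha256(payload).hexdigest()
    return (records, expected, os.path.exists(sample),
            os.path.exists(records[0]["stored_as"]))


if __name__ == "__main__":
    for record in demo()[0]:
        print(record)
```

Keeping the hash and the moved copy is what makes the difference between "I think I deleted it" and being able to confirm it later, which is exactly the question asked in the post above.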

#11
Buggles

Buggles

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Yeeehaaa!!! :tazz: The PC is running like a dream, thank you. I'm using Explorer at the moment as I came here through the link via the e-mail I got, but I think I'll be using Firefox in the future just to be safe.

To answer more specific questions:

Yes, I had deleted ptpdu.dll, fortunately I took notes as I completed the steps you showed me, and I could confirm that for sure.

I disabled System Restore.

I carefully read the 'how did I get infected...' page you referred me to, and took note of everything said there, downloaded what I was recommended to. Jason Levine's Browser Security Test didn't want to come up, but I'll try it later.

To sum up, I now have ie-spyad installed, and also:
AVG-free Antivirus
SpywareBlaster
AsquaredStartCentre
SpywareGuard
CleanUp40 (which I'll run once a week)
SpyBot Search & Destroy
CWShredder
Ad-Aware SE personal
Sygate Personal Firewall

I just realized that perhaps Asquared and AVG might clash, they're both antivirus thingies, aren't they? Please advise if you think I should discard one.

How can I ever thank you enough for your time and effort? If only I had a million dollars, I would donate it right away! Don't have that much, but I'll have to see what I can do to help this site stay available for others like me.

Bless you, my friend.

Regards

Buggles :)

#12
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
a2 and AVG should be fine; I wouldn't worry about those two.
Glad everything is working out so well
come back and visit (but not with malware :tazz: )
Calvin

#13
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.