Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TROJ_AGENT.BM is giving me fits!


  • Please log in to reply

#1
cuhri

cuhri

    Member

  • Member
  • PipPip
  • 20 posts
Whenever I scan my PC with No-Adware, the same Trojan appears (10 times within my registry). I have been unable to remove this Trojan from my computer with No-Adware. It acts as if it has removed this Trojan but it has not.

Any ideas on how to remove this monster? I have Windows 98 and IE...and I'm "technologically challenged" (just to warn you).

Here's my hijackthis log.

Thanks guys!

Logfile of HijackThis v1.99.0
Scan saved at 3:16:24 PM, on 1/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\AGRSMMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSEF32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jpotq.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jpotq.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jpotq.dll/sp.html#76985
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {6766C673-33DE-2B5A-5198-059261CA2F9E} - C:\WINDOWS\SYSTEM\MFCLP32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [SYSEF32.EXE] C:\WINDOWS\SYSEF32.EXE
O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRAM FILES\SPYWARE-COP\SPYWARE-COP.EXE" /s
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
  • 0

Advertisements


#2
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Please download "Service Filter" from here:

http://www.geekstogo...=download&id=41

Unzip the contents of the .zip file to a convenient location and follow the instructions below.


Double Click ServiceFilter.vbs to run it.

If you have a script blocking program you will get a warning asking if you want to allow ServiceFilter.vbs to run, some will say "malicious script warning" or something to that effect. There is nothing malicious about this script, you can click to allow it to execute.

When the script finishes a wordpad doc should open with the unknown services listed in it. If the script could not access wordpad then you will see a message box telling you so, in that case you need to open POST_THIS.TXT by double clicking it. . Paste the contents back here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work

-=jonnyrotten=- :tazz:
  • 0

#3
cuhri

cuhri

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hey Jonny!

Thanks for answering my request for help with TROJ_AGENT.BM.

Unfortunately, I am unable to open ServiceFilter.vbs...I get this message:

This script intended for Windows XP and 2000 only.

Any solutions for Windows 98?

Thanks!
  • 0

#4
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Oops, overlooked that :tazz: Try this:

Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right click "Deldomains.inf" and click "Install". It will not appear to have done anything, thats ok. Next step.

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders:
Go to "Control Panel", "Folder Options", and click the "View" tab. Scroll down until you see "Show Hidden Files and Folders" and select it. Click ok.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jpotq.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jpotq.dll/sp.html#76985
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jpotq.dll/sp.html#76985
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6766C673-33DE-2B5A-5198-059261CA2F9E} - C:\WINDOWS\SYSTEM\MFCLP32.DLL
O4 - HKLM\..\RunServices: [SYSEF32.EXE] C:\WINDOWS\SYSEF32.EXE
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

Then delete the following files (if they exist):

C:\WINDOWS\system\jpotq.dll
C:\WINDOWS\SYSTEM\MFCLP32.DLL
C:\WINDOWS\SYSEF32.EXE
C:\PROGRAM FILES\FLASHGET

Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as well as the About:Buster log you were asked to save earlier.

-=jonnyrotten=- :thumbsup:

I have a bad feeling that this fix isn't going to work ;) Keep your fingers crossed.
  • 0

#5
cuhri

cuhri

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hey Jonny!

You are bloody brilliant! I did most of what you had mentioned, but AboutBuster gave me a "Database corrupt or missing" message. So I'll have to re-download that and run it in safe mode.

Ad-Aware is great! Blasted right through all that malware and cookies.

Thanks for all the fantastic support!

You've helped me slay many dragons tonight.

It's now after 2:00 am and I'm beat.

Again...many thanks for your support and patience.
  • 0

#6
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Glad to hear it! Lets double check another Hijack This log once more to make sure you're fully clean.

-=jonnyrotten=- :tazz:
  • 0

#7
cuhri

cuhri

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hey Jonny!

My celebration was short lived as I ran AdAware again this morning and it came across 140 nasties. But that's better than the original 386! I know we have to take this clean up in baby steps.

I was finally able to run AboutBuster (twice) and saved the diagnostic log. Also re-ran HijackThis.

Here ya go...

Once again...thanks! Let me know how we're doing.

Scanned at: 9:08:33 PM on: 1/22/05


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.99.0
Scan saved at 9:10:39 PM, on 1/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\ABOUTBUSTER\ABOUTBUSTER\ABOUTBUSTER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {CF6F38A7-F80D-E373-86BE-E07E89AC512D} - C:\WINDOWS\SYSTEM\ATLSM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [SYSEF32.EXE] C:\WINDOWS\SYSEF32.EXE
  • 0

#8
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Oops, you forgot the bottom of the Hijack This log. Lets get another. Don't worry we'll get ya all fixed up. :tazz:

-=jonnyrotten=- ;)
  • 0

#9
cuhri

cuhri

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Oops! Here it is, Jonny. Sorry for the inconvenience.

Logfile of HijackThis v1.99.0
Scan saved at 12:02:53 AM, on 1/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\AGRSMMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSEF32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {CF6F38A7-F80D-E373-86BE-E07E89AC512D} - C:\WINDOWS\SYSTEM\ATLSM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [SYSEF32.EXE] C:\WINDOWS\SYSEF32.EXE
O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRAM FILES\SPYWARE-COP\SPYWARE-COP.EXE" /s
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
  • 0

#10
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Naaw it's no inconvenience. Remove these entries with Hijack this:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {CF6F38A7-F80D-E373-86BE-E07E89AC512D} - C:\WINDOWS\SYSTEM\ATLSM.DLL
O4 - HKLM\..\RunServices: [SYSEF32.EXE] C:\WINDOWS\SYSEF32.EXE

Reboot into "Safe Mode" and delete the following files if found:

C:\WINDOWS\SYSTEM\ATLSM.DLL
C:\WINDOWS\SYSEF32.EXE

Reboot normally and post a new log. How are things running now?

-=jonnyrotten=- :tazz:
  • 0

Advertisements


#11
cuhri

cuhri

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hey Jonny!

Did as you had suggested. Here's my HijackThis log.

Logfile of HijackThis v1.99.0
Scan saved at 2:16:36 PM, on 1/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\AGRSMMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {A2255E37-74A4-DD4D-8C74-8315C2FFBEDA} - C:\WINDOWS\SYSTEM\IEPG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRAM FILES\SPYWARE-COP\SPYWARE-COP.EXE" /s
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Looks like "R3 -Default URLSearchHook is missing" has come back uninvited. I'm ready to hire a bouncer at the front door of my computer (the back door too!).

Thanks again for checking this out. I feel like we are getting closer to ridding my machine of this mess.
  • 0

#12
cuhri

cuhri

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hey Jonny!

Just to imform you. I've gone into my "Add/Remove Programs" to see what programs are there and it seems to me that there are some bad ones that need to be uninstalled.

Here's a list of what I have:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 5.0
Adobe Type Manager Deluxe 4.1
Agere Systems PCI Soft Modem
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI HYDRAVISION
ATI Multimedia Center 8.6.0.0
BHA B's Recorder Gold 5.30
DAO
Epson Printer Software
Epson USB Printer Devices
esyndicate
FlashGet (JetCar)
HijackThis 1.99.0
Home Search Assitent
IE Host
MaxSpeed
Microsoft Office 2000 Premium
Microsoft Outlook Express 6
Microsoft Web Publishing Wizard 1.6
QuarkXpress 4.0
RealOne Player
Search Extender
SEP
Shopping Wizard
Sound Blaster AWE64
Spybot-Search & Destroy 1.3
Spware-Cop v 10.0
TSA
Web Offer
Wild Arcade
Windows Installer Clean Up

I've put the ones I suspect in bold. I don't know if this has anything to do with my problem, but I thought that I'd bring it to your attention.
  • 0

#13
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Definitely uninstall all of those and post a new log. Also, what is DAO?

-=jonnyrotten=- :tazz:
  • 0

#14
cuhri

cuhri

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hey Jonny!

Did a bit of clean-up in my Programs. But I get the same error message for "Home Search Assitant", "Search Extender" and "Shopping Wizard" when trying to remove these 3.

Problem with Shortcut:

Unable to open "http://looking-for.c...Assistant.html"

Unable to open "http://looking-for.c...hExtender.html"

Unable to open "http://looking-for.c...ingWizard.html"

Think these bad boys may be running around together...a real triple threat.

Here's an explanation for DAO:

DAO (Data Access Objects) is an application program interface (API) available with Microsoft's Visual Basic that lets a programmer request access to a Microsoft Access database. DAO was Microsoft's first object-oriented interface with databases. DAO objects encapsulate Access's Jet functions. Through Jet functions, it can also access other Structured Query Language (SQL) databases.

Another website said that DAO had to do with Microsoft Office.

Web Offer refuses to budge...just no action when I try to remove it from Programs.

Finally got rid of WildArcade by deleting it...it had a block (Blaster Blocks) on the uninstall.

Here's my latest HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 11:59:30 PM, on 1/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\AGRSMMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {A2255E37-74A4-DD4D-8C74-8315C2FFBEDA} - C:\WINDOWS\SYSTEM\IEPG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRAM FILES\SPYWARE-COP\SPYWARE-COP.EXE" /s
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\SYSTEM\EZPOPSTUB.EXE /UninstPOP2 C:\Program Files\Web Offer
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Something tells me I'm becoming a geek! :tazz: Just saw "Web Offer" within the log!

I can never thank you enough for your help with this.
  • 0

#15
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location.

Reboot into "Safe Mode".

Double-click on KillBox.exe. Check the box next to "Delete on Reboot" and copy and paste the following files into the "Full path of File to delete" box.

C:\WINDOWS\SYSTEM\IEPG.DLL
C:\WINDOWS\SYSTEM\EZPOPSTUB.EXE


Now run Hijack This and remove the following entries.

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A2255E37-74A4-DD4D-8C74-8315C2FFBEDA} - C:\WINDOWS\SYSTEM\IEPG.DLL
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\SYSTEM\EZPOPSTUB.EXE /UninstPOP2 C:\Program Files\Web Offer

Now delete this folder:

C:\Program Files\Web Offer

Reboot and post a new log.

-=jonnyrotten=- :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP