hijacked browser pop ups offline iexplorer problem


5 replies to this topic

#1 killak
  • Full Member
  • 19 posts

Posted 24 July 2004 - 10:38 PM

Hey to all who read, thanks in advance. I read the FAQ and I'm sorry to say Ad-Aware and Spybot have not helped me. My problem is that sometimes when I start up my computer, after everything has finished loading, out of nowhere iexplorer starts up, opening window after window until the computer crashes. Also, in i-explorer toolbars I didn't install appear, and finally pop-up after pop-up ad appears even offline. Plus, when I try running other programs a message comes up that there is not enough memory to run the selected program. When pressing Ctrl-Alt-Delete there are a number of things I don't think should be there. Thanks to these problems I can't enjoy my PC experience.

Logfile of HijackThis v1.98.0
Scan saved at 11:37:00 PM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LTCM000C.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\TWARNMSG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\S3TRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\FHCCALL.EXE
C:\WINDOWS\TEMP\BBH.EXE
C:\WINDOWS\UPTODATE.EXE
C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE
C:\WINDOWS\SYSTEM\OKQYLWP.EXE
C:\WINDOWS\SYSTEM\RINTIYC.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QUIKSEARCH.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\HPDLLHOST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\T2EPT32.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\APPLICATION DATA\SWCE.EXE
C:\WINDOWS\SYSTEM\ZPCTPB.EXE
C:\WINDOWS\SYSTEM\VDMIOEXCTL.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
C:\PROGRAM FILES\INTERVIDEO\COMMON\BIN\WINCINEMAMGR.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\MWGN.EXE
C:\WINDOWS\SYSTEM\HCTRLH.EXE
C:\WINDOWS\SYSTEM\PXT1C4.EXE
C:\PROGRAM FILES\SYSAI\SYSAI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...=5.5&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?cxlow (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?cxlow about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?cxlow (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?cxlow (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?cxlow (obfuscated)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\PROGRAM FILES\TV MEDIA\TvmBho.dll
F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 27.0.0.1 www.theadultwire.com
O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {36AC6550-9112-7997-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\JQMVBEK.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\SYSTEM\ICDD7EE6.DLL
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\SYSTEM\IEL2CDE8.DLL
O2 - BHO: CBho404 Object - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\SYSTEM\INETP60.DLL
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\SYSTEM\WM41A398.DLL
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\WINRES.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\SYSTEM\LI01F948.DLL
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\SYSTEM\READDB40.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TWarnMsg] TWarnMsg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [fhccall] C:\WINDOWS\SYSTEM\FHCCALL.exe
O4 - HKLM\..\Run: [FHC] C:\PROGRAM FILES\FREE HISTORY CLEANER\FREEHISTORYCLEANER.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [WebInstall2] C:\PROGRAM FILES\CLIPGENIE\WEBINSTALL.EXE /R
O4 - HKLM\..\Run: [BBH] C:\WINDOWS\TEMP\BBH.EXE
O4 - HKLM\..\Run: [5RBGY#Y43AE4EW] C:\WINDOWS\SYSTEM\Qdxc4jKR.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
O4 - HKLM\..\Run: [wdwvyx] C:\WINDOWS\wdwvyx.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\SYSTEM\okqylwp.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\rintiyc.exe
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\SYSTEM\IEL2CDE8.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\SYSTEM\INETP60.DLL,DllRunServer
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\SYSTEM\ICDD7EE6.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\SYSTEM\LI01F948.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [QuikSearch] C:\WINDOWS\SYSTEM\QuikSearch.exe
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\SYSTEM\WM41A398.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\SYSTEM\READDB40.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [DHELPD] C:\WINDOWS\SYSTEM\DHELPD.exe
O4 - HKLM\..\Run: [r35P36l] T2EPT32.EXE
O4 - HKLM\..\Run: [Ad-aware] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [HCTRLH] C:\WINDOWS\SYSTEM\HCTRLH.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Pica] C:\WINDOWS\Application Data\swce.exe
O4 - HKCU\..\Run: [Zksttaf] C:\WINDOWS\SYSTEM\zpctpb.exe
O4 - HKCU\..\Run: [a0uFRWJ7T] VDMIOEXCTL.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - HKCU\..\RunOnce: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini (file missing)
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#2 nasdaq
  • Forum Deity
  • Global Moderator
  • 49,092 posts

Posted 30 July 2004 - 08:09 AM

Hello Killak,

I found two bad pieces of malware, Peper and CoolWebSearch, along with a number of others that should not be too hard to remove.

Please print this as it will help in following all the steps correctly.

First, download and run this Peper trojan uninstaller, making sure you're online while running it!:
Peper-uninstaller
Next download this uninstaller

Make sure all browsers and all Windows Explorer windows are closed, and run it.
*
When this is done, run AdAware. I know you have used it but want to make sure it's installed correctly.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL's
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

IMPORTANT
If you use a HOSTS file, beware of this new issue.
Ad-Aware has decided to include a new detection when scanning the HOSTS file. This now creates a "Bad hosts file entry" in the log file generated at the end of a scan. The best thing to do is to place a check in each entry, right-click and select: "Add selection to ignorelist". Otherwise, if you let Ad-Aware "fix" these items it will trash the HOSTS file, even if you have it "locked" by, for example, SpywareBlaster or WinPatrol. It does not restore the attributes and renames the HOSTS file incorrectly to hosts.
Close AdAware.
*
Reboot and, on restart, start in "Safe Mode".

As the computer restarts, press and hold down the F8 key until the Windows startup menu appears.
Choose Safe mode from the startup menu, and then press Enter. Windows starts in Safe mode.

Then, run that last uninstaller and AdAware again to fully remove the remnants.

Reboot normally.
*
Now let's take care of the CoolWebSearch.

Download CWShredder.exe CoolWebSearch removal tool from
http://www.spywarein.../CWShredder.exe

Place the downloaded file in its own folder.

Make sure all browsers and all Windows Explorer windows are closed.

Run the application and be sure to click on the "Fix" button.

When the scan is completed and all files removed, close it.
*

As a minimum security precaution, download SpywareBlaster and install it.
http://www.wildersse...areblaster.html

SpywareBlaster Tutorial.
http://www.bleepingc...showtutorial=49

I suggest you keep your internet activities to known and trusted sites until this is all fixed.
Otherwise the culprits will come back.
*

I would like you to change the location of HijackThis.exe.
It's best for this tool NOT to be located on your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong, and it will prevent the tool from placing shortcuts on your Desktop.

Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the .exe file in it.

Submit a fresh log for review.
nasdaq


#3 killak
  • Full Member
  • 19 posts

Posted 30 July 2004 - 08:45 PM

Hey nasdaq, thanks a lot; however, I've seen no improvement in the pop-ups, and the toolbars are still in iexplorer. Here is the log:

Logfile of HijackThis v1.98.0
Scan saved at 9:45:26 PM, on 7/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LTCM000C.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\TWARNMSG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\S3TRAY.EXE
C:\WINDOWS\SYSTEM\FHCCALL.EXE
C:\WINDOWS\TEMP\BBH.EXE
C:\WINDOWS\UPTODATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE
C:\WINDOWS\SYSTEM\OKQYLWP.EXE
C:\WINDOWS\SYSTEM\RINTIYC.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QUIKSEARCH.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\HPDLLHOST.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\AVIFIL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\APPLICATION DATA\SWCE.EXE
C:\WINDOWS\SYSTEM\ZPCTPB.EXE
C:\WINDOWS\SYSTEM\AWKLE32.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
C:\WINDOWS\SYSTEM\MMGR32C.EXE
C:\PROGRAM FILES\SYSAI\SYSAI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\PROGRAM FILES\TV MEDIA\TvmBho.dll
O1 - Hosts: 27.0.0.1 www.theadultwire.com
O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {36AC6550-9112-7997-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\JQMVBEK.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\PLG0\APROPOSPLUGIN.DLL
O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\SRCHFST.DLL
O2 - BHO: CBho404 Object - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\SYSTEM\INETP60.DLL
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\SYSTEM\ICDD7EE6.DLL
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\SYSTEM\IEL2CDE8.DLL
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\SYSTEM\WM41A398.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\SYSTEM\LI01F948.DLL
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\SYSTEM\READDB40.DLL
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\SRCHFST.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TWarnMsg] TWarnMsg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [fhccall] C:\WINDOWS\SYSTEM\FHCCALL.exe
O4 - HKLM\..\Run: [FHC] C:\PROGRAM FILES\FREE HISTORY CLEANER\FREEHISTORYCLEANER.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [WebInstall2] C:\PROGRAM FILES\CLIPGENIE\WEBINSTALL.EXE /R
O4 - HKLM\..\Run: [BBH] C:\WINDOWS\TEMP\BBH.EXE
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
O4 - HKLM\..\Run: [wdwvyx] C:\WINDOWS\wdwvyx.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\SYSTEM\okqylwp.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\rintiyc.exe
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\SYSTEM\IEL2CDE8.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\SYSTEM\INETP60.DLL,DllRunServer
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\SYSTEM\ICDD7EE6.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\SYSTEM\LI01F948.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [QuikSearch] C:\WINDOWS\SYSTEM\QuikSearch.exe
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\SYSTEM\WM41A398.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\SYSTEM\READDB40.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [DHELPD] C:\WINDOWS\SYSTEM\DHELPD.exe
O4 - HKLM\..\Run: [Ad-aware] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\Run: [r35P36l] AVIFIL32.EXE
O4 - HKLM\..\Run: [MMGR32C] C:\WINDOWS\SYSTEM\MMGR32C.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Pica] C:\WINDOWS\Application Data\swce.exe
O4 - HKCU\..\Run: [Zksttaf] C:\WINDOWS\SYSTEM\zpctpb.exe
O4 - HKCU\..\Run: [a0uFRWJ7T] AWKLE32.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - HKCU\..\RunOnce: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
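The two logs above (posts #1 and #3) differ by dozens of lines, and reading them by eye is how the helper works here. The following Python script, added by the editor and not part of the thread or of HijackThis itself, shows how to do the same triage mechanically: parse the `R0/R1/O1/O2/O4` entries, set-diff two scans to see what a cleanup removed and what has since reappeared, and flag the patterns visible in this thread (search/start page pointed at the hijacker domain, a hosts entry aimed at 27.0.0.1 rather than loopback, nameless or orphaned BHOs, DLLs auto-loaded through `rundll32 ...,EnableRunDLL32`, autostarts from TEMP, random-looking Run value names). The sample input is a short excerpt copied from the two posted logs; the "looks bad" heuristics and the `KNOWN_GOOD_RUN` list are the editor's assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis-style logs: parse entries, diff two scans,
and flag hijack patterns.  Added example by the editor; not part of the thread
and not HijackThis's own logic.  The heuristics are assumptions about what
"looks bad" in a Windows 9x/ME log of this era, not HijackThis rules."""
import re

# Constructed sample input: short excerpts copied from the two logs posted
# in the thread (the real logs are far longer).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?cxlow about:blank (obfuscated)
O1 - Hosts: 27.0.0.1 www.theadultwire.com
O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL (file missing)
O2 - BHO: (no name) - {36AC6550-9112-7997-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\JQMVBEK.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [5RBGY#Y43AE4EW] C:\WINDOWS\SYSTEM\Qdxc4jKR.exe
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\SYSTEM\IEL2CDE8.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [BBH] C:\WINDOWS\TEMP\BBH.EXE
O4 - HKLM\..\Run: [r35P36l] T2EPT32.EXE
"""
LOG_AFTER = r"""
O1 - Hosts: 27.0.0.1 www.theadultwire.com
O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL (file missing)
O2 - BHO: (no name) - {36AC6550-9112-7997-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\JQMVBEK.DLL
O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\SRCHFST.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\SYSTEM\IEL2CDE8.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [BBH] C:\WINDOWS\TEMP\BBH.EXE
O4 - HKLM\..\Run: [r35P36l] AVIFIL32.EXE
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")   # "O4 - HKLM\..\Run: [x] y"
O4_RE = re.compile(r"[^\[]*\[([^\]]+)\]\s*(.*)")  # value name and command
# Assumed-benign Run value names (Windows ME defaults seen in the log).
KNOWN_GOOD_RUN = {"ScanRegistry", "TaskMonitor", "SystemTray", "LoadPowerProfile"}


def parse_log(text):
    """Return the set of (section, body) pairs for every entry line."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """(entries that disappeared, entries that appeared) between two scans."""
    a, b = parse_log(before), parse_log(after)
    return sorted(a - b), sorted(b - a)


def looks_random(name):
    """Heuristic: '#' junk, or >=6 chars mixing digits with vowel-less letters."""
    if "#" in name:
        return True
    letters = re.sub(r"[^A-Za-z]", "", name)
    return (len(name) >= 6 and re.search(r"\d", name) is not None
            and re.search(r"[aeiouAEIOU]", letters) is None)


def flag_entry(section, body):
    """List the reasons an entry looks like part of a browser hijack."""
    reasons = []
    if section in ("R0", "R1") and "in.webcounter.cc" in body:
        reasons.append("IE search/start page redirected to hijacker domain")
    if section == "O1":
        # A real block entry points at 127.0.0.1; 27.0.0.1 keeps the name
        # resolving somewhere that is not loopback.
        ip = body.split()[1]
        if ip != "127.0.0.1":
            reasons.append("hosts entry points at non-loopback address %s" % ip)
    if section == "O2":
        if "(no name)" in body:
            reasons.append("BHO with no name")
        if "(file missing)" in body:
            reasons.append("orphaned BHO registration (file missing)")
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            name, cmd = m.group(1), m.group(2)
            if "rundll32" in cmd.lower() and "enablerundll32" in cmd.lower():
                reasons.append("DLL auto-loaded via rundll32 EnableRunDLL32")
            if "\\TEMP\\" in cmd.upper():
                reasons.append("autostart from TEMP folder")
            if name not in KNOWN_GOOD_RUN and looks_random(name):
                reasons.append("random-looking Run value name")
    return reasons


def triage(text):
    """Map each suspicious entry line to its list of reasons."""
    out = {}
    for section, body in sorted(parse_log(text)):
        reasons = flag_entry(section, body)
        if reasons:
            out["%s - %s" % (section, body)] = reasons
    return out


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed since first scan: %d, new since first scan: %d"
          % (len(removed), len(added)))
    for line, why in triage(LOG_AFTER).items():
        print(line, "->", "; ".join(why))
```

Two things the diff makes obvious that a by-eye comparison hides: the `[r35P36l]` Run value survives the cleanup but now launches `AVIFIL32.EXE` instead of `T2EPT32.EXE`, so a set diff reports it as one removed and one added entry, which is the signature of a dropper that regenerates its payload under a new name each boot; and the `Searchfst` BHO is not caught by any of the heuristics above, so the flagged list is a starting point for review, not a verdict, and every unflagged `O2`/`O3` entry still has to be read.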

#4 nasdaq
  • Forum Deity
  • Global Moderator
  • 49,092 posts

Posted 31 July 2004 - 10:34 AM

Hi Killak,

You fixed the Peper and ran the CoolWebSearch tool, great!
This removed 15 bad entries. There are others that I have investigated and that need to be removed.
But 4 more baddies were added in your second log. Do the following, as I suspect that you have something more insidious that will have to be dealt with later.

Again please print this as it will be a long process.

1 - Close all open Explorer windows and browsers
2 - Run HijackThis
3 - Click on the Scan button and when complete
4 - Put a check beside all of the items listed below if they are still present
5 - Click on the "Fix Checked" button
6 - When complete and all files removed, close the application

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?cxlow (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?cxlow about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?cxlow (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?cxlow (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?cxlow (obfuscated)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\PROGRAM FILES\TV MEDIA\TvmBho.dll

O1 - Hosts: 27.0.0.1 www.theadultwire.com
O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {36AC6550-9112-7997-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\JQMVBEK.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\SYSTEM\ICDD7EE6.DLL
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\SYSTEM\IEL2CDE8.DLL
O2 - BHO: CBho404 Object - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\SYSTEM\INETP60.DLL
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\SYSTEM\WM41A398.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\SRCHFST.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\SYSTEM\LI01F948.DLL
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\SYSTEM\READDB40.DLL
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\SRCHFST.DLL
O4 - HKLM\..\Run: [fhccall] C:\WINDOWS\SYSTEM\FHCCALL.exe
O4 - HKLM\..\Run: [FHC] C:\PROGRAM FILES\FREE HISTORY CLEANER\FREEHISTORYCLEANER.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [WebInstall2] C:\PROGRAM FILES\CLIPGENIE\WEBINSTALL.EXE /R
O4 - HKLM\..\Run: [BBH] C:\WINDOWS\TEMP\BBH.EXE
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
O4 - HKLM\..\Run: [wdwvyx] C:\WINDOWS\wdwvyx.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\SYSTEM\okqylwp.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\rintiyc.exe
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\SYSTEM\IEL2CDE8.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\SYSTEM\INETP60.DLL,DllRunServer
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\SYSTEM\ICDD7EE6.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\SYSTEM\LI01F948.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\SYSTEM\WM41A398.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\SYSTEM\READDB40.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [DHELPD] C:\WINDOWS\SYSTEM\DHELPD.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - HKCU\..\Run: [Zksttaf] C:\WINDOWS\SYSTEM\zpctpb.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [r35P36l] AVIFIL32.EXE
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe


I did find one OPTIONAL item, the Download Accelerator (DAP), which is not technically malware, but it may include malware and allow it into your system. You can find safer alternatives here: http://www.spywarein...at=dlman#dlman
Remove at your discretion.

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

*
Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply
*
Next, reboot, on restart, restart in "Safe Mode".

How To
http://service1.syma...src=sec_doc_nam

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Also, Delete/Empty your Temporary Internet Cache completely
How To (applies to most operating systems):
http://www.mvps.org/...02/delcache.htm

Remove all folder/files in BOLD if still present.

C:\WINDOWS\BXXS5.DLL <-- File only
C:\WINDOWS\UPTODATE.EXE <-- File only
C:\WINDOWS\wdwvyx.exe <-- File only
C:\WINDOWS\srchupdt.exe <-- File only
C:\WINDOWS\SRCHFST.DLL <-- File only
C:\WINDOWS\SYSTEM\MMGR32C.EXE <-- File only
C:\WINDOWS\SYSTEM\DHELPD.exe <-- File only
C:\WINDOWS\SYSTEM\READDB40.DLL <-- File only
C:\WINDOWS\SYSTEM\LI01F948.DLL <-- File only
C:\WINDOWS\SYSTEM\INETP60.DLL <-- File only
C:\WINDOWS\SYSTEM\IEL2CDE8.DLL <-- File only
C:\WINDOWS\SYSTEM\ICDD7EE6.DLL <-- File only
C:\WINDOWS\SYSTEM\JQMVBEK.DLL <-- File only
C:\WINDOWS\SYSTEM\FHCCALL.EXE <-- File only
C:\WINDOWS\SYSTEM\OKQYLWP.EXE <-- File only
C:\WINDOWS\SYSTEM\RINTIYC.EXE <-- File only
C:\WINDOWS\SYSTEM\ZPCTPB.EXE <-- File only
C:\WINDOWS\SYSTEM\STLBDIST.DLL <-- File only
C:\WINDOWS\SYSTEM\HPDLLHOST.EXE <-- File only
C:\WINDOWS\SYSTEM\WM41A398.DLL <-- File only
C:\WINDOWS\TEMP\BBH.EXE <-- File only
C:\WINDOWS\UPTODATE.EXE <-- File only
C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE <-- Folder and all files
C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE <-- Folder and all files
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE <-- Folder and all files
C:\PROGRAM FILES\SYSAI\SYSAI.EXE <-- Folder and all files
C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE <-- Folder and all files
C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL <-- Folder and all files
C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
C:\PROGRAM FILES\FREE HISTORY CLEANER\FREEHISTORYCLEANER.exe <-- Folder and all files
C:\PROGRAM FILES\CLIPGENIE\WEBINSTALL.EXE <-- Folder and all files
C:\PROGRAM FILES\TV MEDIA\TVM.EXE <-- Folder and all files

OPTIONAL if you have removed Download Accelerator - DAP.
C:\PROGRA~1\DAP\dapextie.htm <-- Folder and all files
*
Reboot

Let's see if anything has been left behind.
  • Download the latest version of Spybot from either:
  • Install Spybot; by default it should install into C:\Program Files\Spybot - Search & Destroy.
  • Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
  • The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
  • Click on "Search for Updates".
  • If any updates are found, place a check mark next to each and click on "Download Updates".
  • Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to Immunize at the top.
  • Click on "Search & Destroy" => "Check for Problems".
  • If any problems are found, be sure to click on "Fix Selected Problems."
Close the application.
*
Follow up with an online AV scan at any of the following:

Panda's Active Scan
http://www.pandasoft...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/v.../virusscan.aspx

If any infected files are found, delete them.
*

Check also for Trojan Horses (also often called Backdoors), which open your PC from inside for attackers. Use any of the following:

TrojanHunter
http://www.computerc.../reviews-8.html

a2 Scanner
http://www.emsisoft..../software/free/

Trojan Remover
http://www.simplysup...r/download.html
*
You are not presently running the latest copy of Internet Explorer (The SP 1 version).
I suggest you get it from this site: http://v4.windowsupdate.microsoft.com/ and follow the instructions for the download. When installed, return to the site and install all of the latest security patches, which will protect your computer much better than IE 5.

Internet Explorer SP1 and all updates to February 2004 are included in this free CD from Microsoft. If you have a slow connection or are not pressed for time, you can order it and install later. You must use the update site for any updates issued after that date.
How to obtain and use the Windows Security Update free CD (February 2004)
http://support.micro...om/?kbid=833242
*
Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :
  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
I also recommend reading this article.
How did I get infected in the first place?
http://forums.net-in...?showtopic=3051
*
Run HijackThis and post a fresh log for review.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating; see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#5 killak

killak

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 31 July 2004 - 11:07 PM

hey Nasdaq. thanks a lot for everything. I guess all is once again good with my pc.
Well, that's for you to decide. Here is the log:

Logfile of HijackThis v1.98.0
Scan saved at 12:06:58 AM, on 8/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LTCM000C.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\TWARNMSG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\QUIKSEARCH.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\AVIFIL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\APPLICATION DATA\SWCE.EXE
C:\WINDOWS\SYSTEM\AWKLE32.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TWarnMsg] TWarnMsg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuikSearch] C:\WINDOWS\SYSTEM\QuikSearch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [r35P36l] AVIFIL32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Pica] C:\WINDOWS\Application Data\swce.exe
O4 - HKCU\..\Run: [a0uFRWJ7T] AWKLE32.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#6 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,092 posts

Posted 01 August 2004 - 06:55 AM

Hi Killak,

You did well on a complex and long issue.

Just a few things to fix.

Again please print this as it will be a long process.

1 - Close all open Explorer windows and browsers
2 - Run HijackThis
3 - Click on the Scan button and when complete
4 - Put a check beside all of the items listed below if they are still present
5 - Click on the "Fix Checked" button
6 - When complete and all files removed, close the application

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [a0uFRWJ7T] AWKLE32.EXE
O4 - HKLM\..\Run: [r35P36l] AVIFIL32.EXE


In safe mode, remove these two files:

C:\WINDOWS\SYSTEM\AWKLE32.EXE
C:\WINDOWS\SYSTEM\AVIFIL32.EXE
*
That should do it.
*
Make sure you read my protection speech.
nasdaq

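The O4 entries nasdaq singled out across this thread share a few visible traits: rundll32 loading a DLL through an EnableRunDLL32 entry point, autorun value names that look like random letter/digit strings (r35P36l, iel2cde8, a0uFRWJ7T), and executables launched from TEMP or Application Data. The script below is an added example, not part of the thread or of HijackThis, that parses HijackThis O4 registry lines and flags entries showing those traits; the heuristics and their thresholds are my assumptions, they only catch part of what a human reviewer catches, and the sample lines are copied from the logs posted above.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in HijackThis 1.98 O4 format, using lines taken from the
# logs in this thread (a handful only, not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [iel2cde8] rundll32.exe C:\\WINDOWS\\SYSTEM\\IEL2CDE8.DLL,EnableRunDLL32
O4 - HKLM\\..\\Run: [r35P36l] AVIFIL32.EXE
O4 - HKCU\\..\\Run: [Pica] C:\\WINDOWS\\Application Data\\swce.exe
O4 - HKCU\\..\\Run: [PopUpStopperFreeEdition] "C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER FREE EDITION\\PSFREE.EXE"
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices): \[([^\]]*)\] (.*)$")


class O4Entry(NamedTuple):
    hive: str
    key: str
    name: str
    command: str


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis O4 registry autorun line; Startup-folder O4 lines are skipped."""
    m = O4_RE.match(line.strip())
    return O4Entry(*m.groups()) if m else None


def looks_random(name: str) -> bool:
    """Heuristic (assumed threshold): value names that switch between letters and digits
    three or more times, as r35P36l or iel2cde8 do; ScanRegistry or XircWinModem4 do not."""
    classes = [c.isdigit() for c in name if c.isalnum()]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= 3


def assess(entry: O4Entry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list means nothing odd)."""
    reasons = []
    low = entry.command.strip().strip('"').lower()
    if low.startswith("rundll32.exe") and ",enablerundll32" in low:
        reasons.append("rundll32 loading a DLL via EnableRunDLL32")
    if looks_random(entry.name):
        reasons.append("random-looking value name")
    if "\\temp\\" in low or "\\application data\\" in low:
        reasons.append("executable launched from a temp or profile data directory")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged O4 value name to the reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and assess(entry):
            flagged[entry.name] = assess(entry)
    return flagged


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"[{name}] -> {'; '.join(why)}")
```

Entries such as the INETP60.DLL loader (entry point DllRunServer, value name Rundll32_8) pass these checks, which is why the thread still relies on a reviewer reading the whole log.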
