Jump to content


Photo

ads234.com, and other pesky parasites


  • This topic is locked This topic is locked
6 replies to this topic

#1 terrapins

terrapins

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 30 July 2004 - 02:30 AM

Hey all,

I've been battling ad/spyware for sometime now, using Ad-aware, Spybot, and Norton Antivirus to destroy these headaches. Now, I get redirects from ads234.com and pops from about: blank. Below is my HijackThis Log....please help!


Logfile of HijackThis v1.98.0
Scan saved at 3:15:33 AM, on 7/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\EPOAGENT\NAIMAS32.EXE
C:\EPOAGENT\NAIMAG32.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\NUVZAATN.EXE
C:\WINDOWS\TEMP\BAQU.EXE
C:\WINDOWS\WOVAX.EXE
C:\WINDOWS\SYSTEM\IMAIR32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\IOSRCL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMJB.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMDIAG.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_DIRECTOR.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TDMENGINE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25 - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL
O2 - BHO: (no name) - {81D66134-ADC3-4C6D-B0A9-03D4EE35B849} - C:\WINDOWS\SYSTEM\flxd.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [NaimAgent_Service] C:\EPOAgent\naimas32.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [Lotus Sametime Connect] C:\PROGRAM FILES\LOTUS\SAMETIME CLIENT\CONNECT.exe
O4 - HKLM\..\Run: [ctmd] C:\WINDOWS\ctmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Nuvzaatn.exe] C:\WINDOWS\TEMP\NUVZAATN.EXE
O4 - HKLM\..\Run: [Baqu.exe] C:\WINDOWS\TEMP\BAQU.EXE
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
O4 - HKLM\..\Run: [wovax] C:\WINDOWS\wovax.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [q63h36V] IMAIR32.EXE
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [bxsnRWZ7O] IOSRCL32.EXE
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [bxsnRWZ7O] IOSRCL32.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://eproject.flowserve.com/qp2.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 205.171.3.65,205.171.2.65

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 30 July 2004 - 04:34 AM

Hi,
First thing to do is ...

Update Ad-aware's Reference File: instructions Posted Image here

Required Step: Posted Image Reconfigure Ad-Aware for Full Scan

Note: do not run Ad-Aware yet, just update and reconfigure.

Next:

Reconfigure Windows 98 to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Click the View menu, and then click Options or Folder Options. Click the View tab.

In the Advanced settings box, under the "Hidden files" folder
Uncheck: "Hide file extensions for known file types"
Select: "Show all files" Ok the prompt
Click Apply, and then click OK.

Next:

Close all open programs and browsers, rescan with HijackThis.
Place a check in each of the following then click "Fix checked".

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25 - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL
O2 - BHO: (no name) - {81D66134-ADC3-4C6D-B0A9-03D4EE35B849} - C:\WINDOWS\SYSTEM\flxd.dll (file missing)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL
O4 - HKLM\..\Run: [ctmd] C:\WINDOWS\ctmd.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Nuvzaatn.exe] C:\WINDOWS\TEMP\NUVZAATN.EXE
O4 - HKLM\..\Run: [Baqu.exe] C:\WINDOWS\TEMP\BAQU.EXE
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
O4 - HKLM\..\Run: [wovax] C:\WINDOWS\wovax.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [q63h36V] IMAIR32.EXE
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKCU\..\Run: [bxsnRWZ7O] IOSRCL32.EXE
O4 - HKCU\..\RunServices: [bxsnRWZ7O] IOSRCL32.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Open Windows Explorer to C:\Windows\Temp
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\SYSTEM\IMAIR32.EXE <--this file
C:\WINDOWS\WOVAX.EXE <--this file
C:\WINDOWS\SYSTEM\IOSRCL32.EXE <--this file
C:\WINDOWS\ctmd.exe <--this file
C:\WINDOWS\SYSTEM\automove.exe <--this file
C:\WINDOWS\wovax.exe <--this file
C:\WINDOWS\aqadcup.exe <--this file
C:\WINDOWS\SYSTEM\ms.exe <--this file
IOSRCL32.EXE <--this file
Note: locate "IOSRCL32.EXE" via Start > Search > Advanced Options
C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI <--this folder
C:\PROGRAM FILES\COMMON FILES\MIDADDLE <--this folder
C:\Program Files\Common Files\slmss <--this folder
C:\installer <--this folder

While still in Safe Mode, run Ad-Aware and fix everything it finds.

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 terrapins

terrapins

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 30 July 2004 - 07:23 AM

Thank you so much for replying! Following your instructions - just one quick question:

In Safe Mode you said to delete the entire contents of the folder C:\Windows\Temp, but that folder has contents such as Excel8.0, Word8.0, and Ppt8.0. Is it ok to delete such items? I was wondering if you meant the the temporary internet files folder instead??

Thanks in advance!

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 30 July 2004 - 08:50 AM

Hi,

Is it ok to delete such items?

Yes .. that's why it's a "temp" folder ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 terrapins

terrapins

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 30 July 2004 - 11:00 AM

Followed all the steps and here's my new HijackThis log...(things seem to to be running smooth so far :-)...many thanks indeed!


Logfile of HijackThis v1.98.0
Scan saved at 11:54:55 AM, on 7/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\EPOAGENT\NAIMAS32.EXE
C:\EPOAGENT\NAIMAG32.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [NaimAgent_Service] C:\EPOAgent\naimas32.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [Lotus Sametime Connect] C:\PROGRAM FILES\LOTUS\SAMETIME CLIENT\CONNECT.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://eproject.flowserve.com/qp2.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 205.171.3.65,205.171.2.65

#6 terrapins

terrapins

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 30 July 2004 - 11:14 AM

ugh...spoke too soon...Hotmail...and AIM Express still don't work...when they try to open I get the "This page cannot be displayed" deal....

#7 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 01 October 2004 - 04:38 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button