ATTENTION ANYONE WITH C:\\SPAD


45 replies to this topic

#1 NYY4LIFE (Full Member, 61 posts)
Posted 26 May 2004 - 09:05 PM

If you are infected with this, look in your C drive and see if there is a folder called spad.... Somehow I happened to stumble across it, and I deleted it, and I now have no problems... very very weird... I'll update if it reoccurs, but so far it hasn't...

Edited by NYY4LIFE, 26 May 2004 - 09:06 PM.


#2 portillok (Full Member, 33 posts)
Posted 26 May 2004 - 09:11 PM

Thanks...found the folder, I'll let you know if my pops back up

#3 portillok (Full Member, 33 posts)
Posted 26 May 2004 - 09:52 PM

I haven't had any more pop ups asking to change my browser. I did run Hijacker again after I deleted the folder and did see that crap in there. I scanned and fixed and am still crossing my fingers.

Kelly

#4 evenmary17 (Full Member, 6 posts)
Posted 27 May 2004 - 10:01 AM

THANK GOODNESS!!!!!!!!!! Deleting this file seemed to do the trick for me. I was starting to get the feeling I'd be waiting for days to get someone to respond to my email (so many people with similar problems, etc.) so I really appreciate you sharing this advice. My computer seems to be clear of it even after a reboot so I'm keeping my fingers crossed that this issue is resolved! THANK YOU, THANK YOU, THANK YOU!

#5 NYY4LIFE (Full Member, 61 posts)
Posted 27 May 2004 - 11:41 AM

very welcome

#6 neat (Full Member, 6 posts)
Posted 27 May 2004 - 11:47 AM

It seems to have worked! After I deleted the folder I opened the browser and got a message "could not find c:\spad\start.html". I clicked OK and a blank browser opened. I tried to open Internet Options under Tools but for some reason it would not open, so I opened Properties on the desktop icon. The start page still showed c:\spad\start.html; I simply replaced that with my original start page. Seems to have worked. Thanks!

#7 NYY4LIFE (Full Member, 61 posts)
Posted 27 May 2004 - 12:38 PM

Is there any way an expert member could re-write this and make it a sticky... I see a lot of people with this problem.... and if I wasn't lucky enough to stumble onto that folder, I would have been on this site for days trying to get it to go away....

#8 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 27 May 2004 - 12:42 PM

Well, there is more to it than that. It may be a workaround, but the DLL is still running. It may be a matter of time before it redownloads and reinfects you.



#9 latrell_atk (New Member, 3 posts)
Posted 27 May 2004 - 12:43 PM

You're the man, heheh, it's solved!

Hey, let's bump it up until everyone sees it!

#10 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 27 May 2004 - 12:48 PM

This is the way it should be fixed.

Copy the contents of the quote box to Notepad.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]


Hit File / Save As.

Give it the name clear.reg.
Under the filename, change "Save as type" to All Files.
Save it to the desktop.
Close Notepad.
Double-click clear.reg.
When asked to merge, say yes.

Reboot.

Delete these two files:
C:\Documents and Settings\(username)\Local Settings\Temp\HPCMDTY.DLL
C:\WINDOWS\System32\c_10230.dll
c:\spad (whole folder)


Then load up HijackThis and fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex....aid=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage

Please post a new HijackThis log when done.

Edited by shadowwar, 27 May 2004 - 12:49 PM.




#11 evenmary17 (Full Member, 6 posts)
Posted 27 May 2004 - 12:50 PM

shadowwar -- that is what i am afraid of -- however a quick fix right now is certainly a welcome, albeit temporary, solution while i wait for someone to offer me an "official" response! looking forward to a *complete* solution.

#12 evenmary17 (Full Member, 6 posts)
Posted 27 May 2004 - 12:52 PM

You must have been replying at the same time -- can't wait to try this and get it all cleared up! (Although my own HijackThis log has not been replied to.)

#13 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 27 May 2004 - 12:52 PM

That is an official solution. :) I am an expert in this.. trust me, I have the sample files and the registry entries this thing creates.



#14 evenmary17 (Full Member, 6 posts)
Posted 27 May 2004 - 12:55 PM

Yours was the official solution I was looking for -- however, it's not in reply to my own HijackThis log -- can I still use it as a solution?

#15 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 27 May 2004 - 12:59 PM

Yes, it should work for all.. It's still so new that I can't yet be 100% sure, but it should fix everyone. The reg merge can't do any harm, so it's safe to do.



#16 evenmary17 (Full Member, 6 posts)
Posted 27 May 2004 - 01:02 PM

Hmmm ... I can't get my Notepad program to open up? Wouldn't that have anything to do with this problem?

#17 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 27 May 2004 - 01:05 PM

Yes, actually it would.

It uses the Notepad overwrite to install itself.

Here is how to fix it, for XP only.

XP has two copies of notepad.exe:
one in windows
one in windows\system32

Copy the one from windows (it should be 64.5 KB)

to windows\system32.

Then go to Start / All Programs / Accessories and right-click the Notepad entry.

The Target line should have this:

%SystemRoot%\system32\notepad.exe

The Start In line should have this:

%HOMEDRIVE%%HOMEPATH%

Change it if they don't.
Hit Apply, then OK.

That should take care of it.



#18 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 27 May 2004 - 01:16 PM

I still need to confirm file locations on 98 or ME operating systems.



#19 red_leader (New Member, 1 post)
Posted 27 May 2004 - 01:39 PM

Thanks a million! Worked for me too in XP, although it left a little trace .dat file called "urlcli" of 13 KB... should I be worried about this?

#20 banpei (New Member, 1 post)
Posted 27 May 2004 - 01:49 PM

I had exactly the same, but my system lacked the c_10230.dll. I found a suspicious crt32_v2.dll and a crt2_v32.dll, both dated a few days ago, in the temp folder of one of the users of my system.

Did exactly as Shadowwar told us to do, except I removed all crt* files from the system32 dir, and it looks like it has been fixed for now. Think I'll apply the MS patch asap.

Thanks! I'll definitely bookmark this forum since it has been a great help and gave me insight into hijacks! ;)

#21 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 27 May 2004 - 02:17 PM

The files that you found are alternate names for the c_10230.dll:

crt32_v2.dll and crt2_v32.dll

They should be approximately 20 KB in size.



#22 evenmary17 (Full Member, 6 posts)
Posted 27 May 2004 - 02:24 PM

I don't seem to have a copy of Notepad in windows -- only in windows\system32 -- when I check the properties of it, both the Target line and the Start In line have the correct info -- but when I try to open the program it says

"The drive or network connection that the shortcut 'Notepad.Ink' refers to is unavailable. Make sure the disk is properly inserted or the network resource is available then try again."

I am a virtual moron at this stuff -- so any help would be appreciated!

#23 notee2 (Full Member, 9 posts)
Posted 27 May 2004 - 04:33 PM

Whew, I can post.

I deleted the "C:\SPAD" folder like the original poster, and others, have done. So far, so good. But...

Seeing this post, I went further and attempted to use shadowwar's instructions for a permanent solution (no problems with Notepad arose, and I am using XP). Unfortunately, small problems:

1) No "merge" message, only adding to the registry. Added, rebooted. OK or problem?

2) The two files "C:\Documents and Settings\(username)\Local Settings\Temp\HPCMDTY.DLL" and "C:\WINDOWS\System32\c_10230.dll"
are not there, nor are "crt32_v2.dll and crt2_v32.dll", nor any other .dlls in those locations.
Good or bad?

3) Should those instructions only be used (effectively or relatively safe/dangerous) when this "C:\SPAD" is still causing problems?

or 4) Too much to ask in someone else's post?

Thank you, and please forgive a new user if it is 4) - say so, and I will ask as a separate topic. This just seemed the authoritative thread on the subject.

Edited by notee2, 27 May 2004 - 04:36 PM.


#24 hfs991hfs (Full Member, 12 posts)
Posted 28 May 2004 - 12:41 AM

Ok, I can't find this "HPCMDTY" file, but I can find the other dll....

#25 StupidHijackers (Full Member, 56 posts)
Posted 28 May 2004 - 01:14 AM

Yeah, same here with notee2's questions.

#26 StupidHijackers (Full Member, 56 posts)
Posted 28 May 2004 - 01:15 AM

Only I'm using Windows 98 SE.

#27 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 28 May 2004 - 09:22 AM

If you can find the file, make sure you are showing hidden files and folders.. If you still can't find them, then don't worry about it. As long as the registry merged and it told you it was successful, you should be fine.



#28 mulangi (Full Member, 23 posts)
Posted 28 May 2004 - 09:28 AM

Yes, it should work for all.. It's still so new that I can't yet be 100% sure, but it should fix everyone. The reg merge can't do any harm, so it's safe to do.

Hi Shadowwar,
Is there a name for this thing yet?
Thanks
-M-

#29 notee2 (Full Member, 9 posts)
Posted 28 May 2004 - 01:29 PM

My hidden files & folders are visible, so I guess I'm fine on this one. Thank you very much for your help, shadowwar!

#30 StupidHijackers (Full Member, 56 posts)
Posted 29 May 2004 - 03:23 AM

Thanx shadowwar, hope this works :) Anyway, I have a question: can I delete the clear.reg file on my computer after I have merged it (it's showing on my desktop)?

#31 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 29 May 2004 - 08:02 AM

yes



#32 chinaboytyson (New Member, 1 post)
Posted 31 May 2004 - 05:10 AM

Here is my HijackThis log. I hope I did this right.
I've been trying for weeks to get rid of this, and other spyware crap which is not only disturbing, but seems to also slow down my computer. I did what you said, creating that Notepad file, and tried to delete the stuff using HijackThis. Please give me feedback.... thanks

Logfile of HijackThis v1.97.7
Scan saved at 3:04:48 AM, on 31/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [cdknchgl] C:\WINDOWS\cdknchgl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [FinishSetup] rundll32 "C:\Program Files\Zero Knowledge\Freedom\Freedom.exe",Check
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28177.cab

#33 Asrael (New Member, 3 posts)
Posted 31 May 2004 - 01:55 PM

Shadowwar, you're a godsend!

I followed your simple instructions step by step, but this problem was still not fixed. However, after checking my HijackThis log, I noticed that I also had the following near the end, between O9 and O16:

O13 - DefaultPrefix: http://www.myexexex....p?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Home Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex....p?said=pfxp&qq=

I went ahead and fixed these as well, and now my Internet Explorer is working like a charm! Not to mention that everything seems to run a bit faster as well.

FYI - I deleted the C:/spad folder last week when this first happened. Just this morning is when things really got hairy, and I kept getting myexexex.com every time I typed an address into the address bar. The first thing I did was run a virus scan and found a Trojan named Exploit-ByteVerify.

Taken from McAfee.com, the following was stated about Indications of Infection:

"There are no obvious signs of infection. AVERT has received field samples that use this exploit to create a registry script file, and merge it into the system registry. This script simply altered the default start page of Internet Explorer."

It sounds like there could be a connection between this trojan and the myexexex.com problem.

Just wanted to give you a heads up. The more information the better.

Thanks again, Shadowwar. You've made my life a little easier!

#34 gogeta_irv (New Member, 3 posts)
Posted 31 May 2004 - 04:01 PM

I got this spad spyware on the 27th of May and I deleted the spad folder.

However, the problem changes now. I don't have my browser hijacked, but the page I am viewing will redirect to www.myexexex.com randomly. (When I submit this post, I am actually risking another hijack, if you know what I mean.)

Things are getting very frustrating as I don't know what's wrong with my log. Please, anyone, help me get rid of this dirt in my computer.

Below is my log file:
Logfile of HijackThis v1.97.7
Scan saved at 4:26:58 AM, on 1/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\EZBUTTON\CP888M1.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WIRELESS\CLIENT MANAGER\CMAGS.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.singnet.com.sg
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SingNet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = "C:\WINDOWS\SYSTEM\inetsrv\iisadmin\publish\jsbrowser\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\inetsrv\iisadmin\publish\jsbrowser\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EZBUTTON\CP888M1.EXE
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avgamsvr.exe] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480] C:\WINDOWS\SYSTEM\E_SICN03.EXE /A "C:\WINDOWS\SYSTEM\E_S7363.TMP"
O4 - Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CMAGS.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: ViaNet (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.singnet.com.sg
O16 - DPF: Visual Studio 6 Extensibility Libraries -
O16 - DPF: Microsoft WFC Forms Designer -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7912.1082407407
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.micro...b5/comdlg32.cab

#35 arjay (New Member, 1 post)
Posted 31 May 2004 - 04:19 PM

Hey, thanks for the removal instructions!

I couldn't find the "HPCMDTY.dll" file in the "C:\Documents and Settings\(username)\Local Settings\Temp\" folder, but I found it in the "C:\WINDOWS\System32\" folder!

Well, just thought I would help anyone who had this issue!
Thanks again!

#36 sbaer (New Member, 1 post)
Posted 01 June 2004 - 01:22 AM

Yes, actually it would.

It uses the Notepad overwrite to install itself.


I'm just trying to understand the infection process. From what you say above, am I correct to say that during the infection process, NOTEPAD.EXE is modified or replaced with a modified version that is then used to re-infect the host each time it's executed?

I'd really appreciate it if you are able to provide a detailed explanation about this threat as there is not much information out there about it.

Many Thanks

#37 LittleMissMoo (Full Member, 6 posts)
Posted 01 June 2004 - 06:57 AM

Hi there,

I've been infected with the c:\spad thing as well recently. Yesterday I did shadowwar's fix, and all seemed okay. Until about an hour ago, when I went to click a link on a website and it took me straight to that myexexex.com site :unsure:

SO... I ran HijackThis, and there's nothing that I can see relating to spad or myexexex. I also checked for the spad folder; it wasn't there.

When I tried the fix, btw, I did not find the HPCMDTY.dll file nor the c_10230.dll one.

What to do?! :gasp:

Any help would be greatly appreciated!!

Thanks

Edited by LittleMissMoo, 01 June 2004 - 06:59 AM.


#38 shadowwar (Forum Deity, Global Moderator, 1,361 posts)
Posted 01 June 2004 - 07:02 AM

Please start your own post and post a HijackThis log, please.



#39 CaptainCrazy (New Member, 1 post)
Posted 01 June 2004 - 07:22 PM

Hello all, this is my first time posting here because my dad got this exact same browser hijacker today. When I did a Google search there were only 3 sites related to the myexexex hijacker, and this is the best solution so far, but I would like to add some additional info about which registry entries to fix/check using the HijackThis program:

Myexexex doesn't always make the same reg entries as shown in your example, and you must fix/check all registry entries that contain myexexex somewhere in the name. There were about 4 entries that HijackThis picked up on my dad's system that weren't shown on this forum. So if you fix/check them all and follow the original steps, it should work.

PS: thanks for the help, it kept me from reinstalling IE and uninstalling Kazaa, although we might have to later, since it seems to be linked to some versions of the free Kazaa.
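A small log triage helper, added here as an example and not part of the thread or of HijackThis itself. It applies this thread's indicators (the three CLSIDs from shadowwar's clear.reg, the DLL/EXE names posters reported, the c:\spad start page, the myexexex and mt-download domains, and the O13 prefix entries Asrael found) to HijackThis output, so that every entry CaptainCrazy's advice would have you fix is flagged rather than eyeballed. The sample log is constructed for the example; the clean entries in it are ordinary Adobe/Microsoft/Macromedia lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators drawn from this thread: the three CLSIDs in shadowwar's clear.reg,
# the DLL/EXE names posters reported, the redirect domains and the c:\spad path.
HIJACKER_CLSIDS = {
    "{869EE607-5376-486D-8DAC-EDC8E239AD5F}",
    "{BE2F2769-8A63-4BC7-8A99-06C2C4AD7B9B}",
    "{237AA178-C3BC-4F67-A8BB-D8BC14BA0B89}",
}
HIJACKER_FILES = ("hpcmdty.dll", "c_10230.dll", "crt32_v2.dll",
                  "crt2_v32.dll", "winwildapp.exe")
HIJACKER_DOMAINS = ("myexexex.", "mt-download.com")
HIJACKER_PATHS = ("c:\\spad", "c:/spad")

# A HijackThis entry starts with a section code (R0, R1, O2, O13, O16 ...);
# header and "Running processes" lines do not, and are skipped.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "R0" or "O13"
    reason: str    # which indicator matched
    line: str      # the original log line


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the log line matches a thread indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    lower = body.lower()
    # Known hijacker CLSIDs win over any other match on the same line.
    for clsid in CLSID_RE.findall(body):
        if clsid.upper() in HIJACKER_CLSIDS:
            return Finding(code, f"known hijacker CLSID {clsid.upper()}", line)
    if any(p in lower for p in HIJACKER_PATHS):
        return Finding(code, "points at c:\\spad", line)
    for dom in HIJACKER_DOMAINS:
        if dom in lower:
            return Finding(code, f"references {dom}", line)
    for name in HIJACKER_FILES:
        if lower.endswith(name) or "\\" + name in lower:
            return Finding(code, f"loads {name}", line)
    return None


def scan_log(text: str) -> List[Finding]:
    """Scan a whole HijackThis log and return every suspicious entry, in order."""
    return [f for f in map(classify, text.splitlines()) if f is not None]


# Constructed sample log (not any poster's real log): clean entries mixed with
# entries of the kinds described in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll
O13 - DefaultPrefix: http://www.myexexex.net/
O15 - Trusted Zone: http://www.mt-download.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason:<50} {f.line[:70]}")
```

Feed it a saved log with `scan_log(open("hijackthis.log").read())`; lines it does not flag still need the usual manual review, since the indicator list is only what this thread reported.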

#40 stahly (New Member, 3 posts)
Posted 07 June 2004 - 07:54 AM

Okay, I got this too, and ran all the fixes, and I am still infected with this. Didn't see anyone else post any info about what I notice, but if you've got XP, run your Task Manager when you get redirected to the exexex page; I notice I am always getting new *.dat processes running. These files are created once the redirect happens. They are located in the following folder:

C:\Documents and Settings\UserName\Local Settings\Temp

#41 parputt (New Member, 1 post)
Posted 08 June 2004 - 07:08 AM

I've run most all recommended solutions to rid my computer of Myexexex and still it returns. Usually a day or two from the time I have run the registry fix. After running Shadowwar's recommendation for the second time, none of the files that were to be deleted were there.

Any new suggestions?

#42 stahly (New Member, 3 posts)
Posted 08 June 2004 - 08:14 AM

I also just noticed that it adds the following 2 entries to your trusted Internet zones...

http://www.myexexex.net
http://www.mt-download.com

I keep getting the same things everyone else is getting. I even tried to make a dummy winwildapp.exe, but it keeps getting overwritten. I use SpywareBlaster; it adds websites to the restricted sites in IE's security options. I added the 2 above manually to see if this might keep it from reloading this crap every time it goes to the page...

#43 nhhockeynut (New Member, 1 post)
Posted 09 June 2004 - 07:27 AM

Okay, I got this too, and ran all the fixes, and I am still infected with this. Didn't see anyone else post any info about what I notice, but if you've got XP, run your Task Manager when you get redirected to the exexex page; I notice I am always getting new *.dat processes running. These files are created once the redirect happens. They are located in the following folder:

C:\Documents and Settings\UserName\Local Settings\Temp


I have seen the same issue. The new .DAT files for me were: gahd.dat, nhbc.dat, and iglc.dat. gahd.dat was running in system processes. I discovered it when my firewall asked for permission for gahd.dat to access the internet, which I refused. I had already applied the fix as per Shadowwar two days ago.

The question is, where else is this hiding? Obviously there is something else that is related that is creating these .dat files. I scanned my registry for myexexex and spad with no keys or entries found.

Any ideas?

Steve

#44 Wilco (New Member, 1 post)
Posted 11 June 2004 - 12:45 PM

Following the advice on another thread, I booted up my XP-based PC in safe mode and ran a virus scan. It came across this in the C:\Documents and Settings\<user name>\Application Data directory:

VVSN_CLIC0404Inst.exe Adware-SaveNow :techsupport:

I removed it and have yet to see the problem re-occur. No promises, but it's the most promising thing I've tried so far.

Good luck!

_-= Wilco =-_

:weee:

#45 peter61 (New Member, 1 post)
Posted 13 June 2004 - 03:08 PM

I have the problem of web pages switching to www.myexexex.com. When I run Ad-Aware it removes the registry entries that cause this and also a file AAHH.exe in the C:\Documents and Settings\<user name>\Application Data directory.

But after a while the aahh.exe file is recreated in the same directory, so there must be another program that creates it again after it is gone. I've tried running an AVG virus scan in safe mode, but it doesn't run in safe mode. I used HijackThis, but it only temporarily fixes the problem. It seems we need to find the program that recreates aahh.exe after we temporarily fix the problem. Any suggestions?

#46 stahly (New Member, 3 posts)
Posted 13 June 2004 - 05:38 PM

Okay, I did a couple of things in safe mode: ran NAV 2004, Ad-Aware, Spybot, and the latest CWShredder. The latest CWShredder found and fixed something; it was the very last thing on its list. And so far I haven't had the page come back.

Also, I deleted all the *.dat files and the winwildapp.exe from the following folder:
C:\Documents and Settings\*Username*\Local Settings\Temp

And for IE: I deleted all cookies and temp files and cleared the history. And I added the following 2 pages to restricted sites (see SpywareBlaster for more details):
http://www.myexexex.net
http://www.mt-download.com

And so far I haven't had the problem return, but I am not sure exactly where the program itself resides...




Member of ASAP and UNITE