
Spyware Programs won't go away.


5 replies to this topic

#1 jrshine360

jrshine360

    Member

  • New Member
  • 4 posts

Posted 14 June 2004 - 07:26 PM

I cannot get my system clean. It is running very slow and every time I reboot there are still 5 or 6 programs running that I don't recognize. I've run Ad-aware, HijackThis, and Spybot S&D along with CWShredder. Still no luck. I have logs of these but I don't understand which files to delete. Any help would be greatly appreciated. I have read your FAQ and have tried to stick by the guidelines of this forum. Thanks again.
Jrs

#2 jrshine360

jrshine360

    Member

  • New Member
  • 4 posts

Posted 14 June 2004 - 10:02 PM

Sorry I forgot to post my HijackThis log file. Here it tis.


Logfile of HijackThis v1.97.7
Scan saved at 6:21:11 PM, on 6/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\BPC9JNP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WKV9063.EXE
C:\WINDOWS\SYSTEM\FBF0KHC.EXE
C:\MY SHARED FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - F:\DATA\WEST GROUP\CITELINK\CLIE\CLIE.DLL (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YKGPPRX9H.EXE] C:\WINDOWS\TEMP\YKGPPRX9H.EXE
O4 - HKLM\..\Run: [vbxrcmhyxusl] C:\WINDOWS\SYSTEM\fprqyd.exe
O4 - HKLM\..\Run: [38RTWGS3AH8264] C:\WINDOWS\SYSTEM\Unpv.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [AutoLoadero8vz1IJkPIZL] "C:\WINDOWS\SYSTEM\NWLSVINN.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [on4P36U] NWLSVINN.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [ZCvFRWYmU] BPC9JNP.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.micro...x86/ielabel.cab
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcaf...an/mgavinst.cab
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcaf...ng/mcsmtshp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {52ADE293-85E8-11D2-BB22-00104B0EA281} (MS Investor Ticker) - http://fdl.msn.com/p...r/v7/ticker.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...d/mcinstall.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...v9.5/ticker.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} (McAfee.com Component Download Manager Class) - http://download.mcaf...c/CDM/McCDM.cab
O16 - DPF: WG3Client - file://F:\DATA\WEST GROUP\DOWNLOAD\IE\wg3clnt.cab
O16 - DPF: WG3Swing - file://F:\DATA\WEST GROUP\DOWNLOAD\IE\wg3swing.cab
O16 - DPF: WG3Images - file://F:\DATA\WEST GROUP\DOWNLOAD\IE\wg3img.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8152.5841666667

#3 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • 171 posts

Posted 14 June 2004 - 11:04 PM

Hi there
You have picked up the Peper trojan. To remove it, can you please download the PeperFix tool,
  • save it to your desktop,
  • close all browsers and double-click the peperfix.exe icon,
  • click 'Find and Fix' and reboot if prompted.
Please place a check in the following entries and ensure all IE browsers and Windows Explorer windows are closed, then have HijackThis fix them:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - F:\DATA\WEST GROUP\CITELINK\CLIE\CLIE.DLL (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)

O4 - HKLM\..\Run: [YKGPPRX9H.EXE] C:\WINDOWS\TEMP\YKGPPRX9H.EXE
O4 - HKLM\..\Run: [vbxrcmhyxusl] C:\WINDOWS\SYSTEM\fprqyd.exe
O4 - HKLM\..\Run: [38RTWGS3AH8264] C:\WINDOWS\SYSTEM\Unpv.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [AutoLoadero8vz1IJkPIZL] "C:\WINDOWS\SYSTEM\NWLSVINN.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [on4P36U] NWLSVINN.EXE
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [ZCvFRWYmU] BPC9JNP.EXE


These items in blue can be fixed if you choose; they are unnecessary programs running at startup and/or that hog resources. Having HijackThis fix them does not remove the program, just its startup command.
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Launches common MS Office components to run aimlessly in the background.


Note: To avoid the risk of any files not being found due to some files being hidden, see Showing hidden files if needed.

Restart in Safe mode and find and delete the following files/folders if they still exist:
C:\WINDOWS\TEMP\ YKGPPRX9H.EXE <--delete only this file
C:\WINDOWS\SYSTEM\ fprqyd.exe <--delete only this file
C:\WINDOWS\SYSTEM\ Unpv.exe <--delete only this file
C:\WINDOWS\SYSTEM\ DP-HIM.EXE <--delete only this file
C:\WINDOWS\SYSTEM\ NWLSVINN.EXE <--delete only this file
BPC9JNP.EXE <--delete only this file

C:\PROGRA~1\ CLOCKS~1 <--delete only this folder
C:\PROGRAM FILES\ SEP <--delete only this folder

Restart your system and do an online virus scan and delete anything it finds:
http://housecall.tre.../start_corp.asp

or/and Panda active scan
or/and etrust antivirus web scanner

Repost here with a new log from hijack.

Edited by pfofit, 14 June 2004 - 11:05 PM.


#4 jrshine360

jrshine360

    Member

  • New Member
  • 4 posts

Posted 15 June 2004 - 07:00 PM

Thank you so much for your help pfofit. I completed your previous instructions. Here is my new log file. Thanks again.



Logfile of HijackThis v1.97.7
Scan saved at 6:55:19 PM, on 6/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY SHARED FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.micro...x86/ielabel.cab
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcaf...an/mgavinst.cab
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcaf...ng/mcsmtshp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {52ADE293-85E8-11D2-BB22-00104B0EA281} (MS Investor Ticker) - http://fdl.msn.com/p...r/v7/ticker.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...d/mcinstall.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...v9.5/ticker.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} (McAfee.com Component Download Manager Class) - http://download.mcaf...c/CDM/McCDM.cab
O16 - DPF: WG3Client - file://F:\DATA\WEST GROUP\DOWNLOAD\IE\wg3clnt.cab
O16 - DPF: WG3Swing - file://F:\DATA\WEST GROUP\DOWNLOAD\IE\wg3swing.cab
O16 - DPF: WG3Images - file://F:\DATA\WEST GROUP\DOWNLOAD\IE\wg3img.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8152.5841666667
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
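A quick way to check a pair of scans like the two posted in this thread (before and after the fixes) is to parse them and diff the entries rather than reading both by hand. The block below is an added example, not code from the thread, the forum, or HijackThis itself. It uses trimmed excerpts of the two logs above as constructed input, and its "suspicious" heuristics (entries marked "(file missing)" or "(no file)", autoruns launched from a temp directory, and autorun value names that mix digits and letters) are an assumed triage aid, not the advisor's method; they only partly reproduce what pfofit picked out by eye, and the [ZCvFRWYmU] entry, for instance, is not caught by them. The real check is the diff: every entry that was flagged must be absent from the second scan.

```python
"""Parse HijackThis v1.97-style logs, flag candidates, and diff two scans.

Added example (not from the thread or from HijackThis). The two log
excerpts below are trimmed copies of the scans posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the first scan (14 June), trimmed to a few lines.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:21:11 PM, on 6/14/04

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\BPC9JNP.EXE
C:\WINDOWS\SYSTEM\WKV9063.EXE

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [YKGPPRX9H.EXE] C:\WINDOWS\TEMP\YKGPPRX9H.EXE
O4 - HKLM\..\Run: [38RTWGS3AH8264] C:\WINDOWS\SYSTEM\Unpv.exe
O4 - HKCU\..\Run: [ZCvFRWYmU] BPC9JNP.EXE
"""

# Excerpt of the second scan (15 June), after the fixes, trimmed likewise.
LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:55:19 PM, on 6/15/04

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\DDHELP.EXE

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""

# One R*/O* line: "R3 - ..." or "O16 - ...". Header and process list do not match.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Inside an O4 body: "HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^(.*): \[(.*?)\] (.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "R3", "O2", "O4"
    body: str     # the rest of the line, verbatim


def parse_log(text: str) -> list[Entry]:
    """Return the R*/O* entries of a HijackThis log in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def running_processes(text: str) -> list[str]:
    """Return the paths listed under 'Running processes:' (up to the blank line)."""
    procs, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block:
            if not line:
                break
            procs.append(line)
    return procs


def flag_suspicious(entries: list[Entry]) -> dict[Entry, str]:
    """Assumed triage heuristics (not HijackThis's own logic): return entry -> reason."""
    reasons: dict[Entry, str] = {}
    for e in entries:
        if e.section in ("O2", "O3") and "(file missing)" in e.body:
            reasons[e] = "BHO/toolbar registered but its DLL is missing"
        elif e.section == "R3" and "(no file)" in e.body:
            reasons[e] = "URLSearchHook with no backing file"
        elif e.section == "O4":
            m = O4_RE.match(e.body)
            if not m:
                continue  # e.g. "Startup: foo.lnk = ..." has no [name]
            name, target = m.group(2), m.group(3)
            if "\\TEMP\\" in target.upper():
                reasons[e] = "autorun launched from a temp directory"
            elif re.search(r"\d", name) and re.search(r"[A-Za-z]", name):
                reasons[e] = "autorun value name mixes digits and letters (review by hand)"
    return reasons


def diff_logs(before: list[Entry], after: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Return (entries removed since 'before', entries new in 'after'), order preserved."""
    removed = [e for e in before if e not in set(after)]
    added = [e for e in after if e not in set(before)]
    return removed, added


def still_flagged(before_text: str, after_text: str) -> list[Entry]:
    """Flagged entries from the first scan that survive into the second scan."""
    after_set = set(parse_log(after_text))
    return [e for e in flag_suspicious(parse_log(before_text)) if e in after_set]


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for e, why in flag_suspicious(before).items():
        print(f"FLAG {e.section} - {e.body}\n     {why}")
    removed, added = diff_logs(before, after)
    print(f"{len(removed)} entries removed, {len(added)} added, "
          f"{len(still_flagged(LOG_BEFORE, LOG_AFTER))} flagged entries still present")
```

Run it against two full logs saved as text files and an empty "still present" list is the confirmation the advisor is asking for when they request a fresh log; a non-empty list means a fix did not take (often because a browser or Explorer window was still open, which is why the instructions say to close them first).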

#5 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • 171 posts

Posted 15 June 2004 - 08:27 PM

Well done jrshine. Some clean up, and then some protection.

Reboot into safe mode once again and delete all files in the following folders
c:\temp <--delete all files in this folder
c:\windows\ temp <--delete all files in this folder
Then open an IE and select tools>internet options and delete all temporary internet files and tick offline content.
Reboot.

Below is my standard speech and I will add that you are in need of a visit to windows updates. Go there and install all critical updates. You may need a couple of trips. Go back again and again until there are no more critical updates. It's the way MS does the updates.
--------------------------------------------------------------------------------------------------------------
Please read through the recommended ideas and free software listed below that will help to keep your computer from being reinfected.
  • Do not let any site install anything if you do not know what it is.

  • Ensure that an Antivirus is updated weekly and running. AVG antivirus from Grisoft is a very good FREE antivirus program if you do not have one already.

  • Make sure you have the latest critical updates from windows update.

  • SpywareBlaster will prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

  • IE-SPYAD puts over 4000 known 'bad' sites into your IE restricted zone so that they cannot install malware on your PC.

  • Google toolbar has a very good built in popup blocker with a nice search bar. To provide privacy, select disable advanced features when installing.

  • Check your system for latest virus definitions with an online virus scan
    Check your system for latest trojan definitions with an Online trojan scan

  • Spybot S&D 1.3 and/or Ad-aware 6 Free are excellent removal tools and are updated often.

  • And also see this link for additional security information.
    So how did I get infected in the first place?
pfofit

Edited by pfofit, 15 June 2004 - 08:28 PM.


#6 jrshine360

jrshine360

    Member

  • New Member
  • 4 posts

Posted 15 June 2004 - 10:35 PM

Thanks so much for ALL of your help pfofit. I definitely learned a lot throughout these processes. Your time and energy exerted are greatly appreciated! Again, thank you. Jrs
