• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Duckbill

clear ads with just HijackThis?

6 posts in this topic

I'm working on a friend's computer who recently stumbled into a rather nasty browser hijack. Internet Explorer starts incredibly slowly, then when it finally loads shows a bunch of ads (popup blocker goes crazy) and shuts itself down. These only run when IE is started (or you try to go to another page) so I'm pretty sure it's hijack related. I am unable to even download spybot or adaware to the computer because of this and neither fit on a floppy. I could put them on a CD, but that is somewhat of a last resort. I have the feeling that a lot would be solved if I could get rid of a few of the hijacks. Then I could at least get online long enough to download spybot and adaware and thus solve the problem. Any help would be appreciated.

 

Logfile of HijackThis v1.97.7

Scan saved at 1:34:42 PM, on 6/15/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Bargain Buddy\bin2\bargains.exe

C:\PROGRA~1\Save\Save.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\QuickTime\qttask.exe

C:\documents and settings\rickey\local settings\temp\xVuiGwf8.exe

C:\Program Files\Lycos\IEagent\Loader.exe

C:\WINDOWS\System32\IEHost.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\dxmstr10.exe

C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Program Files\Common Files\Dpi\dpi.exe

C:\Program Files\Common files\updmgr\updmgr.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\WINDOWS\dhbrwsr.exe

C:\Program Files\VVSN\VVSN.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\WINDOWS\winppr32.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\SysAI\SysAI.exe

C:\Program Files\Internet Optimizer\actalert.exe

C:\Program Files\Lycos\IEagent\csAOLldr.exe

C:\WINDOWS\System32\HqpY.exe

C:\WINDOWS\System32\Xej7ALq.exe

C:\WINDOWS\dhsvr.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\windows\msbb.exe

C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL

O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll

O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll

O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif

O2 - BHO: (no name) - {22941A26-7033-432C-94C7-6371DE343822} - C:\Program Files\scbar\v1\scbar.dll

O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - (no file)

O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll

O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll

O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - (no file)

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\Program Files\Zipclix\zipclix.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe

O4 - HKLM\..\Run: [LEPRO32O] C:\WINDOWS\System32\LEPRO32O.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NETPPUII] C:\WINDOWS\System32\NETPPUII.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\Run: [xVuiGwf8] C:\documents and settings\rickey\local settings\temp\xVuiGwf8.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\Lycos\IEagent\Loader.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Voqw.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

O4 - HKLM\..\Run: [wFEk3nR] dxmstr10.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe

O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe

O4 - HKLM\..\Run: [bilcj] C:\WINDOWS\bilcj.exe

O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe

O4 - HKLM\..\Run: [pap] C:\WINDOWS\pap.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe

O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Lisa\LOCALS~1\Temp\djtopr1150.exe"

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: Sidesearch (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra 'Tools' menuitem: IMI (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/downlo...105/stoppop.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauth...etwasherpro.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://wwb.ieplugin.com/adcampaigns/webplugin.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7866.5653703704

O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/12...erOuter1203.EXE

O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab

Share this post


Link to post
Share on other sites

Hoo boy! You have a seriously compromised computer there! It will take more that Spybot and AdAware to finally clean up. There are at least two virus files there.

Let's try and get it to stay on line long enough to run an antivirus scan.

 

First, please download CWShredder

This was written to deal with Coolweb and all its variants.

 

Download and run the program. Let it fix everything it finds, and reboot.

 

From Add/Remove Programs, uninstall Apropos client, and WinTools if listed..

 

You have the Peper trojan, which requires special treatment to put it out of your misery!

Please download and run this uninstaller.

 

Click on the peperfix link, and download the program. Then go off line, and run the program. It will remove the files, leaving one orphaned entry to be cleaned up with Hijack this.

 

That should take care of some of it. Some of the entries below will be removed by CWShredder, but check everything thats left.

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL

O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll

O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll

O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif

O2 - BHO: (no name) - {22941A26-7033-432C-94C7-6371DE343822} - C:\Program Files\scbar\v1\scbar.dll

O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - (no file)

O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll

O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll

O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - (no file)

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll

 

 

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

 

O4 - HKLM\..\Run: [bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe

O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe

O4 - HKLM\..\Run: [LEPRO32O] C:\WINDOWS\System32\LEPRO32O.exe

O4 - HKLM\..\Run: [NETPPUII] C:\WINDOWS\System32\NETPPUII.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\Run: [xVuiGwf8] C:\documents and settings\rickey\local settings\temp\xVuiGwf8.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\Lycos\IEagent\Loader.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Voqw.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

O4 - HKLM\..\Run: [wFEk3nR] dxmstr10.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe

O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe

O4 - HKLM\..\Run: [bilcj] C:\WINDOWS\bilcj.exe

O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe

O4 - HKLM\..\Run: [pap] C:\WINDOWS\pap.exe

O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc

 

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe

O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Lisa\LOCALS~1\Temp\djtopr1150.exe"

 

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: Sidesearch (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra 'Tools' menuitem: IMI (HKLM)

 

O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/downlo...105/stoppop.cab

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://wwb.ieplugin.com/adcampaigns/webplugin.cab

O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab

O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab

Reboot, and delete

 

files

 

C:\WINDOWS\susp.exe

C:\WINDOWS\System32\LEPRO32O.exe

C:\WINDOWS\System32\NETPPUII.exe

C:\WINDOWS\wupdt.exe

C:\documents and settings\rickey\local settings\temp\xVuiGwf8.exe

C:\WINDOWS\System32\Voqw.exe

C:\WINDOWS\System32\IEHost.exe

C:\WINDOWS\System32\stlbdist.DLL

dxmstr10.exe

C:\WINDOWS\System32\bridge.dll

C:\WINDOWS\DHUpdt.exe

C:\WINDOWS\dhbrwsr.exe

c:\windows\msbb.exe

C:\WINDOWS\bilcj.exe

C:\WINDOWS\pap.exe

C:\WINDOWS\winppr32.exe

C:\WINDOWS\System32\msgked.exe

C:\DOCUME~1\Lisa\LOCALS~1\Temp\djtopr1150.exe

 

folders

C:\Program Files\LimeShop

C:\Program Files\Bargain Buddy

C:\PROGRA~1\Save

C:\Program Files\Lycos

c:\installer

C:\Program Files\AutoUpdate

C:\WINDOWS\system32\pcs

C:\Program Files\Common Files\Dpi

C:\Program Files\Common files\updmgr

C:\Program Files\Internet Optimizer

C:\Program Files\VVSN

C:\Program Files\Common files\WinTools

C:\Program Files\Web_Rebates

 

These may be hidden files. See HERE for how to show hidden files.

 

When you have done all that, if you can get on line, and stay there, get an on line scan at either Housecall or Panda A/V, and let it fix everything it finds.

Then scan with Spybot, ensuring that is is updated, and AdAware.

 

Then post a fresh Hijack this log, as there will almost certainly be something left to remove.

 

Good luck!

Share this post


Link to post
Share on other sites

Ah, much better. Did all that, got online, scanned for viruses, downloaded spybot and adaware, removed a bunch more stuff. However, some problems still remain:

 

I was unable to clean Trj/Downloader.L and Trj/Downloader.GK.

I was unable to delete the Web_Rebates folder or programs, and everytime I would close one of them (there were two programs) it would simply start back up.

HuntBar was continuously unable to be cleaned by Spybot.

Traces of the 180SearchAgent still remain somewhere.

 

Other than that, things seem to be working much better. Here is the new HijackThis logfile:

 

Logfile of HijackThis v1.97.7

Scan saved at 1:59:13 PM, on 6/16/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\oxalzi.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\WINDOWS\pap.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\spybotsd\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\XkvA.exe

O4 - HKLM\..\Run: [deoaofsi] C:\WINDOWS\System32\oxalzi.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [pap] C:\WINDOWS\pap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7866.5653703704

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

Thank you so much for all the help.

Share this post


Link to post
Share on other sites

The O4 entry that indicates the Peper trojan is still there. Just to be on the safe side, please run the uninstaller again.

 

Next, open task manager (CTRL - ALT - DEL), and end task on the WebRebates entries.

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

 

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\XkvA.exe

O4 - HKLM\..\Run: [deoaofsi] C:\WINDOWS\System32\oxalzi.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [pap] C:\WINDOWS\pap.exe

 

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

Reboot, and delete

 

files

C:\WINDOWS\System32\SearchBar.htm

C:\WINDOWS\System32\XkvA.exe

C:\WINDOWS\System32\oxalzi.exe

C:\WINDOWS\pap.exe

 

folder

C:\Program Files\Web_Rebates

 

Please post a followup Hijack this log, and say if your problems persist.

Share this post


Link to post
Share on other sites

Tried the ctrl alt del method... they come back too soon to get either of them to stop running. I think since there are two, anytime one of them closes the other starts it back up. This is just my guess. Any other theories? Perhaps by deleting it in HijackThis I'll be able to take care of it. Who knows. I'll give it a shot and let you know how it goes.

Edited by Duckbill

Share this post


Link to post
Share on other sites

Ok, the WebRebatescan be difficult. Try rebooting into safe mode, fixing the entries in Hijack this, and then WITHOUT rebooting, delete the files/folder.

 

Then post a fresh Hijack this log please

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0