CWS, Adaware and HJT Resistant problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shredded, May 14, 2004.

  1. shredded

    shredded Private E-2

    Situation:
    For at least two weeks I've been getting the same pop-ups (internet ads warning me about spyware. One is grey, one is yellow, one is white, among other things). Also my whole system has been running slow. Last, "Viewpoint Media Player" has been popping up with a "recommended update" (a program I've never even heard of). Lastly, in my start menu there are gold star and green play buttons for such things as penis enlargers and porn and pop-up killers.

    Actions thus far: Ran CWShredder over 10 times: depending on how much surfing I've done, CWS.Search will come up along with others.
    Ran HijackThis over 10 times, deleted some obvious bad stuff, but I don't have the knowledge to pick out anything else.
    Ran Ad-Aware over 10 times and CWS plus a lot of data miners keep recurring.
    Deleted my TIFs and cookies numerous times.

    Here is my HJT LOG
    Logfile of HijackThis v1.97.7
    Scan saved at 12:10:12 PM, on 5/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\StreamCast\Morpheus\morphexe.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\system32\RadioSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
    O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [SpyBlast] "C:\Documents and Settings\Owner\My Documents\download\themaniels\SpyBlast.exe" /autorun
    O4 - HKCU\..\Run: [Morpheus] "C:\Program Files\StreamCast\Morpheus\Morpheus.exe" -min
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37937.6005208333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx


    Any suggestions to the sequence/method in ridding myself of these problems?
    Thanks
     
  2. shredded

    shredded Private E-2

  3. Kodo

    Kodo SNATCHSQUATCH

    I'm going to ask the obvious so don't shoot me. Did you update the Ad-Aware reference file?

    Have you tried SpyBot?
     
  4. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

  5. Kodo

    Kodo SNATCHSQUATCH

    to get rid of the sysupd file, you have to boot to safe mode and delete it.

    GLS, I didn't read those links, so if my info above is in them, sorry. ;)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should uninstall the Viewpoint Manager. See http://www.kephyr.com/spywarescanner/library/viewpointmediaplayer/index.phtml

    Delete these with HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    I believe the Workflow.exe program is also spyware related to Broadjump. I would remove it too unless you put it there for some reason.

    O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe

    Open Task Manager and kill the sysupd.exe process. Then using HijackThis delete the next line.
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

    You will need to boot in safe mode and delete the c:\windows\sysupd.exe file.

    Hopefully the next line will already be gone after uninstalling the software. If not, delete it with HijackThis:

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    This needs to be cleaned up:
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    See this link: http://www.pestpatrol.com/PestInfo/w/web_p2p_installer.asp

    Edit: Kodo and General, I was still editing while you guys were submitting! :D
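The triage above works through the O4 (Run key), O16 (downloaded ActiveX) and R1 (IE registry) lines of the HijackThis log by hand. As an added example, not part of this thread or of HijackThis itself, the following Python script parses those three entry classes from a constructed log excerpt in the same format and applies a few path-based heuristics that surface the same entries chaslang picked out: an autorun executable sitting directly in the Windows directory root rather than System32 (sysupd.exe), one launched from the root of a secondary drive (D:\Workflow.exe), a DPF object with no source URL (Web P2P Installer), and an IE start-page value left at about:blank. The heuristics and the `flag_entries` reasons are this example's own assumptions; a knowledge-based call like the Viewpoint entry, which lives in a normal Program Files path, is deliberately not caught, so treat the output as a starting point for review rather than a verdict.

```python
"""Parse HijackThis-style O4 / O16 / R1 lines and flag entries worth a second look.

Added example; the sample log is a constructed excerpt in the same format as
the thread's log, and the flagging rules are illustrative assumptions.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample log (same line format as the HijackThis 1.97.7 output above).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Morpheus] "C:\Program Files\StreamCast\Morpheus\Morpheus.exe" -min
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) -\s*(?P<url>\S*)$")
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>\S+) = (?P<data>.*)$")
# First (optionally quoted) token ending in .exe; arguments after it are ignored.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised O4/O16/R1 line; other line types are skipped."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            exe = EXE_RE.match(m["cmd"])
            entries.append({"type": "O4", "raw": line, "hive": m["hive"], "name": m["name"],
                            "cmd": m["cmd"], "path": exe["path"] if exe else m["cmd"]})
        elif (m := O16_RE.match(line)):
            entries.append({"type": "O16", "raw": line, "clsid": m["clsid"],
                            "desc": m["desc"], "url": m["url"]})
        elif (m := R1_RE.match(line)):
            entries.append({"type": "R1", "raw": line, "key": m["key"],
                            "value": m["value"], "data": m["data"]})
    return entries


def flag_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply illustrative path/URL heuristics; returns (raw line, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e["type"] == "O4":
            directory, _ = ntpath.split(e["path"])
            drive, rest = ntpath.splitdrive(e["path"])
            if not directory:
                continue  # bare filename resolved via PATH; not judged by this heuristic
            if directory.rstrip("\\").upper() == "C:\\WINDOWS":
                findings.append((e["raw"], "autorun executable in the Windows directory root"))
            elif drive and drive.upper() != "C:" and rest.count("\\") == 1:
                findings.append((e["raw"], "autorun executable at the root of a secondary drive"))
        elif e["type"] == "O16" and not e["url"]:
            findings.append((e["raw"], "downloaded ActiveX object with no source URL recorded"))
        elif e["type"] == "R1" and e["data"].lower() == "about:blank":
            findings.append((e["raw"], "IE start-page value left at about:blank"))
    return findings


if __name__ == "__main__":
    for line, reason in flag_entries(parse_log(SAMPLE_LOG)):
        print(f"{reason}:\n    {line}")
```

Each flagged line maps back to an action in the thread: kill the process and remove the Run entry for the Windows-root executable, then delete the file from Safe Mode; uninstall or remove the secondary-drive autorun; clean up the URL-less DPF object; and let HijackThis remove the R1 value.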
     
  7. Kodo

    Kodo SNATCHSQUATCH

    type faster soldier!! :p
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not fair!!! I had more to type! ;)
     
  9. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Agreed
    Good work Chas, i was a little busy so just pointed out the one i spotted ;)
     
