Malware Removal: Malware removal forum. Please see the READ ME FIRST thread before you post. The forum is staffed by a small number of volunteers; please be patient.
#1
I am trying to clean an XP machine that was loaded with adware and spyware as well as some viruses. I have loaded, updated and run AdAware, Spybot S&D, SpywareBlaster, CWSearch, as well as updated Norton AntiVirus. Cleaned about a thousand adware/spyware crap found as well as a dozen viruses. I keep having a shortcut load on the desktop as well as an application that is called teeenzzzz and points to the following url: "C:\Program Files\WebSiteViewer\123758.exe" /ac:123758 /sk: /lc: /ul . I have deleted this exe but it keeps returning. I also get a dialing dialogue box with the following: WebSiteViewer, dialing failed (error #680) retry. Of course I select no. Any ideas where to get rid of this install program?
I am not too technical but trying to clean up my son's machine. He had a bit of porn popups when we started. Completely unable to use the machine at all, just site after site spawning uncontrollably. I am down to this last exe, I hope. Thanks in advance.
#2
Thanks for the responses. I will look into HijackThis as well as the info provided by xflat. Where do I find the system restore in order to turn it off?
Thanks again, AlasKen
#3
In XP, to turn off System Restore, go to:
Right click My Computer > Properties. One of the tabs there will have a place to turn off System Restore (it might say System Restore, but I can't remember because I am still on Windows ME). Then click OK and follow the rest of the directions given. Good luck.
#4
Thanks for the quick response. The help here has been great. AlasKen
#5
__________________
"See to it that no one misses the grace of God." Hebrews 12:15
#6
For your future reference, here is a link right here on MG's with info on how to disable or enable System Restore for WinXP and WinME: http://www.majorgeeks.com/vb/showthread.php?t=31668
#7
I was reviewing at work; I am back at home and attempted to do what was suggested. I shut off System Restore as you suggested. It worked as advertised. I ran AdAware and deleted 10 items related to WebSiteViewer and the Teeenzzzzz icon shortcuts. I then ran Spybot S&D. It found nothing. I then ran msconfig and did not see anything that jumped out at me. For S&G's I disabled msmsgs. The ones I was not sure of were SK2000DM, MS32, WksSb, WkDetect, WkFud. I believe the Wk stuff is MS Works. I also set AdAware to scan on restart. On the restart the AdAware scan found nothing. System booted up and then the dreaded "please wait while we prepare plugin". The icons returned and I then get an error message "WebSiteViewer dialing failed (error#680) Retry, Cancel". Everything is back on again.
The one thing I was fixing to go look for is a "good reg cleaner" as recommended by xflat. I am open to continuing ideas. This is starting to pi$$ me off.
#8
Three things:
1) Have you checked Add/Remove Programs to see if there is anything in there you do not recognize?
2) Boot your PC in Safe Mode and run Ad-aware & Spybot S&D (make sure you check for updates first). If you don't know how to boot in Safe Mode, go here and check for your OS: http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
3) Try posting a HijackThis log as Robo mentioned in his first post. Maybe we can see something in there.
#9
I think I did everything listed below. Went into Safe Mode and ran CWShredder, Spybot S&D, and AdAware for each user. It still loaded a plugin when I came out of Safe Mode. It then tries to dial out and charge my phone line for a 30 day subscription to something. I hate to be a bother but I am out of ideas. I ran a scan with HijackThis and show it below. Any ideas are appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 11:23:43 PM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\ms32.exe
C:\WINNT\System32\Sktempdm.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\SK9910DM.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\WebSiteViewer\123758.dlr
C:\Documents and Settings\Kenneth Dodson.JUSTIN\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1503
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1503
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
O1 - Hosts: 209.66.115.34 pichunter.com
O1 - Hosts: 209.66.115.34 pussyslot.com
O1 - Hosts: 209.66.115.34 www.pichunter.com
O1 - Hosts: 209.66.115.34 www.pussyslot.com
O1 - Hosts: 209.66.115.34 www.pinkworld.com
O1 - Hosts: 209.66.115.34 pinkworld.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINNT\udpmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {81564AF1-D040-4A70-80E5-003B340CA350} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714E26D-C64F-4B06-B9B0-53F394148737} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
O4 - HKLM\..\Run: [System Backup] ms32.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...130.8866550926
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
#10
I can tell by reading the log file that some entries should come off. Any suggestions on how to do it are welcome. Thanks in advance. AlasKen
#11
In your first post you mentioned 'CWSearch' - I'm assuming you mean CWShredder. If your version is earlier than 1.59, download it again and run it:
http://www.majorgeeks.com/download4086.html

Kill these processes in Task Manager (if allowed to):
ms32.exe
Sktempdm.exe
123758.dlr

In HijackThis put a check by these lines and click 'Fix checked':
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1503
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1503
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
O1 - Hosts: 209.66.115.34 pichunter.com
O1 - Hosts: 209.66.115.34 pussyslot.com
O1 - Hosts: 209.66.115.34 www.pichunter.com
O1 - Hosts: 209.66.115.34 www.pussyslot.com
O1 - Hosts: 209.66.115.34 www.pinkworld.com
O1 - Hosts: 209.66.115.34 pinkworld.com
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINNT\udpmod.dll
O2 - BHO: (no name) - {81564AF1-D040-4A70-80E5-003B340CA350} - (no file)
O2 - BHO: (no name) - {D714E26D-C64F-4B06-B9B0-53F394148737} - (no file)
O4 - HKLM\..\Run: [System Backup] ms32.exe
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

Then reboot to Safe Mode and delete these files:
C:\WINNT\System32\ms32.exe
C:\WINNT\System32\Sktempdm.exe
C:\WINNT\udpmod.dll

and this directory:
C:\Program Files\WebSiteViewer

And it wouldn't hurt to run an online virus scan: http://housecall.trendmicro.com
__________________
The Talibong -- my Antidrug "Only those who will risk going too far can possibly find out how far one can go" -T.S. Eliot
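The triage in the post above follows a handful of recognisable patterns: IE start/search settings that point at a local file instead of a URL, hosts-file overrides, BHOs whose file is missing or sits outside Program Files, Run entries that are a bare filename with no path, and O16 ActiveX downloads from an unfamiliar host. As an added example (not code from the thread, and not part of HijackThis itself), here is a small Python parser that reads HijackThis entry lines and applies those rules. The sample lines are a constructed subset of the log posted earlier in this thread; the list of trusted download domains is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log lines posted earlier in
# this thread, trimmed to a few lines per section.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1503
O1 - Hosts: 209.66.115.34 pichunter.com
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINNT\udpmod.dll
O2 - BHO: (no name) - {81564AF1-D040-4A70-80E5-003B340CA350} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [System Backup] ms32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""

# Every HijackThis entry line starts with a section code (R0, R1, O1, ...).
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Hosts from which O16 ActiveX downloads are treated as expected.
# Assumption for this example, not a HijackThis feature; extend as needed.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "macromedia.com")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(text):
    """Return (section, body, raw_line) for each entry line; other lines are skipped."""
    out = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            out.append((m.group("section"), m.group("body"), raw))
    return out


def _first_token(cmd):
    """The executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _trusted_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def check_entry(section, body, raw):
    """Apply the triage rules used in the thread; return a Finding or None."""
    if section in ("R0", "R1"):
        # Start/search settings should be URLs; a local file is the hijack pattern seen here.
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if re.match(r"^[a-z]:\\", value, re.I):
            return Finding(section, raw, "IE search/start setting points to a local file")
    elif section == "O1":
        # Any hosts-file entry HijackThis lists redirects a domain and deserves review.
        return Finding(section, raw, "hosts-file entry redirects a domain")
    elif section == "O2":
        target = body.rsplit(" - ", 1)[1]
        if target == "(no file)":
            return Finding(section, raw, "BHO registered but its file is missing")
        if not re.match(r"^[a-z]:\\progra", target, re.I):
            return Finding(section, raw, "BHO loaded from outside Program Files; check its version info")
    elif section == "O4":
        cmd = body.split("] ", 1)[1] if "] " in body else ""
        if "\\" not in _first_token(cmd):
            # A bare name resolves through the search path. It may be a vendor helper
            # (SK2000DM turned out to be Silitek) or an implant (ms32.exe): review it.
            return Finding(section, raw, "Run entry is a bare filename with no path; check its version info")
    elif section == "O16":
        src = body.rsplit(" - ", 1)[1]
        m = re.match(r"https?://([^/]+)", src, re.I)
        if m and not _trusted_host(m.group(1)):
            return Finding(section, raw, "ActiveX download from an unrecognised host")
    return None


def triage(text):
    """Run every entry through check_entry and collect the findings."""
    findings = []
    for section, body, raw in parse_entries(text):
        f = check_entry(section, body, raw)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The rules surface candidates, not verdicts: the O4 check flags both ms32.exe and SK2000DM.EXE, and the thread shows why that is the right behaviour, since the second one was resolved by looking at the file's Version tab rather than by the log line alone. Truncated URLs in pasted logs (the `...` in the Windows Update entry) will also show up as unrecognised hosts until the full line is available.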
#12
Thanks for the update. I meant CWShredder. It was a recent download in the last week or so. I searched for updates last night.
Are there any issues with the three plugin O12 lines?
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
The only reason I ask is that I get the issue with the dialogue box that it is preparing a plugin. I appreciate all your help here. I will take care of these suggestions tonight after I get home. This site is the best. Thanks to all. AlasKen
#13
I believe NPDocBox.dll is an Adobe Reader plugin and it is okay to have. I'm not sure what NPRVRT32.dll is (may be for Adobe too). Try right clicking on it from Windows Explorer and looking at Properties and Version info. You can probably tell who it belongs to.
#14
I want to thank everyone for their help. There is no way I could have figured this out on my own. I believe that I have gotten rid of this problem. After fixing the issues mentioned from the HijackThis log and running Trend Micro HouseCall AV I seem to be clean.
I was surprised to find that HouseCall found 11 trojans that my updated Norton AV did not. At least 6 of these trojans were porndialer variants with the same signature as the process that was running. I hope you don't mind but I am posting a copy of my HijackThis log to see if you see anything that I have overlooked. Again my thanks. AlasKen

Logfile of HijackThis v1.97.7
Scan saved at 7:59:59 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\Sktempdm.exe
C:\WINNT\System32\SK9910DM.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Kenneth Dodson.JUSTIN\My Documents\My downloads\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7...ll/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...130.8866550926
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
#15
Looks much better, except this is still there:
C:\WINNT\System32\Sktempdm.exe
Were you unable to delete that, or did you delete it and it came back?
__________________
The Talibong -- my Antidrug "Only those who will risk going too far can possibly find out how far one can go" -T.S. Eliot
#16
__________________
The Talibong -- my Antidrug "Only those who will risk going too far can possibly find out how far one can go" -T.S. Eliot
#17
I deleted it and it looks like it is back. I'll try again. Thanks for the heads up about AVAST. I just wish I knew about MG and AVAST about a week ago when I started this endeavor. I just renewed. Any problem running AVAST and Norton, or should I uninstall Norton? Thanks a lot. AlasKen
#18
#19
It's not a good idea to have 2 AVs running at the same time...
Right-click on Sktempdm.exe and click Properties > Version, any info there?
__________________
The Talibong -- my Antidrug "Only those who will risk going too far can possibly find out how far one can go" -T.S. Eliot
#20
Description: New Device Check Program
Comments: For Windows 2000
Company: Silitek Corp
Internal Name: Sk2000DM.exe
I also have SK2000DM and SK9910DM. SK2000DM has the same information as Sktempdm. SK9910DM is also from Silitek but its description is daemon. Thanks very much, AlasKen