69.42.87.221 and other problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by millervt, Apr 30, 2005.

  1. millervt

    millervt Private E-2

    I started out on my spyware removal quest after my one PC became infected with a browser hijack that originates from 69.41.87.221 (and sometimes 219). It is driving me crazy, because it takes twice as long to work on the net now. I did some preliminary Google work, and it appears to be complicated (or it seems to me), involving interpreting a HijackThis log, etc. So, following the instructions on this site, I did the comprehensive cleaning (safe mode, scans, removals, etc.). Still no joy in removing this hijack (although it did find a number of others and removed them, so I feel good about that).

    I can post the hijack log if that would be helpful.

    The only other interesting results from the various scans are the following problems, which were reported by the Symantec online scan (and not fixed by Ad-Aware, Spybot, etc.):

    1. weatherbug (they have a removal tool...which didn't remove it)
    2. virtual bouncer (c:\windows\bundleouter.exe)
    3. begin2search (c:\windows\system32\nsuc.dll)
    4. betterintent (c:\windows\system32\thin-94-5-x-x.exe)

    I could take a stab at removing these myself, by deleting files and such, but I worry they'd just come back that way.

    Anyway, any help is appreciated. I have 9 kids and desperately, among everything else I have to do, try to keep the PCs running at least reasonably well. Unfortunately, the teenage kids would see a button called "EVIL SPYWARE" and click on it, thinking it was a punk band from New Jersey. :)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    WeatherBug should just be uninstalled via Add/Remove Programs.
    Also look in there for VBouncer or Virtual Bouncer and uninstall it if found.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the downloaded ZIP file.

    - Before running HijackThis: you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. millervt

    millervt Private E-2

    Thanks for the response!

    WeatherBug appears to be gone now. I had tried the uninstall and it seemed like it was still there, but maybe it disappeared on next boot. No sign of uninstall options for any of the other 3 spyware that remain.

    Attached a HJT log. I peeked through it, and for what it is worth, I don't currently run any Symantec products (I used to, but switched to McAfee for various reasons), so I assume we can delete references to them? I've done all the uninstalls, but from what I understand Symantec products tend to hang around even after being uninstalled. I also don't use stamps.com any more.

    I also uninstalled Microsoft Java and installed Sun's.

    Any and all suggestions gratefully appreciated to get rid of that obnoxious browser hijacker.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's first try to get rid of the unnecessary Symantec service:

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    Click on Start, then Run, type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down until you see either Symantec Network Drivers Service or SNDSrvc. Then right-click the entry, select 'Properties' and press 'Stop'. When it shows that it is stopped, set the 'Startup type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button, select 'Delete an NT service', copy/paste the following into the box that opens, and press 'OK':
    Symantec Network Drivers Service (or, if that does not work, try SNDSrvc)

    Now exit HijackThis.

    If you do not use Viewpoint Manager (junk from AOL) I suggest uninstalling it.
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsuC.dll
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/3_0_0_804/sdcregie.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
    O16 - DPF: {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - http://www.advancedsearchbar.com/searchbarsetup2.exe
    O20 - Winlogon Notify: tapicmd - C:\WINDOWS\
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\nsuC.dll
    C:\WINDOWS\system32\gah95on6.exe
    C:\Program Files\AWS\WeatherBug
    C:\Program Files\Common Files\Symantec Shared

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Then, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
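The fix list above is regular enough to parse. The following is an added example, not HijackThis code and not something either poster wrote: it turns the quoted log lines into structured records (section, CLSID, local path, download URL, and the "(file missing)" marker) and derives the files that HJT's Fix will unhook but leave on disk, which is what the safe-mode deletion step afterward is for. The regular expressions are assumptions about the log format inferred from these lines only; the sample input is the thread's own fix list, embedded inline.

```python
"""Parse HijackThis (HJT) log lines and derive post-Fix cleanup work.

Added example for this thread; not HijackThis code. The parsing rules are
assumptions read off the log lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the lines the poster was told to select for Fix.
HJT_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsuC.dll
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/3_0_0_804/sdcregie.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - http://www.advancedsearchbar.com/searchbarsetup2.exe
O20 - Winlogon Notify: tapicmd - C:\WINDOWS\
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"""

SECTION_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# A drive-letter path running to the end of the line, minus HJT's trailing
# "(file missing)" / "(HKCU)" annotations. Assumed format, not HJT's spec.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)(?:\s+\((?:file missing|HKCU|HKLM)\))*\s*$")


@dataclass
class HjtEntry:
    section: str            # R0, O2, O4, O16, O23, ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # {GUID} if the line carries one
    path: Optional[str]     # local file/folder path if present
    url: Optional[str]      # download URL (O16 DPF lines)
    file_missing: bool      # HJT says the referenced file is gone


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn raw HJT log text into one HjtEntry per recognised line."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # blank line, log header, or something we don't parse
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(HjtEntry(
            section=section,
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            path=path.group(1) if path else None,
            url=url.group(0) if url else None,
            file_missing="(file missing)" in body,
        ))
    return entries


def by_section(entries: List[HjtEntry]) -> Dict[str, List[HjtEntry]]:
    groups: Dict[str, List[HjtEntry]] = {}
    for e in entries:
        groups.setdefault(e.section, []).append(e)
    return groups


def local_artifacts(entries: List[HjtEntry]) -> List[str]:
    """Absolute paths HJT reported as present. Fix removes the hook (registry
    value, BHO registration, service entry) but not the file, so these are
    the safe-mode deletion candidates. Truncated paths ending in a backslash
    (the O20 line) name no file and are skipped; the O4 Startup line has no
    absolute path in the log, so it is not listed either."""
    files = {e.path for e in entries
             if e.path and not e.file_missing and not e.path.endswith("\\")}
    return sorted(files, key=str.lower)


def dpf_downloads(entries: List[HjtEntry]) -> List[Tuple[Optional[str], str, bool]]:
    """O16 entries as (CLSID, URL, fetched over plain http?)."""
    return [(e.clsid, e.url, e.url.startswith("http://"))
            for e in entries if e.section == "O16" and e.url]


if __name__ == "__main__":
    parsed = parse_hjt(HJT_LINES)
    for sec, items in sorted(by_section(parsed).items()):
        print(f"{sec}: {len(items)} line(s)")
    print("files still to delete after Fix:", *local_artifacts(parsed), sep="\n  ")
    print("ActiveX downloads:", *dpf_downloads(parsed), sep="\n  ")
```

The "files still to delete" list is exactly the gap between what HJT's Fix button does and what the safe-mode Explorer step does; the O9 lines are already "(file missing)" and need no file deletion, and the O16 lines point at remote .cab/.dll/.exe downloads rather than local files.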
  5. millervt

    millervt Private E-2

    Thanks! The browser hijack seems gone now. I managed everything successfully except deleting the Symantec stuff, since it claimed it was a critical service or something, but frankly I don't care much about cleaning that up.

    Attached is a HJT log just in case, but I think we are clean now. I'll run a Symantec check to confirm, since that found the most problems; hopefully I'm set.
     

  6. millervt

    millervt Private E-2

    One quick, maybe unrelated question. IE, at about the same time, started having problems filling in an entire web page; in other words, some of the frames (?) would show the standard IE "this page cannot be displayed" message. The same sites in Firefox would display the entire web page at the same time (so it doesn't appear to be a timing/web site issue, and it's been fairly consistent). Is this related to any spyware issues, and even if not, any suggestions on how to fix this? It's usually a stupid banner that is missing (like the top part of the MSNBC baseball scoreboard web page), but it does bother me that something that was working fine before doesn't work now.
     
  7. millervt

    millervt Private E-2

    Well, the Symantec check still shows 5 problems:

    C:\WINDOWS\SYSTEM32\bln02nqv.exe is infected with Adware.SAHAgent
    C:\WINDOWS\SYSTEM32\BundleOuter.exe is infected with Adware.VirtualBouncer
    C:\WINDOWS\SYSTEM32\q17i9a4j.exe is infected with Adware.SAHAgent
    C:\WINDOWS\SYSTEM32\thin-94-5-x-x.exe is infected with Adware.BetterInternet
    C:\hjt\backups\backup-20050502-190617-455.dll is infected with Adware.Begin2search


    My system is a lot better, so I'm not too worried, and maybe I'll make one more attempt to get rid of these if people have suggestions, but otherwise it's definitely a victory...

    (is it as simple as deleting the above files?)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your HJT log, the Symantec service is gone. That is what my fix should have done.

    You have another item in your HJT log to fix:

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Just delete the files. You may need to be in safe mode. Note that the last file ( C:\hjt\backups\backup-20050502-190617-455.dll ) is a HijackThis backup. It is not an infection; it is just where the backups of things fixed with HJT are stored. It is safe to remove.
     
  10. millervt

    millervt Private E-2

    Thanks again, did the last cleanup, and hope to stay spyware free as much as possible in the future.

    It's funny... you hear about spam all the time, and frankly, compared to the hassle and time of dealing with spyware, spam is nothing.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should post a follow up HJT log so we can make sure you are clean. Also you should perform the steps in the below thread to help keep you clean:

    How to Protect yourself from malware!
     