Multiple spy/adware problem... HijackThis log provided

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mattkallman, Jun 21, 2004.

  1. mattkallman

    mattkallman Private E-2

    My friends came over last night and used my computer, and this morning I woke up to at least three spyware programs. I ran Ad-aware, CWShredder, Spybot, and Spyware Blaster to no avail. I deleted two programs I found running in the background: Apinn.exe and Mfcjg32.exe, also to no avail.

    The problems:
    (1) Internet Explorer opens to res://pvanw.dll/index.html#96676 at every startup;

    (2) if I type a URL into the address bar in Internet Explorer without the www before it (e.g. google.com instead of www.google.com), an obviously fake page at res://pvanw.dll/url_error.html#google.com entitled "Windows Help Center" appears;

    (3) any search I run in Google or Yahoo or any other engine leads to a pop-up at http://search-to-find.com/sec.php?qq=spyware+help&pin=96676;

    and (4) once every 10 minutes or so an ad called "Only The Best" will appear--I know this has been discussed before on other threads but it was way above my capabilities.

    The HijackThis logs have seemed to work for other people with similar problems, so here's mine:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:11:21 PM, on 6/21/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\IEPG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\PICASA\PICASAMEDIADETECTOR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\ADDCT32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pvanw.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pvanw.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pvanw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pvanw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pvanw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pvanw.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {F0457CDE-D7E9-6516-DB27-A1B12317061C} - C:\WINDOWS\NETME.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [APINN.EXE] C:\WINDOWS\SYSTEM\APINN.EXE
    O4 - HKLM\..\Run: [ADDCT32.EXE] C:\WINDOWS\SYSTEM\ADDCT32.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CRWC32.EXE] C:\WINDOWS\SYSTEM\CRWC32.EXE
    O4 - HKLM\..\RunServices: [ATLNG.EXE] C:\WINDOWS\SYSTEM\ATLNG.EXE
    O4 - HKLM\..\RunServices: [SDKBU32.EXE] C:\WINDOWS\SYSTEM\SDKBU32.EXE
    O4 - HKLM\..\RunServices: [ATLWR32.EXE] C:\WINDOWS\ATLWR32.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [IEPG32.EXE] C:\WINDOWS\SYSTEM\IEPG32.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Share in Hello (HKLM)
    O9 - Extra 'Tools' menuitem: Share in H&ello (HKLM)
    O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {591A09D0-6299-11D2-845B-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\WINDOWS\Web\Wallpaper\GWNet.CAB
    O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.bdiamond.com/products/surround/downloads/svideo.cab
    O16 - DPF: {873237C3-C440-11CF-B4B6-00A02429C7EF} (MbedControl Object) - http://www.mbed.com/control/MbedCtrl.cab
    O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.msnbc.com/download/nm0713.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
    O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/marquee.cab
    O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/ietimer.cab
    O16 - DPF: {848D4F25-0248-11D2-AD4F-60006E940457} (PimIEImport Class) - http://www41.briefcase.com/static/activex/pimcontrol.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.expedia.com/daily/download/MSSurVid.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveupdate.com/controls/cres.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://activex.microsoft.com/controls/mcsi/mcsimenu.cab
    O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://clinicdownload.mcafee.com/molbin/Shared/ComCtl32.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} (MaxisPublishX Control) - http://thesims.ea.com/us/teleport/MaxisPublishX.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/contact/serial/gwCID.CAB
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/1074fae51e397963c422/netzip/RdxIE.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38058.8463078704
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/061daa9d6cfb61032d00/netzip/RdxIE601.cab
    O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap.com/downloads/cpuid.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    I would obviously appreciate any help anyone could give me.

    Thanks!
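A small triage script for the log format posted above, added here as an example (it is not part of the thread and not HijackThis itself). The sample lines are copied from the posted log plus the benign ZoneAlarm entry for contrast; the three heuristics (IE pages pointed at a res:// DLL resource, BHOs with no file or loaded straight from C:\WINDOWS, autoruns whose key name is simply their own filename) are my own assumptions about which entries deserve review, not a rule from the tool.

```python
import re

# Constructed sample: lines taken from the posted log, plus one benign entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pvanw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pvanw.dll/sp.html#96676
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {F0457CDE-D7E9-6516-DB27-A1B12317061C} - C:\WINDOWS\NETME.DLL
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [APINN.EXE] C:\WINDOWS\SYSTEM\APINN.EXE
O4 - HKLM\..\RunServices: [CRWC32.EXE] C:\WINDOWS\SYSTEM\CRWC32.EXE
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")          # "O4 - ..." prefix
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")            # "[key name] command"
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\(?:[^\\/]+\\)*)?([^/\\]+\.dll)", re.I)

def flag_line(line):
    """Return a reason if the line matches one of the review heuristics, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    if sec in ("R0", "R1"):
        value = rest.split(" = ", 1)[-1]
        if value.lower().startswith("res://"):
            return "IE start/search page redirected into a DLL resource"
    elif sec == "O2":
        if rest.endswith("(no file)"):
            return "BHO registered but its file is missing"
        if "(no name)" in rest and re.search(r"C:\\WINDOWS\\[^\\]+\.DLL$", rest, re.I):
            return "unnamed BHO loaded straight from C:\\WINDOWS"
    elif sec == "O4":
        rm = RUN_RE.search(rest)
        if rm:
            name, cmd = rm.group("name"), rm.group("cmd").strip('"')
            exe = cmd.split("\\")[-1].split(" ")[0]          # basename of the command
            if name.upper().endswith(".EXE") and name.upper() == exe.upper():
                return "autorun whose key name is just its own filename"
    return None

def triage(log_text):
    """Return [(section, reason, line)] for every flagged line, in log order."""
    hits = []
    for line in log_text.strip().splitlines():
        reason = flag_line(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line.strip()))
    return hits

def hijack_dlls(log_text):
    """Set of DLL basenames that IE's start/search pages are pointed at via res://."""
    return {m.group(1).lower() for m in RES_DLL_RE.finditer(log_text)}
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample lines, and `hijack_dlls` reduces the scattered res:// entries to the single file name (pvanw.dll) to look for on disk.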
     
  2. TJSmoov

    TJSmoov Private E-2

    Yea, I am having the same problem. I tried Ad-Aware, Spybot S&D and neither stopped the problem. They both found a bunch of problem .dll's and .exe's but after erasing them, the problems come back with new names. I have looked around and found nothing that could specifically help me. I have tried changing the registry but every time the problems just keep coming back. Any help would be really appreciated. I've been working on this for a few days now.
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Read before posting, please; this is covered in 100 other threads. First bet: system restore.
     
