popups at startup, and about:blank - please review log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by halioris, Nov 14, 2004.

  1. halioris

    halioris Private E-2

    I have followed the guide on getting rid of spyware without success. I tried posting what I did and waiting for someone to request the hjt logfile, but that has not happened. Hence, I am posting this in hopes that someone will look at it and tell me what is wrong.

    Basically I keep getting an IE window that pops up when I boot the computer. I also see random popups that very briefly show about:blank in the title bar before they change.

    A third item that may or may not be related. When I boot I get the following message now: C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to terminate the application.

    I appreciate any help.
     

    Attached Files:

  2. PhilliePhan

    PhilliePhan Guest

    Hi Halioris,

    You have a few difficult issues in your log. You are also running HijackThis Improperly! You MUST move it to its own safe folder - C:\Program Files\HijackThis

    Once you have done the above, please run the following tools:

    a-squared (a²) Free edition

    http://downloads.subratam.org/PeperFix.exe

    Then, attach a fresh HJT log. I will try to check back when I get a chance.
    You should know that there are only a few of us Spyware Forum regulars who try to respond to posts for help. We have lives, jobs, and families that occupy a lot of our time. So, if it feels like we are ignoring you, don't take it personally ;)

    Best,
    PP
     
  3. halioris

    halioris Private E-2

    PP,
    Thanks for the response. I downloaded and ran the two tools you suggested, moved HijackThis into c:\Program Files and ran it again. The log file is attached. Appreciate your help.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Halioris,

    It looks like the Peper Trojan is still there. Please run PeperFix again. Also, try this http://www.memorywatcher.com/uninst.exe

    Please look in Add or Remove Programs for any of the following and uninstall them if found:

    WebSearch Toolbar
    WebSearch Tools
    Search Assistant
    Win-Tools Easy Installer


    Also, use Windows Explorer to run a search of your computer for ClickSpring or PurityScan and let me know what you find.

    Then, rescan with HijackThis and attach that log.

    You have a number of iffy O16 log entries and one iffy BHO that I may leave alone. They seem to be NetZip related - I don't know if you'd like to keep them or flush them. Any thoughts?

    Anyhoo, do the above, let me know what you find and send me a new log. . .and we'll deal with the rest of the baddies ;) I'll check back when I can.

    Best,
    PP
     
  5. halioris

    halioris Private E-2

    PP,
    Did not find any of the programs listed in Add/Remove. I believe I ran HijackThis last time before I removed the files found by PeperFix. In any event I ran it again and it detected no files. Ran HijackThis again and attached new log file.

    I searched for ClickSpring and PurityScan as you suggested. Found no ClickSpring files. I did find PurityScan.zip, PurityScan1.zip, and PurityScan2.zip in the C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery folder.

    As for the BHOs, what is the iffy one? I don't know about the ifi.dll, nzdd.dll, or the (no file) entry. I saw a recommendation to delete the nzdd.dll file at http://forums.maddoktor2.com/index.php?showtopic=1433. Should I do this? I'm open to suggestions here.

    As for the O16s, let's go through them. A general question is what happens if I remove them? I've not used HijackThis before. For example, I use a web version of PVCS Tracker over VPN for work. If I removed the entry from HijackThis would it still work, would it download again, or would it cause problems? If things would just be forced to be downloaded again I have no problem deleting them. Anyhow, here are my comments:

    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.103/2434e03673a131cc4202/netzip/RdxIE.cab

    don't know what netzip is???

    O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-Net Client for MSIE) - http://kylousvrpa002/trackdoc/trkpm660ie.cab

    used for PVCS Tracker web version

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

    obviously a QuickTime thing

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16eb34640beac7779905/netzip/RdxIE2.cab

    again, don't know what netzip is?

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    I have Norton Anti-Virus, guessing this is from them or the online scan?

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    must be from the recommended scan I did there

    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

    I believe this was another recommended online scan

    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab

    Don't have a webcam anymore, not sure what this is?

    O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab

    Probably from Quicken or QuickBooks which I have

    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll

    ???

    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
     
  6. halioris

    halioris Private E-2

    PP,
    Sorry, forgot the log file. Here it is.
     

    Attached Files:

  7. PhilliePhan

    PhilliePhan Guest

    Hi Halioris,

    Sometimes it is hard to tell what items people want to keep, namely O16s in HJT. I should probably adopt a Flush it All attitude - People will keep or put back the stuff that they want.

    Looks like SpybotSD was doing its job. You should probably delete any remnants of PurityScan.

    Wasn't sure about this BHO - C:\WINNT\System32\nzdd.dll - I included it to be flushed.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them if found:
    oeet.exe
    r?ndll32.exe
    Bwd0m.exe

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {6AAE3722-C847-2F99-D503-64550DF37945} - C:\WINNT\system32\ifi.dll

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll

    O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Bwd0m.exe

    O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\chalioris\Application Data\oeet.exe

    O4 - HKCU\..\Run: [Dvb] C:\WINNT\system32\r?ndll32.exe

    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.103/2434e03673a131cc4202/netzip/RdxIE.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16eb34640beac7779905/netzip/RdxIE2.cab

    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab

    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll


    Again, make sure All Browser Windows are Closed when you Click FIX

    Now boot into Safe Mode and, DELETE the following if they remain:
    C:\WINNT\system32\ifi.dll
    C:\WINNT\system32\Bwd0m.exe
    C:\WINNT\system32\r?ndll32.exe
    C:\Documents and Settings\chalioris\Application Data\oeet.exe
    C:\Program Files\Toolbar < - - - -The folder
    C:\WINNT\System32\nzdd.dll

    Reboot to Normal Windows and Scan with HijackThis and attach a fresh log. Let me know if you ran into any problems with the above instructions.
    Sorry about taking so long to get back to you.

    Best luck :)
    PP
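The checks PP applies by eye to the log above (orphaned or unnamed BHOs, Run entries launching from a user's Application Data folder or under random-looking value names, a file named one character off from rundll32.exe, an IE search setting pointed at a res:// resource inside a toolbar DLL, and O16 ActiveX downloads served from a bare IP address rather than a vendor host, the distinction halioris was asking about in post 5) can be written down as a small triage script. The following is an added example, not code from this thread, from MajorGeeks or from HijackThis; the sample log is constructed from the entry formats quoted in posts 5 and 7, the heuristics and the lookalike list are assumptions of this example rather than anything HijackThis itself implements, and a line not flagged here (nzdd.dll, the Symantec and HouseCall scanners) only means none of these particular checks fired.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis entries quoted in this
# thread; it is not one of the attached logs.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6AAE3722-C847-2F99-D503-64550DF37945} - C:\WINNT\system32\ifi.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Bwd0m.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\chalioris\Application Data\oeet.exe
O4 - HKCU\..\Run: [Dvb] C:\WINNT\system32\r?ndll32.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.103/2434e03673a131cc4202/netzip/RdxIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
""".strip()

# Line formats handled; any other HijackThis section is ignored by this example.
PATTERNS = {
    "R1": re.compile(r"^R1 - (?P<key>.+?) = (?P<value>.*)$"),
    "R3": re.compile(r"^R3 - (?P<text>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"),
}

# System binaries that malware names commonly imitate (assumed list for this example).
LOOKALIKE_TARGETS = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe")


def parse_line(line):
    """Return (section, fields) for a recognised HijackThis line, else None."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None


def lookalike_of(filename):
    """Return the system binary that filename differs from by exactly one
    character (e.g. r?ndll32.exe vs rundll32.exe), or None."""
    name = filename.lower()
    for target in LOOKALIKE_TARGETS:
        if len(name) == len(target) and sum(a != b for a, b in zip(name, target)) == 1:
            return target
    return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage_entry(kind, f):
    """Apply the thread's rules of thumb to one parsed entry; return reasons."""
    reasons = []
    if kind == "R1" and f["value"].lower().startswith("res://"):
        reasons.append("IE search setting redirected into a local DLL resource (res://)")
    elif kind == "R3" and "missing" in f["text"].lower():
        reasons.append("default URLSearchHook has been removed or replaced")
    elif kind == "O2":
        if f["path"] == "(no file)":
            reasons.append("BHO registration whose DLL no longer exists (orphan)")
        if f["name"] == "(no name)":
            reasons.append("BHO registered without a name")
    elif kind == "O4":
        cmd = f["cmd"].strip('"')
        value = f["value"]
        if "\\application data\\" in cmd.lower():
            reasons.append("startup entry runs from a user profile data folder")
        if (re.fullmatch(r"[A-Z0-9]{10,}", value)
                and any(c.isdigit() for c in value) and any(c.isalpha() for c in value)):
            reasons.append("random-looking Run value name")
        target = lookalike_of(basename(cmd))
        if target:
            reasons.append(f"filename is a one-character lookalike of {target}")
    elif kind == "O16":
        host = urlparse(f["url"]).hostname or ""
        try:
            ip_address(host)  # raises ValueError for a normal hostname
            reasons.append("ActiveX download served from a bare IP address")
        except ValueError:
            pass
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every parsed entry that tripped a check."""
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            reasons = triage_entry(*parsed)
            if reasons:
                flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the constructed sample it flags the eight lines PP told halioris to fix and stays quiet on nzdd.dll, the Symantec scanner and the HouseCall control, which is the point: a script like this only narrows the list, and an entry it does not flag still has to be judged the way PP did, by whether the owner recognises the program behind it.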
     
  8. halioris

    halioris Private E-2

    PP,

    Ended processes as suggested.
    Ran HijackThis and checked those options you listed that were there. Note that the Bwd0m.exe was not in the scan.
    Then rebooted to safe mode to remove files. Removed those that were there. Note that ifi.dll, Bwd0m.exe, and r?ndll32.exe were not there, and the C:\Program Files\Toolbar folder was not there. I have since rebooted and scanned again and attached the log.

    I'm off to work so I can't tell whether the popups are gone or not. Only tried moving around the web a little and got a popup when going to cnn.com (not sure if that is driven by CNN or not). I'll post back tonight when I get home and use the internet to see how we're doing. Thanks for all the help so far, and let's hope this is the end of it.
     

    Attached Files:

  9. PhilliePhan

    PhilliePhan Guest

    Hi Halioris,

    I do not see anything particularly nasty in your log, though I always wonder what might tag along with Party Poker ;) (Maybe nothing . . . Who knows?)

    Let me know how things are running when you have more time to put your machine through its paces.

    PP
     
  10. halioris

    halioris Private E-2

    PP,
    What do you know about 180 Search Assistant? I know it was supposed to be removed with some of the spyware programs I ran. In Add/Remove I see an entry titled "Uninstall 180searchAssistant". I'm wondering if that is the bad program and I should remove that, or is it a program to Uninstall 180 that was put on by one of the spyware programs? I searched the registry and found a 180ax key in HKEY_LOCAL_MACHINE->SOFTWARE->Microsoft->Windows->Current Version->Uninstall. Is all this ok?

    So far I've gotten a few popups here and there, but not nearly the frequency with which I was getting them. I also removed PartyPoker just in case...
     
  11. PhilliePhan

    PhilliePhan Guest

    Hi Halioris,

    I would go ahead and Uninstall 180 Search Assistant (if there is anything left of it to uninstall) - I didn't see any trace of it in your last log. Of course, I could have missed something ;) You might want to Internet Update Ad-aware and Spybot and run them again. It couldn't hurt.

    Please do a fresh scan with HijackThis and attach that log and let's see if anything pops out at us!

    Best :)
    PP
     
