URGENT HELP NEEDED!! some spyware or virus or aggressive advertisement problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by hithere, Jul 5, 2004.

  1. hithere

    hithere Staff Sergeant

    Problem:

    For the last few days, I encountered a frustrating problem whenever I surf the web. I'm surfing the web, when all of a sudden (when I click on any link) the webpage changes into a red colored background page that says:

    "WARNING : Spy Ware Found !!!
    search ...Spy+Software ... wait"

    or

    "WARNING : Spy Ware Found !!!
    search ...Spyware+Nuker ... wait"

    or

    "WARNING : Spy Ware Found !!!
    search ...Remove+Spyware ... wait"

    or other stuff like that. After a few seconds, that page disappears to be replaced by search results that provide links to various spyware and adware removers. The frustrating thing is that I never searched for spyware or adware removers in the first place and THE PAGE OPENS IN THE SAME WINDOW, NOT in a different window (which makes it different from pop-up ads). The most frustrating thing, however, is that I CAN'T HIT THE "BACK" BUTTON and go back to the web page I was visiting earlier. When I hit the "back" button, the page appears again.
    I don't know if it's a spyware problem, a virus or someone trying to advertise "aggressively"...

    What I've tried (but still won't work):
    - installed Spyware and Adware removers like Ad-Aware 6.0, SpywareBlaster and other stuff
    - Meddled around with stuff in the Internet Options
    - Put the frustrating page address in the "restricted sites" hoping that the page can no longer be viewed since it is restricted
    - deleted some files that, I thought, had to do with the problem

    HELP ME!!!!! Can anyone help me solve this problem? I'm gonna owe u one if u can! I'm no pro at computers... :-(

    Some stuff that may be helpful to know:
    - my PC is Windows XP
    - I've downloaded stuff from the internet
    - this problem usually occurs when I check my email.
    - the search results displayed are always from http://kitasearch.com/

    Pls Reply ASAP!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download HijackThis from here: http://www.majorgeeks.com/download3155.html
    Then shut down ALL applications (especially browsers and Win Explorer sessions). Now run HijackThis (from its own directory; do not put it on your desktop or in a temporary folder, which is susceptible to cleanups), save the log and then copy and paste it into your next message.

    By the way, what version of Ad-aware (version and build number) and what reference file version do you have?
     
  3. hithere

    hithere Staff Sergeant

    Thanks! That was quick! I downloaded HijackThis and here is the log:

    Logfile of HijackThis v1.98.0
    Scan saved at 12:36:54 PM, on 7/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
    C:\WINDOWS\System32\prcube.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search200.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tripadvisor.com/NewsletterPopunder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\alfmbk09kiae7n.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: Bib Spam - {A53457B1-43E9-28F1-6ECC-54458C593835} - C:\PROGRA~1\MEOWDR~1\Hold Axis.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [Proxy book] C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [imghubvgkhfd] C:\WINDOWS\System32\prcube.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\msero.dll


    Well, the Ad-Aware I downloaded is a free version. It says: Ad-Aware 6.0 Personal, Build 6.181. Does that answer your question? And I'm not sure what u mean by the reference file version...

    Thanks again!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Reference File version is listed right on the main screen under the title "Initialization Status". If you do not have 01R327 05.07.2004, you are not current.

    Remember I asked you not to put HijackThis in a temp folder. Look where you put it:
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm starting to look at your log. Do you need WildTangent? Do you play this online games stuff? Bad idea!! If you don't need it, go to Add/Remove Programs and uninstall all their stuff (could be 3 or 4 items in there). After uninstalling all of them, reboot.

    You have other stuff I see needing cleaning too. I'm working on it.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of bad stuff in here. Is your virus scanner up to date and have you run a full scan lately?

    Please run these online scans and let them fix what they find:

    http://housecall.trendmicro.com/housecall/start_corp.asp <--- select Auto Clean
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Also download and run these:
    http://www.majorgeeks.com/download4063.html
    http://www.majorgeeks.com/download4188.html

    Also, download and run this:
    http://www.memorywatcher.com/uninst.exe

    After doing the above, reboot and then post a new HijackThis log.
     
  7. hithere

    hithere Staff Sergeant

    The reference file version is 01R298 20.04.2004 so I guess it's not updated. I've removed all the WildTangent games because I never played them anyway, but I couldn't remove one that said "WildTangent Web Driver" (at Add/Remove Programs), I don't know why. Then I rebooted.
    Then I ran the two online scans. In the first one they found 68 problems and I deleted all but 2. The 2 problems couldn't be deleted; it said that they were currently in use. The same goes with the second one: all but 2 were disinfected. I'll do the rest of the things u told me to do tomorrow coz it takes a lot of time...
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to get your Ad-aware up to date. This is very important. Notice in your first message you said:
    "- installed Spyware and Adware removers like Ad-Aware 6.0,"

    Download, install, UPDATE, and run the latest Ad-aware. Get it here: http://www.majorgeeks.com/download506.html

    One of the first things we always say is "make sure you are up to date".

    What were the two problems that could not be fixed because they were running? You may need to run some scans again in safe mode and possibly shut some items down manually first.

    You should not wait when doing scans like this. You should do them all one after the other. Otherwise you risk possible re-infections if everything is not cleaned up.
     
    Last edited: Jul 6, 2004
  9. Kodo

    Kodo SNATCHSQUATCH

    Doing the scans in safe mode may help in cleaning the 2 locked processes, or you can set them to scan at boot.
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    A friend had this recently, where it made his whole background black except about 75% centered, which was that spyware ad. It was a pain to remove until I remembered to check the desktop properties. Everything else was removable via Ad-Aware and HijackThis. So check this just in case:

    Right click on your desktop and select properties
    Click Desktop tab, customize desktop button, then web tab

    My Current home page SHOULD be unchecked unless you're using your home page as a background. Ugh.

    Check the box that says lock desktop items
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kodo, I think the scans that were mentioned are the TrendMicro and the PandaSoftware online scans. I don't think they run in safe mode. hithere did not get to the other scans yet and still needs to update to a current Ad-aware before continuing.
     
  12. Kodo

    Kodo SNATCHSQUATCH

    Thought he was scanning with anti-spyware software..

    so let me rephrase.. You can scan with Ad-aware and or spybot in safe mode or at boot.
     
  13. hithere

    hithere Staff Sergeant

    Chaslang, I finished doing all the list of things u told me. I did them one after the other like u said. There were no viruses found according to the 2 online scans. I've also downloaded the latest version of Ad-Aware and here is the new HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 6:58:47 PM, on 7/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
    C:\WINDOWS\System32\prcube.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Documents and Settings\Owner\My Documents\Lu Mon\hijackthis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search200.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tripadvisor.com/NewsletterPopunder
    R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\alfmbk09kiae7n.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: Bib Spam - {A53457B1-43E9-28F1-6ECC-54458C593835} - C:\PROGRA~1\MEOWDR~1\Hold Axis.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [Proxy book] C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [imghubvgkhfd] C:\WINDOWS\System32\prcube.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\msero.dll

    Major Attitude, the "My Current Homepage" was already unchecked and the "lock desktop items" was also already unchecked too. Thanks anyway! And Kodo, the two viruses (or whatever they were) are cleared now so no problem.. :)
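    Added example (my own code, not HijackThis's and not from anyone in this thread): a small parser for the R/O entry lines in the two logs above. It diffs the July 5 and July 6 scans, so the changes hithere's scans produced show up without reading 80 lines twice, and it flags the kinds of entries chaslang lists for removal later in the thread: components whose file is gone, browser settings pointing at hosts outside an allowlist, and Run/Startup items with no full path or living under a random 8.3 short-name folder. The sample entries are quoted from the two logs (trimmed to seven lines each); KNOWN_DOMAINS is an assumed allowlist built from the HP/Google/Yahoo defaults visible in the log, and the triage rules are mine. The output is a list of candidates to look at, not a verdict.

```python
"""Parse HijackThis log entries, diff two scans and flag entries worth a look.

Added example for this thread, not HijackThis code; triage heuristics are my own.
Sample entries are quoted from the July 5 and July 6 logs posted above (trimmed).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOG_JUL5 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\alfmbk09kiae7n.dll
O4 - HKLM\..\Run: [Proxy book] C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: winlogin.exe
"""

LOG_JUL6 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\alfmbk09kiae7n.dll (file missing)
O4 - HKLM\..\Run: [Proxy book] C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: winlogin.exe
"""

KNOWN_DOMAINS = {"hpwis.com", "google.com", "yahoo.com"}  # assumed allowlist (vendor defaults in the log)
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")       # "<section> - <body>"
HOST_RE = re.compile(r"^(?:https?://)?(?:www\.)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")
SHORTNAME_RE = re.compile(r"[A-Z0-9_]{1,6}~\d+", re.IGNORECASE)  # 8.3 folder names like ITCHWA~1


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


def parse_log(text: str) -> List[Entry]:
    """Keep only the R0-R3/Onn entry lines; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(old_text: str, new_text: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that disappeared and entries that appeared, in log order."""
    old, new = parse_log(old_text), parse_log(new_text)
    old_set, new_set = set(old), set(new)
    return [e for e in old if e not in new_set], [e for e in new if e not in old_set]


def _host_of(body: str) -> Optional[str]:
    if " = " not in body:
        return None
    m = HOST_RE.match(body.split(" = ", 1)[1].strip())
    return m.group(1).lower() if m else None   # "localhost" has no TLD -> None


def _o4_target(body: str) -> str:
    """Image path of an O4 entry, without surrounding quotes."""
    if "] " in body:
        target = body.split("] ", 1)[1]
    elif " = " in body:
        target = body.split(" = ", 1)[1]
    else:
        target = body.split(": ", 1)[1]
    target = target.strip()
    return target[1:].split('"', 1)[0] if target.startswith('"') else target


def flag(entry: Entry) -> Optional[str]:
    """Reason this entry deserves a look, or None. Candidates, not verdicts."""
    body = entry.body
    if "(no file)" in body or "(file missing)" in body:
        return "registered component whose file is gone"
    if entry.section in ("R0", "R1"):
        host = _host_of(body)
        if host and not any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
            return "browser setting points at unexpected host " + host
        return None
    if entry.section == "O4":
        target = _o4_target(body)
        if "\\" not in target:
            return "startup item with no full path"
        dirs = target.split("\\")[:-1]
        if any(SHORTNAME_RE.fullmatch(d) and d.upper() != "PROGRA~1" for d in dirs):
            return "startup item under a short-name directory"
    return None


def triage(text: str) -> List[Tuple[Entry, str]]:
    return [(e, r) for e in parse_log(text) if (r := flag(e))]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_JUL5, LOG_JUL6)
    print("gone since July 5:", *(f"  {e.section} - {e.body}" for e in removed), sep="\n")
    print("new on July 6:", *(f"  {e.section} - {e.body}" for e in added), sep="\n")
    for e, reason in triage(LOG_JUL6):
        print(f"{e.section:<3} {reason}: {e.body}")
```

    On the sample, the diff shows the ProxyOverride entry gone and the BHO now marked "(file missing)" (the DLL was removed but its registration was not), plus the new Search Page hijack. The allowlist check deliberately stays conservative: a setting is only flagged when its host is outside the allowlist, so "localhost" and google.com pass.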
     
  14. hithere

    hithere Staff Sergeant

    I meant: the "My Current Homepage" was already unchecked and the "lock desktop items" was checked in my previous message...
     
  15. hithere

    hithere Staff Sergeant

    Chaslang, I just realized that the new Ad-Aware I downloaded is the same as the one I had before (Reference Number : 01R298 20.04.2004).

    And I found more wildtangent files which i deleted. <|^_^|>

    And about the last one on the list that u told me to do (download and run: http://www.memorywatcher.com/uninst.exe), I forgot to tell u that I don't think it got installed. Halfway through installing, the progress bar stopped moving and the window closed. I tried downloading/installing again and again but it still won't work.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must be having a problem downloading Ad-aware's updated reference lists. Download from MG's and then unzip the file into "c:\program files\Lavasoft\Ad-aware 6", overwriting the file. Then stop Ad-aware if running and restart it. Check the reference list version now.

    How did WildTangent come back? Did you not get it completely uninstalled the first time?

    This link (http://www.memorywatcher.com/uninst.exe) downloads a file. Then when you double click on it to run, it does not do an install; it is trying to clean the Peper trojan from your PC. Try it again, but first bring up Task Manager (CTRL-ALT-DEL) and see if you can find anything like the below running. If so, shut them down and then run the uninst.exe file:
    C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
    C:\WINDOWS\System32\prcube.exe
    C:\WINDOWS\System32\sysstartup.exe
    If you see any WildTangent stuff, shut them down too!


    Here is a whole load of more things to fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search200.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tripadvisor.com/NewsletterPopunder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\alfmbk09kiae7n.dll
    O3 - Toolbar: Bib Spam - {A53457B1-43E9-28F1-6ECC-54458C593835} - C:\PROGRA~1\MEOWDR~1\Hold Axis.dll
    O4 - HKLM\..\Run: [Proxy book] C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [imghubvgkhfd] C:\WINDOWS\System32\prcube.exe
    O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Global Startup: winlogin.exe

    Now reboot in safe mode:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    and delete the following (if they still exist):

    C:\WINDOWS\System32\alfmbk09kiae7n.dll <---- remove this file
    C:\PROGRA~1\ITCHWA~1 <---- remove this directory (which will get rid of "Heck Bows.exe")
    C:\Program Files\WildTangent <---- remove this directory
    C:\WINDOWS\System32\prcube.exe <---- remove this file
    C:\WINDOWS\System32\sysstartup.exe <---- remove this file
    C:\windows\winlogin.exe <---- remove this file (not sure where it is, you may have to look in c:\windows\system32 or c:\windows\system, or c:\)

    Now Start Microsoft Internet Explorer. In Internet Explorer, click Tools -> Internet Options.
    Click the Programs tab -> Reset Web Settings. Now set your home page to something useful like www.majorgeeks.com

    If you have gotten the updated Ad-aware references installed, run a scan now in safe mode and clean what it finds.

    Reboot in normal mode and let's see how things look. Post a new HijackThis log.

    FYI Notes: winlogin - Process Information
    Description: Added to the system as a result of the RANDEX.E VIRUS! which is an Internet Relay Chat (IRC) Trojan Horse that allows its creator to control a computer by using IRC. It is also a worm that can use the DCOM RPC vulnerability to spread itself.
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes

    Also see W32.Randex.E at: http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html
     
  17. hithere

    hithere Staff Sergeant

    I got the latest Ad-aware thanks to u! WildTangent is gone now.. for sure. I'm not sure if the memory watcher worked but I did like what u said.. I've fixed all the stuff u told me in HijackThis. But "O4 - Global Startup: winlogin.exe" couldn't be fixed (it said it was currently in use). So I tried to "end task" in Windows Task Manager but couldn't find the file. HERE'S MY QUESTION (the reason I'm writing this): I found "winlogon.exe", is that the same as "winlogin.exe"? The same goes when I used safe mode: I couldn't find winlogin.exe but could find winlogon.exe...
    And in safe mode I also couldn't find:
    C:\WINDOWS\System32\alfmbk09kiae7n.dll and
    C:\WINDOWS\System32\sysstartup.exe
    Maybe they were already removed..

    Should I delete winlogon.exe?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!!! winlogon.exe is part of your Windows OS. We need to try to find what name this process is using when running. See if you can find with Task Manager something like:
    nstask32.exe
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  20. hithere

    hithere Staff Sergeant

    Yes, the hidden files and folders were displayed when I searched, and no, I couldn't find nstask32.exe. Something similar is mmtask.exe but I have a feeling that's not it. There were none with "32.exe" at the end.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go here and download Process Explorer: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

    Click on the link at the bottom that says:

    Download Process Explorer (x86 - 230 KB) - you plan on using Process Explorer on WinNT/2K/XP

    I would recommend making a directory like c:\sysinternals and putting it in there because they have a load of other useful items you may need some day too.

    Then shut all unnecessary applications down and run Process Explorer (you need to unzip it into the directory). Then click File and Save As; this will allow you to save the process list to a default file name called Procexp.txt. Post that file into your next message.
     
  22. hithere

    hithere Staff Sergeant

    Here's the stuff u asked for. I've got no idea how u read this stuff!

    Process PID CPU Description Company Name
    System Idle Process 0 71
    Interrupts n/a Hardware Interrupts
    DPCs n/a 2 Deferred Procedure Calls
    System 4
    smss.exe 372 Windows NT Session Manager Microsoft Corporation
    csrss.exe 604 3 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 628 Windows NT Logon Application Microsoft Corporation
    services.exe 672 Services and Controller app Microsoft Corporation
    svchost.exe 860 Generic Host Process for Win32 Services Microsoft Corporation
    msmsgs.exe 2276 Messenger Microsoft Corporation
    svchost.exe 944 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1056 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1068 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 1364 Spooler SubSystem App Microsoft Corporation
    ccEvtMgr.exe 1396 Event Manager Service Symantec Corporation
    alg.exe 1544 Application Layer Gateway Service Microsoft Corporation
    CTSVCCDA.EXE 1560 Creative Service for CDROM Access Creative Technology Ltd
    Navapsvc.exe 1592 Norton AntiVirus Auto-Protect Service Symantec Corporation
    omniServ.exe 1656
    wanmpsvc.exe 1804 Wan Miniport (ATW) Service America Online, Inc.
    MsPMSPSv.exe 1864 WMDM PMSP Service Microsoft Corporation
    lsass.exe 684 LSA Shell (Export Version) Microsoft Corporation
    OPXPApp.exe 1948
    explorer.exe 496 Windows Explorer Microsoft Corporation
    hpsysdrv.exe 1580 hpsysdrv Hewlett-Packard Company
    hkcmd.exe 1668 hkcmd Module Intel Corporation
    kbd.exe 1696 KBD EXE Hewlett-Packard Company
    realsched.exe 1712 RealNetworks Scheduler RealNetworks, Inc.
    rnathchk.exe 148 RealNetworks ATH Check App RealNetworks, Inc.
    ccApp.exe 1760 Common Client CC App Symantec Corporation
    mmtask.exe 2016 TODO: <File description> TODO: <Company name>
    hpztsb08.exe 164 HP
    MSBNTray.exe 2192 Microsoft Broadband Networking Tray Application Microsoft Corporation
    FINDFAST.EXE 2216
    OSA.EXE 2224
    SpamSubtract.exe 2232 SpamSubtract interMute, Inc.
    exec.exe 3884 ZCast NetZero
    procexp.exe 3332 25 Sysinternals Process Explorer Sysinternals

    Process: Procexp Pid: -2

    Type Name
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot find anything bad in the process list. Please try rebooting in safe mode.
    Then run HijaakThis and try to fix the below line:
    O4 - Global Startup: winlogin.exe

    Then while in safe mode try to find that file. As I said before, not sure where it may be. Try:
    c:\winlogin.exe
    c:\windows\winlogin.exe
    c:\windows\system\winlogin.exe
    c:\windows\system32\winlogin.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    If you find it, try to delete it. If it will not let you delete it, try renaming it to something like winlogin.bad.

    After that, reboot in normal mode and post a new HijaakThis log.
     
    Last edited: Jul 9, 2004
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  25. hithere

    hithere Staff Sergeant

    two critical updates were needed: Cumulative Security Update for Outlook Express 6 Service Pack 1 (KB837009) and Update Rollup 1 for Microsoft Windows XP (KB826939). i've downloaded the updates
     
  26. hithere

    hithere Staff Sergeant

    Well, i still can't find that darn winlogin.exe! I searched in safe mode like u said. I even tried searching in the Search companion or whatever u call it (i enabled searching in hidden files and system files too). Where is that file?! maybe it's not there? or is it in a different name? and another thing: when i tried to fix the "O4 - Global Startup: winlogin.exe" in HijackThis, an error message displayed. It said: "An unexpected error has occurred at procedure: cmdFix_Click() Error #75 – Path/File access error".

    But the problem of the "Spyware found" message always appearing has been solved anyway. Plus the problem of the homepage always changing has been solved too... Thanx to u!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Two 1.98 versions of HijaakThis came out. The second one was 1.98 Hotfix but still reads as 1.98.0 in the log. Do you know what version you are using?

    The Hotfix version is 182k 7/2/2004 7:38 am.
     
  28. hithere

    hithere Staff Sergeant

    the version is 1.98.0.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Need you to look at the size, date, and time of the file. The version is the same for both.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you get the error when trying to fix the O4 line in safe mode?

    Did it fix it anyway?
     
  31. hithere

    hithere Staff Sergeant

    No it did not fix and i get the error message in safe mode AND normal mode.

    do u mean i look at the size, date and time of the HijackThis file? where do i find that? in the properties? then it's 181KB. For the date and time, do u mean created/modified date (which is in properties)? then it's Friday, July 02, 2004, 7:38:50 AM.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like the correct HijaakThis version.

    Try clicking Start, Programs, Startup and see if you find winlogin there.

    If so, right click on it and select delete. Tell me what happens.
     
  33. hithere

    hithere Staff Sergeant

    nope, no winlogin. it's like searching for a needle in a haystack... well, almost.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Damn! How about this: click Start, Run, and in the Open box, enter regedit.

    Click on the top line (My Computer) then click Edit, Find, and enter winlogin (without the exe)
    then click Find next. If you find it, you have to note the registry path and send it to me. This path is in the bottom of the registry window.

    If you do find an entry, click F3 to find if there is another. And keep repeating noting the path each time. Do this until the whole registry is searched.
     
  35. hithere

    hithere Staff Sergeant

    2 registry paths found (Hooray!!):

    My Computer\HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

    My Computer\HKEY_USERS\S-1-5-21-3852877488-2966961371-3350961549-1003\Software\Microsoft\Search Assistant\ACMru\5603
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's backup those registry keys and then delete them.

    To back them up, get yourself back to that point in the registry where the full path is shown as above and then click Registry and select Export File. Enter a useful filename without an extension (it will auto add .reg) and save it somewhere that you can easily find it if needed.

    Then while you still have that key selected, right click on it and delete it. Hope this works.
    If it does not work in normal mode, retry in safe mode.

    Do the same for each key.

    How about names like:
    HKCU-SA (it will save as HKCU-SA.reg)
    HKU-SA (it will save as HKU-SA.reg)

    Then reboot after deleting and let's see if the HijaakThis line is gone and see how things are working.
     
  37. hithere

    hithere Staff Sergeant

    sorry for taking so long... i had some network problems. Well, BAD NEWS: i can't get that winlogin out of the HijackThis log! It displayed the same error message. I tried in safe mode and normal mode. And one more thing: I didn't back up both of the "keys". i backed up one and deleted it and when i searched for the next (F3), it said the search was finished. So i started the search again (selecting My Computer) but there was none found again. How come? Anyway, what next??? Oh, and why did i find deleted stuff like WildTangent, bib spam, etc. there (at the Registry Editor)??


    Here is what the score might look like if this was a game:

    winlogin.exe: 10

    VS.

    hithere&chaslang: 0
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you post a new HijaakThis log.

    The reason you see stuff like WildTangent still around after uninstalling is that most programs do a lousy job of cleaning up after themselves. You can always go in and do manual clean up of items you know are off of your computer but you must be careful. You can break everything if you mess up your registry. It is good practice to backup the registry before playing with it. There are tools on MG's in the Registry directory for this.

    A couple more things to do:

    Please download and run CrapCleaner from http://www.majorgeeks.com/download4191.html
    On the Windows tab of CrapCleaner just leave the default settings and click the Run Cleaner button in the lower right corner.

    Now with Windows Explorer go to your c:\windows\Prefetch directory and tell me what you have in there.
     
  39. hithere

    hithere Staff Sergeant

    Crap Cleaner is kinda cool for a weird name.. anyway there are 129 items in c:\windows\Prefetch. what am i looking for? do i have to say everything there is in that directory? Well, here's the new log:

    Logfile of HijackThis v1.98.0
    Scan saved at 7:07:34 PM, on 7/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\My Documents\Lu Mon\hijackthis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [Proxy book] C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{441532A7-2F7B-47C5-846B-761FBCADDE15}: NameServer = 64.136.20.121 64.136.20.133
    O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\msero.dll
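A triage helper for the O4 lines in logs like the one above, added here as an example (not code from this thread or from HijackThis): it parses the Run-key, Startup and Global Startup entry formats, flags entries that HijackThis prints without a path (the bare winlogin.exe case, where the file must be located by hand) or as a bare file name, and uses edit distance to catch names one letter off a Windows system binary, such as winlogin.exe against winlogon.exe. The sample lines, the short SYSTEM_NAMES list and the ".exe"-based splitting of unquoted commands are assumptions made for the example; it cannot recognise known-bad items such as Heck Bows.exe, which still take an analyst.

```python
"""Parse HijackThis O4 (startup) lines and flag entries that deserve a manual look."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format HijackThis 1.98 prints, modelled on the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Proxy book] C:\PROGRA~1\ITCHWA~1\Heck Bows.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""

# Core Windows XP process names that malware likes to imitate (short list, assumed for the example).
SYSTEM_NAMES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe")

O4_RE = re.compile(r"^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\Run|Startup|Global Startup): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class O4Entry:
    location: str            # "HKLM\..\Run", "HKCU\..\Run", "Startup" or "Global Startup"
    name: str                # Run value name, shortcut name, or bare file name
    target: Optional[str]    # executable path, or None when HijackThis shows no path
    findings: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    # Edit distance, used to catch one-letter-off imitations such as winlogin/winlogon.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _target_from_command(cmd: str) -> str:
    """Executable from a Run value: the quoted path, else the text up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def parse_o4(log: str) -> List[O4Entry]:
    entries = []
    for line in log.strip().splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue                 # R0/R1/O2/O8/... lines are ignored here
        loc, rest = m.group("loc"), m.group("rest").strip()
        if loc.endswith("Run"):      # registry Run value: "[name] command"
            r = RUN_RE.match(rest)
            name = r.group("name") if r else rest
            target = _target_from_command(r.group("cmd")) if r else rest
        elif " = " in rest:          # shortcut: "Name.lnk = C:\path\prog.exe" or "Name.lnk = ?"
            name, tgt = rest.split(" = ", 1)
            target = None if tgt.strip() == "?" else tgt.strip()
        else:                        # a file dropped straight into the Startup folder: no path shown
            name, target = rest, None
        entries.append(O4Entry(loc, name.strip(), target))
    return entries


def analyse(entry: O4Entry) -> O4Entry:
    """Attach findings: unresolved path, PATH-dependent bare name, or a system-name lookalike."""
    exe = (entry.target or entry.name).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if entry.target is None:
        entry.findings.append("no resolved path; locate the file in the Startup folder by hand")
    elif "\\" not in entry.target:
        entry.findings.append("bare file name; which copy runs depends on PATH lookup")
    for legit in SYSTEM_NAMES:
        if exe != legit and levenshtein(exe, legit) <= 2:
            entry.findings.append(f"name resembles system binary {legit}")
    return entry


def suspicious_entries(log: str) -> List[O4Entry]:
    """Entries worth a manual look; a clean result is not a verdict that an entry is benign."""
    return [e for e in map(analyse, parse_o4(log)) if e.findings]
```

Feed it the whole log text; only the O4 lines are parsed, and on the sample above it reports AlcxMonitor (bare name), the unresolved Broadband shortcut and winlogin.exe (no path, lookalike of winlogon.exe).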
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    An item I asked you to remove a long time ago is still there. We need to fix this:

    O4 - HKLM\..\Run: [Proxy book] C:\PROGRA~1\ITCHWA~1\Heck Bows.exe

    Now reboot in safe mode and delete the following:
    C:\PROGRA~1\ITCHWA~1 <---- remove this directory (which will get rid of "Heck Bows.exe")

    Did you have a problem trying to locate this? PROGRA~1 is short for PROGRAM FILES. I have no idea what the ITCHWA~1 is short for.

    Also remember the rules of using HijaakThis. Shut down all apps especially browsers!
    See these:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    That's two browser sessions.
     
  41. hithere

    hithere Staff Sergeant

    there was another line similar to C:\PROGRA~1\ITCHWA~1 and i deleted that. i don't know why i failed to see this line. I always shut down all apps when i do the hijackthis scan. But i may have left this MG page open during my last scan (to paste the log in the reply). so i'll do what u said. c u in a couple of minutes...
     
  42. hithere

    hithere Staff Sergeant

    yep i did. i also made it display the system files & folders.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for jumping in anyway Abby!
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Hithere, is that line with Heck Bows.exe fixed now? And make sure it no longer shows in a HijaakThis log!
     
  45. hithere

    hithere Staff Sergeant

    BAD NEWS (oh no!):
    Well, well, well.. it seems like there is a problem… I tried to fix the Heck Brows in HijackThis. It DOESN’T WORK. An error message just like when I tried to fix winlogin.exe appeared. so I tried fixing something else and it doesn’t work either. It turns out that NOTHING can be fixed. Something is wrong with HijackThis. And I’ve already removed Heck Brows in the Windows Explorer a long time ago (I just remembered becos it’s not there now). But Heck Brows is still in HijackThis. Something is wrong… should I reinstall HijackThis?

    So, maybe the whole thing about not being able to fix the winlogin.exe problem is becoz of the corrupted HijackThis...
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, download it from here: http://www.majorgeeks.com/download3155.html

    Unzip it and try running it. If you are going to put it where you had the previous version then delete the old copy first.
     
  47. hithere

    hithere Staff Sergeant

    well, heck brows is gone. but winlogin is still there (program currently in use it said).

    Log:
    Logfile of HijackThis v1.98.0
    Scan saved at 10:48:28 PM, on 7/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Owner\My Documents\Lu Mon\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\msero.dll

    Maybe winlogin is impossible to remove...
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So then I take it that something was wrong with your copy of HijaakThis?
     
  49. hithere

    hithere Staff Sergeant

    U mean my previous HijackThis? Yep...
     
  50. hithere

    hithere Staff Sergeant

    if winlogin can't be found, can it still affect the computer? is it still dangerous? i mean, it's some sort of virus or something, right?
     
