Help !

Discussion in 'adware, spyware & hijack cleaning' started by Rudders, Dec 4, 2003.

Thread Status:
Not open for further replies.
  1. Rudders

    Rudders Guest

    hope this is the right thread - Apologise if it aint :oops:

    Mate has this problem http://www.symantec.com/avcenter/venc/data/adware.dynamic.html

    he`s followed all the instructions on how to remove it , but to no avail .. The Problems being

    1:- he`s now got a new and unwanted search engine , going FRom MSN to Yougoo (gawd knows what that is :eek:)

    2:- he cannot connect to his HomePage , he doesn`t think he`s lost all connectivity , because he`s under the impression that his WinMix is still running in the Background

    3:- he also had an item placed on his DeskTop *Hot Kiss* he said he`s deleted that

    any suggestion ... Pleeez
    Thanx in advance - Rudders :cool:
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Rudders, welcome :)

    Can you please download HijackThis and post a log here?

    HijackThis

    Open -> doubleclick hijackthis.exe -> scan -> save log as a .txt file and copypaste the complete contents here. We'll be glad to have a look.

    You can save hijackthis.exe on a floppy disk and run it from your mate's PC.

    Thanks!

    Cheers,
     
  3. Rudders

    Rudders Guest

    you couldn`t post the Url for that could ya , Mate , coz i`m actually doing this for a mate :cool:
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
  5. Rudders

    Rudders Guest

    "Click on HijackThis in his post and you will see it downloads " yeah , i realised that :p but he`s in a totally different city to me, so i was thinking of passing the Url on - you gave it me now anyroad , so lets get this ball rolling :D next time i visit will be tonight , sometime :cool:

    Ta - Rudders
     
  6. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi rudders,

    Yea it was hyperlinked, sorry about that.

    I thought it would be easier if you downloaded HijackThis and extract it on a floppy disk, so the hijackthis.exe is on it. Then take that floppy to your mate's PC and run HijackThis from a:/

    Just in case your mate isn't able to dl HT or some spyware redirection doesn't allow you to the download URL. I'm probably too paranoid, but i talk from experience that I regret not taking my floppy with me when I clean a system somewhere :cool:

    Keep us posted!

    Cheers,
     
  7. Rudders

    Rudders Guest

    just in case you`d thought i`d forgotten about ya , thought i`d pop by and give you the latest ;) in the end i had to e-mail him Hijac lol because his floppy disk wasn`t working at work , i`ve mailed it him anyhoo , whether or not he`s received it is another story , because , as i stated in my first post , he`s not 100% sure whether or not he`s connected :'( .

    Right then , that's you up to speed :D but while we`re waiting for him , lets fear the worst , shall we , and lets say he`s totally lost his Inter Net Connection , is there owt else he could try - which i could pass on to him tomorrow say .. do remember tho , this will only go into action if Plan A. fails :eek: Plan A. being me coming back on here with that Hijac thingy ma jig list

    The Very Grateful - Rudders :cool:
     
  8. Rudders

    Rudders Guest

    here you go :cool:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:58:09, on 04/12/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)


    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\MY DOCUMENTS\MY RECEIVED FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\TEMP\VTAgentReboot.exe
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Reboot.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.555162037
    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Rudders,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\TEMP\VTAgentReboot.exe
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL

    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

    Reboot and delete:
    C:\WINDOWS\NEM214.DLL

    Regards,

    Pieter
     
  10. Rudders

    Rudders Guest

    Cheers Matey :cool: will pass this info on
     
  11. Rudders

    Rudders Guest

    just had this back from him

    running hijack this? ticking the little boxes and deleting the files.
    I need to copy a copy of Isp.dll across

    and then after restarting i need to delete
    C:\Windows\NEM214.DLL
    IS that right?


    is he correct ?

    The ever increasingly grateful - Rudders :D
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Check the boxes before the lines I posted, make sure all other windows are closed before clicking Fix checked.

    Then restart the computer and delete C:\Windows\NEM214.DLL

    No additional action is required for the lsp.dll

    Regards,

    Pieter
     
  13. Rudders

    Rudders Guest

    just had this off him

    Well what happens to ISp.dll then o_O?
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    HijackThis will remove it from the winsock stack.

    Note: now I see why the worries. It is not ISP.dll but lsp.dll
    Not put there by your ISP but by spyware.

    Regards,

    Pieter
     
  15. Rudders

    Rudders Guest

    Cheers Pieter :cool: just a quicky this time ..he would like to know

    .. what lsp.dll does?
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Rudders,

    It hijacks the winsock and is part of this: http://www.doxdesk.com/parasite/ShopAtHomeSelect.html

    Regards,

    Pieter
     
  17. Rudders

    Rudders Guest

    Ta Muchly Pieter :cool:

    i`ll let you know how he gets on - it`ll be sometime over the weekend

    Rudders
     
  18. Rudders

    Rudders Guest

    weh`hay Pieter , tiz now sorted :D :cool:

    Thanx for your time & effort mate , tiz truly Appreciated

    a very happy Rudders and an even happier Friend of Rudders lol ta :cool:
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Rudders,

    That's great news. :)

    Glad we could help.

    Regards,

    Pieter
     