More "Second Thought" Trouble

Discussion in 'adware, spyware & hijack cleaning' started by infuryum, May 16, 2004.

Thread Status:
Not open for further replies.
  1. infuryum

    infuryum Registered Member

    May 16, 2004
    Keller, TX
    I've searched and I've followed everything which was said in this thread by Pieter and in this thread which shows very detailed instructions by Derek (dvk01). I've followed everything to the letter and I still get the "Second Thought" popup when I try to run Windows Media Player.

    The only difference is that I can't update WinMP because this is on my work computer and I'm not an administrator. Even though all the proper files and folders were deleted and Spybot and Ad-Aware were run, it still won't load the program and it re-installs the "installer" and "temporary" folders containing the "id53.exe" and "stcterms.html" files.

    Here's the kicker: Four files and registry keys will NOT be fixed by Spybot, even when started in Safe Mode. They are the "Alexa Related" file, a "CoreMetrics" tracking cookie, the "DSO Exploit" and "Windows Media Player" registries.

    Alexa Related: What's related link (Replace file, fixing failed)

    CoreMetrics: Tracking cookie or cookie of tracking site (File, fixing failed)
    C:\Documents and Settings\Default User\Cookies\image@data.coremetrics[2].txt

    DSO Exploit: Data source object exploit (Registry change, fixing failed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    Windows Media Player: Client ID (Registry change, fixing failed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

    Ad-Aware doesn't even find them. I'm using Spybot version 1.2 with full updates. Version 1.3 is set up differently and won't allow itself to be installed on my network machine without Administrator rights. I'll post my HiJackThis log below. Any ideas?

    Thanks for your help. :)


    Logfile of HijackThis v1.97.7
    Scan saved at 5:02:34 PM, on 5/16/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\LivePerson\hc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Neiman Marcus
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Avaya_DSI] c:\program files\avaya\dsi\dsimarquee.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Eventlog] C:\WINNT\Winupdate.exe
    O4 - Startup: LivePerson.lnk = C:\Program Files\LivePerson\hc.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
    O16 - DPF: {3E82AD03-5696-11D3-80E1-0008C773BE28} (RSRadioTuner Class) -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) -
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) -
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) -,3,2,20802
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) -
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://ss5001/viewer/activeXViewer/
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nmg
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nmg
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nmg
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi infuryum,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

    O4 - HKCU\..\Run: [Microsoft Eventlog] C:\WINNT\Winupdate.exe

    Download and run:
    Use the Fix button and follow the instructions you will receive.

    And get the correct version of wmplayer.exe here:

    Then reboot into safe mode and delete:

    Still in safe mode replace wmplayer.exe with the version you downloaded.
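
A rescan check for the fix steps above, as an added example that is not part of the original thread: it parses HijackThis entry lines and reports which of the four entries marked for fixing are present again in a later scan. The `RESCAN` log is constructed sample data, and the function names are hypothetical.

```python
import re

# The four entries the reply above marks for "Fix checked" (copied from the page).
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKCU\..\Run: [Microsoft Eventlog] C:\WINNT\Winupdate.exe
"""

# Constructed sample: a rescan after a reboot in which one entry has come back.
RESCAN = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run:  [stcinstaller]  C:\Installer\ID53.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")       # "O4 - <body>"
AUTORUN = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+):\s*\[(.+?)\]\s*(.+)$")

def parse(text):
    """Return (code, body) per entry line; headers and process paths are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def key(code, body):
    """Comparison key: Windows paths and registry names are case-insensitive."""
    return code, " ".join(body.split()).casefold()

def persisting(fix_text, rescan_text):
    """Entries from the fix list that appear again in the later scan."""
    seen = {key(c, b) for c, b in parse(rescan_text)}
    return [f"{c} - {b}" for c, b in parse(fix_text) if key(c, b) in seen]

def autoruns(text):
    """Break O4 registry Run entries into hive, key, value name and command."""
    out = []
    for code, body in parse(text):
        m = AUTORUN.match(body) if code == "O4" else None
        if m:
            out.append(dict(zip(("hive", "key", "name", "command"), m.groups())))
    return out

if __name__ == "__main__":
    for line in persisting(FIX_LIST, RESCAN):
        print("still present:", line)
```

A fixed entry that shows up again in the rescan has been rewritten since the fix, which matches the reinstalling behaviour described in the first post.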

