# DEREK:Hijacked by about Blank and Search for...

Discussion in 'adware, spyware & hijack cleaning' started by Allen Williams, Apr 23, 2004.

Not open for further replies.
1. ### Allen Williams (Registered Member)

Joined:
Apr 23, 2004
Posts:
17
Location:
Enid, Oklahoma 73703
Derek, Here is the information the way you wanted it. Thanks for any help in this. Hope to hear something very soon. E-mail me when you got something for me to do. Here goes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TBPanel.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\kcoazfdx.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\PROGRA~1\INCRED~2\bin\IBMain.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This Zipped\HijackThis.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: IBBHO - {12BA043E-293E-4CE4-A8C7-8460934FE801} - C:\Program Files\IncrediBar\bin\IBBHO.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {85C7EDF7-FA42-4388-B006-807065BA6648} - C:\WINDOWS\System32\pekp.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msole.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [MagnifyingGlass] A:\Magnifying Glass.exe /autorun
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKLM\..\Run: [lvaiuxxa] C:\WINDOWS\System32\kcoazfdx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: ScreenThemes.lnk = C:\scthemes\scthemes.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IncrediBar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37982.6371643519
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3FC61F-3067-44CB-A59C-40179AD94219}: NameServer = 151.164.1.8 207.193.229.1
Allen <snip>

Last edited by a moderator: Apr 23, 2004
2. ### puff-m-d (Registered Member)

Joined:
Feb 13, 2002
Posts:
4,537
Location:
North Carolina, USA
Hi Allen,

Welcome to Wilders.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {85C7EDF7-FA42-4388-B006-807065BA6648} - C:\WINDOWS\System32\pekp.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msole.dll

O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKLM\..\Run: [lvaiuxxa] C:\WINDOWS\System32\kcoazfdx.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.6.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab

There also may be hidden files. See HERE for how to show hidden files.

Then reboot into safe mode and delete:

C:\WINDOWS\System32\pekp.dll
C:\WINDOWS\System32\msole.dll
sysdll.reg (You may have to do a search for this file.)
C:\WINDOWS\System32\kcoazfdx.exe

Reboot and then post a fresh HijackThis log.

Regards,
Kent

3. ### Allen Williams (Registered Member)

Kent,
Did what you said. When I rebooted into safe mode, however, I did not see the c:\Windows\System32\pekp.dll or the other ones you told me to delete. Where are they? When I ran Hijack This again, the R1 with about Blank at the end was at the top of the list. I fixed that. All others were not the ones you told me to check off. I rebooted and about blank was still on my Internet browser but the page was blank. I reset my browser to my home page and applied and clicked okay and closed IE and re-opened it. About blank was gone. It was also on my preview panes (Search for..) in my Incredimail mail service when all files were deleted and nothing was showing. I went back to my mail and checked it was gone now. So it seems that it worked. Do you have any idea where I picked this thing up at, so that I don't go back there again?
As you requested, here is my Hijack These are the results after I did what you told me. I will be standing by to see if there is anything else I need to do. Thank You so much so far. It is appreciated that good guys like you and Derek are out here to help us. By the way, what do I do with all of the backups that were created when I did this? Are they necessary? They are in the file where I have Hijack This located.
Here it is:
Logfile of HijackThis v1.97.7
Scan saved at 10:17:42 PM, on 4/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TBPanel.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~2\bin\IBMain.exe
C:\Hijack This Zipped\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intercorp.com/
O2 - BHO: IBBHO - {12BA043E-293E-4CE4-A8C7-8460934FE801} - C:\Program Files\IncrediBar\bin\IBBHO.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [MagnifyingGlass] A:\Magnifying Glass.exe /autorun
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: ScreenThemes.lnk = C:\scthemes\scthemes.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IncrediBar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37982.6371643519
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3FC61F-3067-44CB-A59C-40179AD94219}: NameServer = 151.164.1.8 207.193.229.1

Thanks Again, Kent
Sincerely,
Allen Williams <snip>

Last edited by a moderator: Apr 23, 2004
4. ### puff-m-d (Registered Member)

Hi Allen,

I would keep the backups for a few days to be sure all is OK and that I did not advise you to fix something you should not. It is sort of like a safety net. As far as to where you got it etc., below I have listed some good reads and things you can do to protect yourself in the future.

Some things you should read and check into:

And here is a good read about how to be better protected: Click Me.

To help keep your system clean, these are also freeware programs that we recommend:
SpywareBlaster - will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.
SpywareGuard - provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.
IE-Spyad - will put a list of bad domains and sites into the Restricted Site Zone of your IE Browser. This will help protect IE and prevent those drive-by downloads, browser hijacking, ActiveX, Java, popups, cookies, etc, from compromising your computer while you surf.

And of course, you should have a trusted spyware removal program (I recommend having them both as one may catch what the other may not, since they update at different times):
Spybot Search&Destroy
SpybotS&D Setup Tutorial.
Before scanning with either Ad-Aware or Spybot S&D, remember to bring them up-to-date first.

Regards,
Kent

5. ### Allen Williams (Registered Member)

Thanks a bunch Kent. So far, so good. I am taking your advice and downloading all of the programs and updating windows now. I really do appreciate the fast response. I was waiting for Derek, but you were there and quick. I hope I didn't offend Derek. Take care and have a great weekend. You've made a friend. Both of you.
Sincerely,
Allen Williams, Enid, Oklahoma

6. ### puff-m-d (Registered Member)

Hi Allen,

We are one big team here at Wilders so I am sure you did not offend anyone. We are all here to help and it was my pleasure to help you.

Regards,
Kent

7. ### Allen Williams (Registered Member)

Kent,
I opened it up again today... and guess what? It was back. I repeated the steps and I also ran cw shredder in safe mode. I hope I got it this time. I couldn't download the spyblaster thing, keeps saying when I open it that I had a bad sector on my hard drive or a virus and to reinstall it. I have done that several times to no avail. I have run Nortons and it finds nothing. I have defragged and it shows no bad sectors. Got any ideas why I can download this thing and use it? I haven't tried the others. I have SpyBot Search and destroy. Do these two get along? Does my Norton's keep it from installing somehow? I disabled it, just to try to install and it did no good. Don't have a clue. Let me know something. I want to protect myself to the max. This is frustrating.
Thanks. I will check back in a little while to see if you posted anything.
Sincerely, Allen

8. ### puff-m-d (Registered Member)

Hi Allen,

This is a new problem with installing SB and we think CWS is involved. It appears something is getting left behind that is interfering with the SB install. The Experts here are hard at work trying to figure out a fix for this as you are not alone with the problem. Hopefully we will find the culprit soon.

Regards,
Kent

9. ### Allen Williams (Registered Member)

Hello Kent,
I am still experiencing some weird stuff here. I installed Spy Guard and it keeps popping up and saying that about blank is still trying to change my settings. At first I thought it was a web site I was at, but when I closed IE down and downloaded the latest Microsoft updates, when I re-opened and default to my home page, it popped up again. I just kept clicking restore until it went away. Then I came straight to this site to tell you about it. It appears to me that I must be missing something somewhere that keeps allowing this thing to load again and again. I am glad I got that Spyguard or it would have done it to me again. But it keeps repeating itself and I spend most of the time so far clicking restore. Please respond soon so I can get to work on this. Tell me what to do or what you need to know.
Thanks, For all of your help.
Sincerely, Allen

10. ### Allen Williams (Registered Member)

Kent,
I went ahead and run Hi Jack This and this is what I got. It seems that it just keeps coming back. It appears that it stays gone as long as I don't shut down and reboot. I just don't get it. I have done everything, step by step and checked and rechecked to make sure I did everything I was supposed to. It seems like it is in the very root of the system but I don't know how to get to it. I never did do the delete portion of C:\Windows\System32\pekp.dll and the others you said to do. I don't know exactly how to do that part. Maybe that is where I went wrong? I know that when I rebooted in safe mode, I did not see those files. Were they supposed to be there or are they located somewhere else?
Here's the information off of the Hijack This Log:
Logfile of HijackThis v1.97.7
Scan saved at 8:45:08 PM, on 4/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\TBPanel.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~2\bin\IBMain.exe
C:\Hijack This Zipped\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intercorp.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nligeca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http//www.intercorp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nligeca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: IBBHO - {12BA043E-293E-4CE4-A8C7-8460934FE801} - C:\Program Files\IncrediBar\bin\IBBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MagnifyingGlass] A:\Magnifying Glass.exe /autorun
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IncrediBar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37982.6371643519
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3FC61F-3067-44CB-A59C-40179AD94219}: NameServer = 151.164.1.8 207.193.229.1
Thanks Again for any help.
Sincerely, Allen
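
The log in the post above shows the same SearchAssistant values as the first log in the thread, now pointing at nligeca.dll instead of pekp.dll. The following is an added example, not part of any post in this thread: Python that parses the R0/R1 lines of two HijackThis logs and reports settings whose `res://` DLL target returned under a different file name. The function names are hypothetical, and the two sample logs are short excerpts of the logs posted above.

```python
import ntpath
import re

# Excerpt of the first HijackThis log in this thread (post 1).
LOG_FIRST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pekp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Excerpt of the log posted after the hijack returned (post 10).
LOG_LATER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intercorp.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nligeca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nligeca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
"""

# "R0 - <hive>\<key>,<value name> = <data>" as HijackThis prints IE settings.
R_LINE = re.compile(
    r"^R[01] - (?P<key>HK(?:CU|LM)\\[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$"
)
# A res:// URL that loads a page out of a DLL's resources.
RES_DLL = re.compile(r"^res://(?P<path>.+?\.dll)/", re.IGNORECASE)


def ie_settings(log_text):
    """Map 'key,value name' -> data for every R0/R1 line in a log."""
    settings = {}
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            data = re.sub(r"\s*\(obfuscated\)$", "", m["data"])
            settings[m["key"] + "," + m["name"]] = data
    return settings


def res_dll(data):
    """Lower-cased DLL file name if the data is a res:// URL into a DLL."""
    m = RES_DLL.match(data)
    return ntpath.basename(m["path"]).lower() if m else None


def referenced_dlls(log_text):
    """All DLL file names that IE settings in this log point into."""
    return {d for d in map(res_dll, ie_settings(log_text).values()) if d}


def recurring_hijacks(earlier, later):
    """Settings that pointed into a DLL in both logs, renamed or not."""
    old, new = ie_settings(earlier), ie_settings(later)
    findings = []
    for setting in sorted(new):
        new_dll = res_dll(new[setting])
        old_dll = res_dll(old.get(setting, ""))
        if new_dll and old_dll:
            findings.append({
                "setting": setting,
                "old_dll": old_dll,
                "new_dll": new_dll,
                "renamed": old_dll != new_dll,
            })
    return findings


if __name__ == "__main__":
    for f in recurring_hijacks(LOG_FIRST, LOG_LATER):
        note = "renamed" if f["renamed"] else "same file"
        print(f'{f["setting"]}: {f["old_dll"]} -> {f["new_dll"]} ({note})')
```

Matching on the registry value rather than on the DLL name is what makes the recurrence visible: a file-name search for pekp.dll would find nothing in the later log.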

12. ### Allen Williams (Registered Member)

Dear Pieter,
Well I went to the site like you said and downloaded and unzipped it, but all I get are two DOS files. When I click on them, all they do is flash and they don't do anything. Or I don't see anything happening. No instructions at the site, so I don't know what it is doing. I waited but nothing happens. What am I doing wrong?
Standing by.... Allen and thanks for taking time to help me.

13. ### Pieter_Arntz (Spyware Veteran)

Joined:
Apr 27, 2002
Posts:
13,359
Location:
Netherlands
Hi Allen,

In the folder that holds find.bat and xfind.com a txt file should be created. Can you post the content of that one.

Regards,

Pieter

14. ### Allen Williams (Registered Member)

Pieter,
When I click the 1kb file a folder was created and when I opened it Notepad shows this. C:\WINDOWS\System32\CTSPKHLP.DLL +++ File read error
That is all that is in there. Is this what you are looking for? When I click the other file MS DOS application, it starts to open a small DOS window only for a split second and then it goes away. There is information there, but it flashes so fast I cannot read it and pause does not work to freeze the screen. Nothing else shows up. Am I doing this right? Please reply soon..with further instructions I will be standing by.... Allen

15. ### Pieter_Arntz (Spyware Veteran)

Yes that is the information we will need later on.

Next, do this:
open the registry from start/run/regedit
And expand the following:
*HKEY_CLASSES_ROOT\PROTOCOLS\Filter
RightClick the 'filter' key, choose 'export' name it and save in location of choice

Navigate to this key next:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Find this value on the right panel:
"Appinit_Dlls"< RightClick and rename to:
->'Appinit_Dlls1'
Close regedit, reopen it to the same key, Hilite the 'Windows' key there,
Export it the same way and save in location of choice

Lastly, navigate to:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects<
Export that Subfolder the same way.
And proceed to do the following:

RightClick Security/permissions on 'Browser Helper Objects'
"inherit from parent...permissions" lower box.
Hit ok' and 'remove' on next prompts.

That will prevent it from spreading further.

you saved, RightClick each -> edit, copy the
contents and post here, along with new hijackthis log.

Regards,

Pieter
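
The post above asks for exports of three registry keys. As an added example, not part of the original post or of any tool named in this thread, the Python below reads the text of such a regedit export and pulls out what a reviewer looks at first: any non-empty AppInit_DLLs value (including a renamed one such as AppInit_DLLs1), the CLSIDs under Browser Helper Objects, and the CLSID behind each protocol filter. The function names are hypothetical; the sample export is constructed, with key layout and CLSIDs following exports quoted in this thread and a made-up AppInit_DLLs1 path so the check has something to report.

```python
import re

# Constructed sample export. regedit writes "Version 5.00" files as UTF-16,
# so read a real file with encoding="utf-16" before passing its text in.
EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs1"="C:\\WINDOWS\\System32\\example.dll"
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12BA043E-293E-4CE4-A8C7-8460934FE801}]
@="IBBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
'''

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
FILTER_KEY = r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter"

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def unquote(token):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token  # dword:, hex: and similar are returned as written


def parse_reg(text):
    """Return {key path: {value name: data}} for a regedit text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m["key"], {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name = "(Default)" if m["name"] == "@" else unquote(m["name"])
            current[name] = unquote(m["data"])
    return keys


def subkeys(keys, parent):
    """Direct and nested subkeys of `parent`, keyed by their relative name."""
    prefix = parent.lower() + "\\"
    return {k[len(prefix):]: v for k, v in keys.items()
            if k.lower().startswith(prefix)}


def review(keys):
    """Collect the three things the exports are requested for."""
    windows = next((v for k, v in keys.items()
                    if k.lower() == WINDOWS_KEY.lower()), {})
    appinit = {n: d for n, d in windows.items()
               if n.lower().startswith("appinit_dlls") and d.strip()}
    bhos = {clsid: vals.get("(Default)", "")
            for clsid, vals in subkeys(keys, BHO_KEY).items()}
    filters = {name: vals.get("CLSID", "")
               for name, vals in subkeys(keys, FILTER_KEY).items()}
    return {"appinit": appinit, "bhos": bhos, "filters": filters}


if __name__ == "__main__":
    for section, items in review(parse_reg(EXPORT)).items():
        print(section, items)
```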

16. ### Allen Williams (Registered Member)

Pieter,
I did what you said step by step. I have run Hijack This, and CW Shredder again, earlier tonight and I have not had any problems so far after this. One site said when I do this, undo system restore first. So I have, and I have not re-activated it yet. I don't think I want to activate it until this is cured right? Be sure to tell me again on how to reactivate that permission thing whenever we get done, if I need to. It told me that it could not open browser object when I clicked ok. Well here are the files first:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12BA043E-293E-4CE4-A8C7-8460934FE801}]
@="IBBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71ED4FBA-4024-4bbe-91DC-9704C93F453E}]

@="NAV Helper"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs1"=""
"AppInit_DLLs"=""

Here is the Hijack Log:
Logfile of HijackThis v1.97.7
Scan saved at 10:21:10 PM, on 4/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\TBPanel.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~2\bin\IBMain.exe
C:\WINDOWS\regedit.exe
C:\Hijack This Zipped\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intercorp.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http//www.intercorp.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MagnifyingGlass] A:\Magnifying Glass.exe /autorun
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IncrediBar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37982.6371643519
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3FC61F-3067-44CB-A59C-40179AD94219}: NameServer = 151.164.1.8 207.193.229.1

I really do appreciate your help in this matter. I haven't had the chance to download Adaware yet. But from all indications that I have read on this problem, it probably won't do much good to try to use it. Right? I will download it when this is all over with though. By the way, has Spyblaster been fixed yet? I have tried several times with no success yet.
What time do you get on this site and check things? Is it during the day? Tell me so I know when you might be here. And how do you know that I have replied? Do you get a flag or something? Is there a way on this site to be e-mailed when someone replies to your post or reply?
Thanks again,
Sincerely,
Allen Williams in Enid, Oklahoma

17. ### Pieter_Arntz, Spyware Veteran

Hi Allen,

Adaware would have helped a bit but not much I think.
Find and delete the following subfolders via the registry (be very cautious and do not delete anything else!):

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85C7EDF7-FA42-4388-B006-807065BA6648}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{807553E5-5146-11D5-A672-00B0D022E945}

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\
text/html <- delete
text/plain <- delete

http://www10.brinkster.com/expl0iter/freeatlast/CopyLock.zip

set up these options:
-Check- 'Show Source paths'

Click the 'Add' tab->'Files to rename'
In the 'Look in..' Dialogue box navigate to your
C:\WINDOWS\System32 directory and stop there!
(*you will not see the file!)
Copy and paste into the 'File name' field:
C:\WINDOWS\System32\CTSPKHLP.DLL
In the result (destination) erase entire output (copy of...) and
CTSPKHLP.DLX
Hit 'ok' (On warning of different extension as well)
and on the main box hit the->'Apply' tab
**You will be asked to restart computer!
Do so right away, next--
navigate to System32 and delete the "CTSPKHLP.DLX"
file, as it'll be visible!

***ATTENTION***
means it will not work.

If that all works then it is time to deploy AdAware.

Regards,

Pieter
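
An added example, not part of the original posts and not a tool used in this thread: the Python below parses a .reg text export like the PROTOCOLS\Filter one posted earlier and reports which MIME filter entries point at the CLSIDs named for removal in the post above. The function names are hypothetical, and the sample export is abridged from the one in this thread.

```python
import re

# Abridged from the PROTOCOLS\Filter export posted earlier in this thread.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"
'''

# The two CLSIDs named for removal in the post above.
FLAGGED = {
    "{85C7EDF7-FA42-4388-B006-807065BA6648}",
    "{807553E5-5146-11D5-A672-00B0D022E945}",
}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg text export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]  # string value: drop the surrounding quotes
            current[name] = data
    return keys

def filters_using(keys, clsids):
    """List MIME filter names whose CLSID is in `clsids` (case-insensitive)."""
    wanted = {c.lower() for c in clsids}
    prefix = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"
    hits = []
    for path, values in keys.items():
        clsid = values.get("CLSID", "")
        if path.startswith(prefix) and clsid.lower() in wanted:
            hits.append((path[len(prefix):], clsid, values.get("(Default)")))
    return hits

if __name__ == "__main__":
    for mime, clsid, desc in filters_using(parse_reg(REG_EXPORT), FLAGGED):
        print(f"{mime}: {clsid} (description: {desc!r})")
```

On the abridged export it reports the text/xml filter, which has no description value and carries the second CLSID listed above.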

18. ### Allen Williams, Registered Member

Hello Again Pieter,
Well I had a little success in your instructions. I was successful at finding only two of the files you told me. I could not locate the first file you told me to do. I even used find and it was not there. I was able to get to the second file and I deleted it only. The third file I was able to delete the text/html but the text/plain was not there. I downloaded Copy Lock as instructed but I could not get it to work on your instructions. When I tried to copy and paste the CTSPKHLP.DLX into the destination it would say source no longer exists. Rather than try anything different, I stopped after about three tries. Following your instructions to the letter. I know these are tricky so I didn't do anything else. I have not had Spyguard pop up with anything today, so far. I am going to go and download Adaware now. I guess Spyguard is still not working? You never said. Is there anything else that you need to see? Or are we there as far as we can go? I am really impressed with your knowledge. I don't have a clue as to what I am doing when I do what you say. Let me know if you need to tell me anything else. I will check back here in a little while.
Thanks again,
Sincerely,
Allen in Enid, OK

19. ### Pieter_Arntz, Spyware Veteran

Hi Allen,

I hope nothing has changed in the sense that it came back.
Every little success against this one gives me a little courage to try another. Unfortunately this one seems to have the upper hand for now.

Regards,

Pieter

20. ### puff-m-d, Registered Member

Joined:
Feb 13, 2002
Posts:
4,537
Location:
North Carolina, USA
Hi JOEZ,

I am splitting your post off from this thread so it will get more attention. This both cuts down on confusion and adheres to the policy of only one poster with a problem to a thread. You can find your thread HERE.

I am also deleting one of the posts as you double posted.

Regards,
Kent

21. ### Allen Williams, Registered Member

Hi Pieter,
Had a letter all typed out and I forgot to send it and X'd out of this page. Stupid me! I have had some weird things happening. I think I have nailed some of what is going on. When I came here earlier, I was hit with the Welchia Worm virus as soon as I opened this site. Nortons blocked it though. I was also hit at the same time with about Blank on this site. Earlier today, when I went to Google that was saved in my favorites, and I was hit with about Blank. I thought, well this site must be infected or I got infected here somehow, cause I have been using Google Search for awhile now. And I save most of my favorites from this searching machine. Is it possible that MY Favorites are contaminated somehow? Is there a way to check it? Do I need to delete all of them and start over? Please let me know what you think. After I got hit here, I closed everything down, ran a search to see where about blank was. Went and did the Hi-jack this thing, and the CWshredder thing too. I have also found another one through my searches that was in there called AVserve.exe. This thing makes your cpu run at 100% and finally overloads the computer and it shuts down. I did some checking through all the about blank attacks and Spyguard fending it off, and found out that it is a form of a virus. So I searched and found all the files, and deleted all of them. Nortons doesn't see this one either. I have found another file in the task manager that behaves similar to AVserve. It is ns.exe. I tried to stop it, but Windows won't let me. It doesn't appear to shut me down, but it keeps the CPU running at 100% showing tasks between 90 and 96 all the time, when nothing appears to be open or running. I am stumped on this one. Do you know what it is?
Also, I cannot access my system information now. That is the message I get when I open System Information. Any idea on how to get it back to running again? And... don't we need to reactivate the stuff we renamed and put in another place? Don't we need to put it back? Also when I boot up I get this message that a file cannot be found, it is called \\.\DRI_KBFiltr. I have no idea what this is or why it is saying that it cannot be found. Got any ideas?
Well, things are weird, but I think I am starting to see some of the picture. I will appreciate any advice on what to do about the things I have mentioned. I want you to know that I do appreciate your help in this adventure. I would rather be doing something else on the computer than doing this though. I have to be honest. After a while it really gets maddening.
Take care and hope to hear from you soon.
Sincerely,
Allen in Enid, Oklahoma

22. ### Allen Williams, Registered Member

Pieter,
One quick note, after I cleared everything out, I deleted your site from my favorites and found it again through Lycos search. Came into the site and nothing happened. No attacks. This leads me to believe something is in my favorites through maybe Google somehow. Does this confirm it?
Allen

23. ### Allen Williams, Registered Member

Pieter, I still need to know some things.

Pieter,
I have waited for a reply but haven't seen one in several days. I have switched to high speed cable Internet and when I did all the problems seem to have disappeared somehow. I am not getting constantly hijacked anymore. Last night before I made the switch I was being hit about every thirty seconds with my browser being changed. It was even hitting me, when I was not on the Internet. Don't know how that was happening.
Since we done what we have or the troubleshooting and moving this and that, I can no longer access my system information. When I try it just says Can't collect information. Says files may have been moved or missing. Can you tell me how to put it back?
In the past the Sasser virus that I had, kept me from getting Windows Critical updates. I now have been able to install all of them except one. It is the one that is supposed to keep Sasser out. Its number is KB835732. I have tried over and over and the installation fails. I have tried deleting the info in the WUTemp that has a file called: Windows Cab folder and file that contains a partial install of the update. Windows help said to try this. But when I try to reinstall it does the same thing over and over. I thought maybe my Internet Explorer had been damaged so I went looking for the place windows told me it would be and I couldn't find it to use the repair tool. Can you tell me where it might be located at?
I also have noticed that since we did what we did about deleting and moving things around, every time I boot up I get one file could not be found message. I don't know what it belongs to. It (the file name) appears like this: \\.\DRI_KBFILTR. Do you know what this is and how I can fix it or remove it if necessary?
I would appreciate another helping hand to get me back to where I was. I have updated all virus protection to get the Sasser from now on, as well as CWshredder, Hijack this, I have installed Spyguard, Spysweeper and numerous other protections. I have not been successful yet about Spyware Blaster yet or Adaware. Can't seem to get Adaware to download. But that was with my phone modem connection. I will try again with my cable connection. I will also do the same for Spyware Blaster.
It has been a very frustrating week but I feel I have had some success. I won't be peaceful until we get what I mentioned above back and under control. Please help.
Thanks,
Allen

25. ### Allen Williams, Registered Member

Pieter,
Just to let you know, I appreciated your help. It turns out not only was it the Sasser Worm which I used McAfee and Nortons to surely kill it, but it was the Cool Web Search that was really giving me the problem. I kept using, CWshredder, Hi-Jackthis and Spybot Search and destroy. But they would only get it temporarily. My problem was I went to Lava Soft and kept trying to download Adaware from their site. Evidently it is a very busy place for downloading and I couldn't ever get connected. So I searched for another site finally and I found one and it only took a few seconds to do and just a few minutes to run. After all of the others working on removing this thing, Adaware found 32 additional files that were infected and I told it to delete them all. So far tonight, I have not had one reoccurrence. In the past it was hitting me every thirty seconds.
Now, let's get down to the parts that I asked you about before on my Systems Registry and things we put into another folder to keep this in check. How do I restore those things we put in there? I cannot read my system information now, that we have done what we did. Explain to me those folders as to what they are and just what it is they do. Also, the backup logs in Hijack this, what do I do with them? One thing that is really strange is, since all of this happened, I go to the Microsoft Updates and I can download and install every critical update, except one. And that is the one for the prevention of the Sasser. It is KB835372. It just hangs when I try to install it and when I try to maneuver away from it, it says that installation will not be complete. It is only a 284 Kb file. I don't get it. I can find the Cab file in the registry and delete it to try to redo it, but the results are the same. Can't install it. Have you heard of this before?
Please answer the above questions if you can, or direct me to a page or someone that can. Again, I do appreciate all of your help. I couldn't have got this far with out your assistance. Take care and I hope good things come your way.
Sincerely, Allen in Enid, Oklahoma, USA