Help!

Discussion in 'adware, spyware & hijack cleaning' started by Rudders, Dec 4, 2003.

Thread Status:
Not open for further replies.
  1. Rudders

    Rudders Guest

    Hope this is the right thread - apologies if it ain't :oops:

    Mate has this problem http://www.symantec.com/avcenter/venc/data/adware.dynamic.html

    He's followed all the instructions on how to remove it, but to no avail. The problems being:

    1. He's now got a new and unwanted search engine, going from MSN to Yougoo (gawd knows what that is :eek:)

    2. He cannot connect to his home page. He doesn't think he's lost all connectivity, because he's under the impression that his WinMix is still running in the background.

    3. He also had an item placed on his desktop, *Hot Kiss*; he said he's deleted that.

    Any suggestion... Pleeez
    Thanx in advance - Rudders :cool:
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Rudders, welcome :)

    Can you please download HijackThis and post a log here?

    HijackThis

    Open -> doubleclick hijackthis.exe -> scan -> save log as a .txt file and copypaste the complete contents here. We'll be glad to have a look.

    You can save hijackthis.exe on a floppy disk and run it from your mate's PC.

    Thanks!

    Cheers,
     
  3. Rudders

    Rudders Guest

    You couldn't post the URL for that, could ya, mate, coz I'm actually doing this for a mate :cool:
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  5. Rudders

    Rudders Guest

    "Click on HijackThis in his post and you will see it downloads" - yeah, I realised that :p but he's in a totally different city to me, so I was thinking of passing the URL on. You gave it me now anyroad, so let's get this ball rolling :D Next time I visit will be tonight, sometime :cool:

    Ta - Rudders
     
  6. Unzy

    Unzy Registered Member

    Hi Rudders,

    Yeah, it was hyperlinked, sorry about that.

    I thought it would be easier if you downloaded HijackThis and extracted it on a floppy disk, so the hijackthis.exe is on it. Then take that floppy to your mate's PC and run HijackThis from a:/

    Just in case your mate isn't able to dl HT, or some spyware redirection doesn't let you reach the download URL. I'm probably too paranoid, but I talk from experience: I regret not taking my floppy with me when I clean a system somewhere :cool:

    Keep us posted!

    Cheers,
     
  7. Rudders

    Rudders Guest

    Just in case you'd thought I'd forgotten about ya, thought I'd pop by and give you the latest ;) In the end I had to e-mail him Hijac lol, because his floppy disk wasn't working at work. I've mailed it him anyhoo; whether or not he's received it is another story, because, as I stated in my first post, he's not 100% sure whether or not he's connected :'(

    Right then, that's you up to speed :D but while we're waiting for him, let's fear the worst, shall we, and let's say he's totally lost his Internet connection. Is there owt else he could try, which I could pass on to him tomorrow, say? Do remember though, this will only go into action if Plan A fails :eek: Plan A being me coming back on here with that Hijac thingy-ma-jig list.

    The very grateful - Rudders :cool:
     
  8. Rudders

    Rudders Guest

    Here you go :cool:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:58:09, on 04/12/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)


    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\MY DOCUMENTS\MY RECEIVED FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\TEMP\VTAgentReboot.exe
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Reboot.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.555162037
    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Rudders,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\TEMP\VTAgentReboot.exe
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL

    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

    Reboot and delete:
    C:\WINDOWS\NEM214.DLL

    Regards,

    Pieter
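To show how the entries Pieter picked out can be spotted mechanically, here is an added triage script (my own, not from the thread or from HijackThis itself) run over a constructed subset of the log posted above. The heuristics are assumptions of mine rather than HijackThis rules, and the bare-IP O16 check flags one line Pieter did not list, so its output is a review queue, not a fix list.

```python
import re

# Constructed sample: a subset of the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\TEMP\VTAgentReboot.exe
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
"""

# Assumed heuristic: an ActiveX (O16) package served from a bare IPv4 host deserves a look.
RAW_IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)


def triage_line(line):
    """Return a reason string if a HijackThis entry deserves review, else None."""
    section, _, rest = line.partition(" - ")
    if section == "R3" and rest.endswith("(no file)"):
        return "URLSearchHook with no backing file"
    if section == "F1" and "\\TEMP\\" in rest.upper():
        return "win.ini run= entry launching from the TEMP folder"
    if section == "O2" and "(no name)" in rest:
        if rest.endswith("(no file)") or rest.endswith("(file missing)"):
            return "unnamed BHO whose DLL is missing"
        return "unnamed BHO"
    if section == "O10":
        return "Winsock LSP chain broken (a provider is missing)"
    if section == "O16" and RAW_IP_HOST.search(rest.rsplit(" - ", 1)[-1]):
        return "ActiveX download from a bare IP address"
    return None


def triage_log(text):
    """Return [(line, reason)] for every non-empty log line that trips a heuristic."""
    flagged = []
    for line in text.splitlines():
        reason = triage_line(line) if line.strip() else None
        if reason:
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
```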
     
  10. Rudders

    Rudders Guest

    Cheers matey :cool: will pass this info on
     
  11. Rudders

    Rudders Guest

    Just had this back from him:

    Running HijackThis? Ticking the little boxes and deleting the files.
    I need to copy a copy of Isp.dll across

    and then after restarting I need to delete
    C:\Windows\NEM214.DLL
    Is that right?

    Is he correct?

    The ever increasingly grateful - Rudders :D
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Check the boxes before the lines I posted, make sure all other windows are closed before clicking Fix checked.

    Then restart the computer and delete C:\Windows\NEM214.DLL

    No additional action is required for the lsp.dll

    Regards,

    Pieter
     
  13. Rudders

    Rudders Guest

    Just had this off him:

    Well what happens to ISp.dll then o_O?
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    HijackThis will remove it from the winsock stack.

    Note: now I see why the worries. It is not ISP.dll but lsp.dll.
    Not put there by your ISP but by spyware.

    Regards,

    Pieter
     
  15. Rudders

    Rudders Guest

    Cheers Pieter :cool: Just a quickie this time.. he would like to know

    .. what does lsp.dll do?
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Rudders,

    It hijacks the winsock and is part of this: http://www.doxdesk.com/parasite/ShopAtHomeSelect.html

    Regards,

    Pieter
     
  17. Rudders

    Rudders Guest

    Ta muchly Pieter :cool:

    I'll let you know how he gets on - it'll be sometime over the weekend.

    Rudders
     
  18. Rudders

    Rudders Guest

    Weh-hay Pieter, 'tis now sorted :D :cool:

    Thanx for your time & effort mate, 'tis truly appreciated

    A very happy Rudders and an even happier friend of Rudders lol ta :cool:
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Rudders,

    That's great news. :)

    Glad we could help.

    Regards,

    Pieter
     