Help !

Discussion in 'adware, spyware & hijack cleaning' started by Rudders, Dec 4, 2003.

Thread Status:
Not open for further replies.
  1. Rudders

    Rudders Guest

    hope this is the right thread - Apologise if it aint :oops:

    Mate has this problem http://www.symantec.com/avcenter/venc/data/adware.dynamic.html

    he`s followed all the instructions on how to remove it , but to no avail .. The Problems being

    1:- he`s now got a new and unwanted search engine , going FRom MSN to Yougoo (gawd knows what that is :eek:)

    2:- he cannot connect to his HomePage , he doesn`t think he`s lost all connectivity , because he`s under the impression that his WinMix is still running in the Background

    3:- he also had an item placed on his DeskTop *Hot Kiss* he said he`s deleted that

    any suggestion ... Pleeez
    Thanx in advance - Rudders :cool:
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Rudders, welcome :)

    Can you please download HijackThis and post a log here?

    HijackThis

    Open -> doubleclick hijackthis.exe -> scan -> save log as a .txt file and copypaste the complete contents here. We'll be glad to have a look.

    You can save hijackthis.exe on a floppy disk and run it from your mate's PC.

    Thanks!

    Cheers,
     
  3. Rudders

    Rudders Guest

    you couldn`t post the Url for that could ya , Mate , coz i`m actually doing this for a mate :cool:
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
  5. Rudders

    Rudders Guest

    "Click on HijackThis in his post and you will see it downloads " yeah , i realised that :p but he`s in a totally different city to me, so i was thinking of passing the Url on - you gave it me now anyroad , so lets get this ball rolling :D next time i visit will be tonight , sometime :cool:

    Ta - Rudders
     
  6. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi rudders,

    Yea it was hyperlinked, sorry about that.

    I thought it would be easier if you downloaded HijackThis and extract it on a floppy disk, so the hijackthis.exe is on it. Then take that floppy to your mate's PC and run HijackThis from a:/

    Just in case your mate isn't able to dl HT or some spyware redirection doesnt allow you to the download URL. I'm probably too paranoid, but i talk from experience that I regret not taking my floppy with me when I clean a system somewhere :cool:

    Keep us posted!

    Cheers,
     
  7. Rudders

    Rudders Guest

    just incase you`d thought i`d forgotten about ya , thought i`d pop by and give you the latest ;) in the end i had to e-mail him Hijac lol because his floppy disk wasn`t working at work , i`ve mailed it him anyhoo , whether or not he`s recieved it is another story , because , as i stated in my first post , he`s not 100% sure whether or not he`s connected :'( .

    Right then , thats you up to speed :D but while we`re waiting for him , lets fear the worse , shell we , and lets say he`s totally lost his Inter Net Connection , is there owt else he could try - which i could pass on to him tomorrow say .. do remember tho , this will only go into action if Plan A. fails :eek: Plan A. being me coming back on here with that Hijac thingy ma jig list

    The Very Greatful - Rudders :cool:
     
  8. Rudders

    Rudders Guest

    here you go :cool:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:58:09, on 04/12/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)


    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\MY DOCUMENTS\MY RECEIVED FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\TEMP\VTAgentReboot.exe
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Reboot.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.555162037
    O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Rudders,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=C:\WINDOWS\TEMP\VTAgentReboot.exe
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL

    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

    Reboot and delete:
    C:\WINDOWS\NEM214.DLL

    Regards,

    Pieter
     
  10. Rudders

    Rudders Guest

    Cheers Matey :cool: will pass this info on
     
  11. Rudders

    Rudders Guest

    just had this back from him

    running hijack this? ticking the little boxes and deleting the files.
    I need to copy a copy of Isp.dll across

    and then after restarting i need to delete
    C:\Windows\NEM214.DLL
    IS that right?


    is he correct ?

    The ever increasingly greatful - Rudders :D
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Check the boxes before the lines I posted, make sure all other windows are closed before clicking Fix checked.

    Then restart the computer and delete C:\Windows\NEM214.DLL

    No additional action is required for the lsp.dll

    Regards,

    Pieter
     
  13. Rudders

    Rudders Guest

    just had this off him

    Well what happens to ISp.dll theno_O?
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    HijackThis will remove it from the winsock stack.

    Note: now I see why the worries. It is not ISP.dll but lsp.dll
    Not put their by your ISP but by spyware.

    Regards,

    Pieter
     
  15. Rudders

    Rudders Guest

    Cheers Pieter :cool: just a quicky this time ..he would like to know

    .. what lsp.dll does?
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Rudders,

    It hijacks the winsock and is part of this: http://www.doxdesk.com/parasite/ShopAtHomeSelect.html

    Regards,

    Pieter
     
  17. Rudders

    Rudders Guest

    Ta Muchly Pieter :cool:

    i`ll let you know how he gets on - it`ll be sometime over the weekend

    Rudders
     
  18. Rudders

    Rudders Guest

    weh`hay Pieter , tiz now sorted :D :cool:

    Thanx for your time & effort mate , tiz truely Appreciated

    a very happy Rudders and and even happier Friend of Rudders lol ta :cool:
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Rudders,

    That's great news. :)

    Glad we could help.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.