I hope someone can help because I am so frustrated

Discussion in 'adware, spyware & hijack cleaning' started by wannie32, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. wannie32

    wannie32 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    2
    Hi there

    I am hoping someone can help because I have tried everything. Everytime I do a search with google it gets redirected to spotresult.com.I have downloaded countless spyware removal tools but to no avail. Here is my log that I saved with hijack this:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:57:06 AM, on 6/16/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Netropa\Touch Manager\MEDIACTR.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Netropa\Touch Manager\MMUSBKB2.EXE
    C:\WINDOWS\Integrator.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\WinMX\WinMX.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\mshta.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\randyc\Local Settings\Temp\Temporary Internet Files\Content.IE5\OYKUDNRM\HijackThis[1].exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmplayer.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Execulink Internet Services
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: PK¶PK¶Àȶ8¶˜¶˜¶P®¶ ˆ¶¶¶˜¶˜¶*¶*¶¨¶¨¶°¶°¶¸¶¸¶À¶À¶È¶È¶ÀFŽÀFŽØ¶Ø¶à¶à¶è¶è¶ð¶ð¶ø¶ø¶
    O1 - Hosts:  ¶˜¶˜¶*¶*¶¨¶¨¶°¶°¶¸¶¸¶À¶À¶È¶È¶Ð¶Ð¶Ø¶Ø¶à¶à¶è¶è¶ð¶ð¶ø¶ø¶
    O1 - Hosts: PK¶ð_¶¶¶˜¶˜¶*¶*¶Ø‚¶Ø‚¶°¶°¶¸¶¸¶À¶À¶È¶È¶Ð¶Ð¶Ø¶Ø¶à¶à¶è¶è¶ð¶ð¶ø¶ø¶ ˆ¶¶¶˜¶˜¶*¶*¶¨¶¨¶°¶°¶¸¶¸¶À¶À¶È¶È¶Ð¶Ð¶¨®¶¨®¶à¶à¶è¶è¶ð¶ð¶ø¶ø¶
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
    O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
    O4 - Global Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
    O4 - Global Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
    O4 - Global Startup: ZoneAlarm Plus.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
    O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://www.web-cam.org/morena/morena.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
    O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - http://www.fizzlewizzle.com/installfiles/powertools.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ca/games1.cab
    O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} - http://download-ak.systemsoap.com/instilla/systemsoap/instilla.cab
    O16 - DPF: {99E79790-2B09-11D6-8C73-0800460222F0} - http://www.andlotsmore.com/plug/install.cab
    O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37984.377962963
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/cd/1,0,3,8/us/AccesMembre.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Could anyone advise me as to what I should get rid of.

    As an aside. I repeatedly remove spyware and it keeps coming back, I noticed that the 2020 search tool bar is still in my remove install programs and I can't get rid of it. How can I stop these annoying creatures from infecting my computer??

    Thanks in advance for your help
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello wannie32,

    Start by doing this:

    Download CWShredder Click on update, then close all browsers, and then click on Fix, not scan.

    Next, download Spybot S&D Check for Updates first, download ALL Updates and Do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.


    Next, you are running hijackthis out of a temporary directory. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create backup files while it is being run from a temporary folder.

    Run HJT again and post a new log here.
     
  3. wannie32

    wannie32 Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    2
    Thanks for your help here is my new log.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:08:43 PM, on 6/17/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\Netropa\Touch Manager\MEDIACTR.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\Program Files\Netropa\Touch Manager\MMUSBKB2.EXE
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINDOWS\Integrator.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\MsiExec.exe
    C:\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
    O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
    O4 - Global Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
    O4 - Global Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
    O4 - Global Startup: ZoneAlarm Plus.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ca/games1.cab
    O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37984.377962963
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Download Registrar Lite from here:
    http://www.resplendence.com/download/reglite.exe

    Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

    Copy and paste the follow text into the address bar, then hit 'Go':
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

    In the pane on the right are the values associated with that key. We want to remove this one->{CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ Notice the underscore at the end, It should be the first one.

    Right click on it, and select delete.
    If you get a confirmation question, respond OK then close out the program.

    Go to Add/Remove programs and find Virtual Bouncer and if it is there, Remove it.

    Next,
    Click Start, and then click Run. (The Run dialog box appears.)
    Type regedit

    Then click OK. (The Registry Editor opens.)
    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete any values pertaining to "Virtual Bouncer."
    Exit the Registry Editor.


    Run Hijackthis again and check these entries and then on Fix:

    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/Dist...r2501031120.EXE

    Reboot and post a new log here.
     
Thread Status:
Not open for further replies.