Just canèt do it alone

Discussion in 'adware, spyware & hijack cleaning' started by themightystone, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. themightystone

    themightystone Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    2
    Had a friend drop his win 98 box in my lap and I just cannot seem to get rid of a couple of adwarespywareéhijacks. I have done all the windows updates, Norton is up to date and run and Ad aware just keeps fing the same thing every time I reboot. I decided to try out HIJACK THIS and post to this column, because I have had good advice and help here before. Any help would be appreciated. Hereès the HIJACK THIS log...

    Logfile of HijackThis v1.97.7
    Scan saved at 11:54:50 PM, on 7/19/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\PROGRAM FILES\README MEMO CURB\DENTCASHPLATFORM.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RUNWIN32.EXE
    C:\PROGRAM FILES\PALM\HOTSYNC.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\D2KNDR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://look-today.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://look-today.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html?http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://look-today.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://look-today.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://look-today.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [Mscnt] c:\windows\system\mscnt.exe /noconnect
    O4 - HKLM\..\Run: [seek obj] C:\PROGRA~1\README~1\DentCashPlatform.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
    O4 - HKCU\..\Run: [dllhelp] c:\windows
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: Enjoy It (HKLM)
    O9 - Extra 'Tools' menuitem: Enjoy It (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//ndrs/main.chm::/load.exe

    Ièm sure that itès as bad as I think, but i just donèt want to have to do a format and reinstall on this machine, especially because the friend really does not know what they need saved. Ièm an advocate of a good formating, but just not in the mood. And it seems the french keyboard function is turned on and now I look like I cannot type...grrrr

    Thanks in advance to anyone that can help me out.

    Stone
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI themightystone

    First of all you have a trojan on your computer:

    O4 - HKLM\..\Run: [Mscnt] c:\windows\system\mscnt.exe /noconnect <------ trojan: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MOSCENT.A

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    Ad-aware *
    Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system and go on to Step 2 below.


    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system .

    Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
    Then browse to the C:\Windows\Temp folder and delete all files in it.
    Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  3. themightystone

    themightystone Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    2
    I followed your directions as best I could, seems that you thought I was operating in XP, when I am actually in Win 98. Anyhow, I seem to still be getting a reoccurence of the look today pest. Here is the log

    Scan saved at 11:45:58 PM, on 7/20/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\README MEMO CURB\DENTCASHPLATFORM.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RUNWIN32.EXE
    C:\PROGRAM FILES\PALM\HOTSYNC.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html?http://about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [seek obj] C:\PROGRA~1\README~1\DentCashPlatform.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
    O4 - HKCU\..\Run: [dllhelp] c:\windows
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: Enjoy It (HKLM)
    O9 - Extra 'Tools' menuitem: Enjoy It (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//ndrs/main.chm::/load.exe

    As before, Norton is fully updated, Ad aware is fully updated. NAV detects nothing, but ad aware keeps finding new friends. More instructions or thoughts .

    Stone
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi Stone,

    I am "baffled" you still have some "crap" on your computer !

    Download cwshredder here Close all browser windows and click on the fix/next button.

    Press Ctrl+Alt+Del and 'end task' on any of the follow that are present:

    DentCashPlatform.exe
    winspool.exe
    runwin32.exe
    WINPROC32.EXE

    Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked.
    Make sure all browser and all Windows Explorer windows are closed before fixing

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/i...p://about:blank

    O4 - HKLM\..\Run: [seek obj] C:\PROGRA~1\README~1\DentCashPlatform.exe

    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe

    O4 - HKCU\..\Run: [dllhelp] c:\windows

    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe

    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//ndrs/main.chm::/load.exe

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\PROGRA~1\README~1\DentCashPlatform.exe
    C:\WINDOWS\System\winspool.exe
    C:\WINDOWS\runwin32.exe
    C:\WINDOWS\SYSTEM32\WINPROC32.EXE

    Then reboot and use UPDATED AdAware as described :
    HERE

    Now, empty your TEMP Folder / Temporary Internet Files Folder and then empty your "Recycle Bin" and reboot.

    run HIjackThis again and pls.post a FRESH log.
     
Thread Status:
Not open for further replies.