Lots of spyware Help!!

Discussion in 'adware, spyware & hijack cleaning' started by bandonisp, Apr 7, 2004.

Thread Status:
Not open for further replies.
  1. bandonisp

    bandonisp Registered Member

    Joined:
    Feb 24, 2004
    Posts:
    53
    Location:
    Bandon, Oregon
    Have run adware and sbybot. I am using Mozilla browser to ge to the internet. IE will not work.
    Here is the log!! Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 12:05:20 PM, on 4/7/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\SYSTEM\DDHELP.EXE
    C:\WINDOWS.000\EXPLORER.EXE
    C:\WINDOWS.000\TASKMON.EXE
    C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS.000\RUNDLL32.EXE
    C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
    C:\HIGHJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS.000\APPLICATION DATA\IEEA\IEEA.DLL
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS.000\APPLICATION DATA\IEEA\MSIESH.DLL
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS.000\APPLICATION DATA\IEEA\MSSEARCH.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS.000\IMAGE.DLL,Install
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS.000\IMAGE.DLL,Install
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Locators.com Search Bar (HKLM)
    O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_99/QDow.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,452
    Location:
    North Carolina, USA
    Hi bandonisp,

    Welcome to Wilders.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS.000\APPLICATION DATA\IEEA\IEEA.DLL
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS.000\APPLICATION DATA\IEEA\MSIESH.DLL
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS.000\APPLICATION DATA\IEEA\MSSEARCH.DLL

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

    O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS.000\IMAGE.DLL,Install

    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS.000\IMAGE.DLL,Install

    O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)

    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_99/QDow.cab

    Download CWShredder and run. A new version was released today. Be sure ALL other windows are closed use the Fix button and follow the instructions you will receive.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    mshp.dll <-- You may have to do a search for this file.
    C:\PROGRA~1\TOOLBAR\ <-- entire folder
    C:\WINDOWS.000\APPLICATION DATA\IEEA\ <-- entire folder
    C:\WINDOWS.000\IMAGE.DLL

    Reboot and then post a fresh HijackThis log.

    I also urge you to Keep your copy of Windows up to date by going HERE. This will help cut down on your chances of reinfestation.

    Some tips and links that will help you stay safe on-line can be found HERE.

    And here is a good read about how to be better protected : Click Me.

    Regards,
    Kent
     
  3. bandonisp

    bandonisp Registered Member

    Joined:
    Feb 24, 2004
    Posts:
    53
    Location:
    Bandon, Oregon
    IE is working thanks much to the Forum. Many thanks.
    Here is are fresh log. We did alll of the above.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:42:57 PM, on 4/7/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS.000\SYSTEM\DDHELP.EXE
    C:\WINDOWS.000\EXPLORER.EXE
    C:\WINDOWS.000\TASKMON.EXE
    C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
    C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
    C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
    C:\WINDOWS.000\SYSTEM\PSTORES.EXE
    C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
    C:\WINDOWS.000\SYSTEM\LEXBCES.EXE
    C:\WINDOWS.000\SYSTEM\RPCSS.EXE
    C:\WINDOWS.000\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\HIGHJACK\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://3rs.homestead.com/onramp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = members.connectto.net
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\PROGRAM FILES\SURFAPPS.COM\POPTHIS! FREE VERSION\POPTHIS.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=members.connectto.net
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,452
    Location:
    North Carolina, USA
    Hi bandonisp,

    Your log looks clean now.

    Regards,
    Kent
     
Thread Status:
Not open for further replies.