new here, new problem

Hiya... found this forum as the result of a problem that's developed on my puter since installing SpywareBlaster 2.6 & SpywareGuard 2.2. I've looked thru several dozen of the threads here, and didn't find a problem similar to mine, so thought I'd hit you with it.

First: I'm not entirely convinced that SB or SG is the culprit; I also installed Ad-Aware 6.0 in iWon's PopUp Swatter during the same session...

Here's what's been happening, hope you can help me sort it out--

Whenever I boot up, a browser window automatically opens w/ a URL of http:///U. Not surprisingly, it doesn't come up w/ a page...

In addition, I get massive numbers of pop-ups... EVEN IF I DON'T HAVE MY BROWSER OPEN (I have a constant-on DSL connection)... something that never happened before.

Also, my taskbar frequently doesn't appear (I use the "auto-hide" feature), or-- if it does show up-- is very slow to react when I mouse over it.

I am running Win98SE, IE6.0 as my browser.

Once this problem appeared, I ran Spybot S&D, Ad-Aware, and ensured that all the choices in SB were selected. No change. Then, I uninstalled all of the above (as well as the iWon PopUp Swatter)... to no avail. Reinstalled all of them, one at a time, removed the spyware / adware that was indicated... ditto.

After finding this site (which is great, btw), and reading thru some of the posts, I downloaded and ran the CWShredder (not present, it seems), and Hijack This. If it helps, here's the log from the latter:

Logfile of HijackThis v1.96.4
Scan saved at 10:10:54 PM, on 8/31/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TWEAKMASTER\TWMASTER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\E_S0HIC1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MEDIA\MEDIA\UPDATESTATS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\BUNL.EXE
C:\WINDOWS\SYSTEM\ITU0X69I.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVICES\SIDEWI~1.EXE
C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 98\QSHELF98.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\FREECELL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.135.208.87 pages.ebay.com
O1 - Hosts: 207.44.152.117 www.mtv411.com
O1 - Hosts: 207.171.181.16 www.amazon.com
O1 - Hosts: 66.135.194.135 search.ebay.com
O1 - Hosts: 64.95.118.42 www.epinions.com
O1 - Hosts: 216.73.86.90 ad.doubleclick.net
O1 - Hosts: 64.105.205.186 www.consudem.com
O1 - Hosts: 213.26.57.113 www.motorcycle-motonline.com
O1 - Hosts: 212.239.37.75 www.motonline.com
O1 - Hosts: 212.239.37.69 ads.motonline.com
O1 - Hosts: 64.77.21.152 www.sportbikereview.com
O1 - Hosts: 193.10.250.156 www.solace.mh.se
O1 - Hosts: 65.125.171.200 www.mcnews.com
O1 - Hosts: 64.70.10.86 img.mediaplex.com
O1 - Hosts: 66.96.195.99 www.aboutstreetbikes.com
O1 - Hosts: 209.234.66.40 www.sportbikes.dhs.org
O1 - Hosts: 208.179.57.123 www.motorcycle.com
O1 - Hosts: 64.49.254.211 www.esportbike.com
O1 - Hosts: 12.8.126.136 www.2wf.com
O1 - Hosts: 66.70.189.18 www.rrzone.com
O1 - Hosts: 216.156.210.71 www.airtech-streamlining.com
O1 - Hosts: 212.159.8.1 www.bmdesigns.co.uk
O1 - Hosts: 206.105.10.254 www.atvsandmotorcycles.com
O1 - Hosts: 65.213.230.38 adcache.cycletrader.com
O1 - Hosts: 65.213.230.82 www.cycletrader.com
O1 - Hosts: 65.214.39.7 www.ask.com
O1 - Hosts: 65.214.39.242 web.ask.com
O1 - Hosts: 204.117.194.46 www.motorcycleshopper.com
O1 - Hosts: 66.135.192.148 cgi.ebay.com
O1 - Hosts: 212.187.153.20 www.guardian.co.uk
O1 - Hosts: 212.187.153.203 ads.guardian.co.uk
O1 - Hosts: 208.45.172.46 cf.local6.com
O1 - Hosts: 66.221.150.220 www.sport-touring.net
O1 - Hosts: 205.214.94.117 www.nestreetriders.com
O1 - Hosts: 207.46.182.140 www.expedia.com
O1 - Hosts: 66.77.74.20 www.alltheweb.com
O1 - Hosts: 66.77.74.32 click.alltheweb.com
O1 - Hosts: 64.55.29.163 www.massport.com
O1 - Hosts: 129.33.119.130 www.tsa.gov
O1 - Hosts: 216.239.53.99 www.google.com
O1 - Hosts: 151.193.204.72 www.usairways.com
O1 - Hosts: 151.193.163.8 www.virtuallythere.com
O1 - Hosts: 208.45.133.106 sports.iwon.com
O1 - Hosts: 216.39.69.70 view.atdmt.com
O1 - Hosts: 208.45.133.136 my.iwon.com
O1 - Hosts: 168.143.179.114 images.x10.com
O1 - Hosts: 217.160.31.195 security.kolla.de
O1 - Hosts: 194.30.32.194 www.pandasoftware.com
O1 - Hosts: 216.12.211.221 shinobiresources.com
O1 - Hosts: 65.54.249.126 v4.windowsupdate.microsoft.com
O1 - Hosts: 205.180.85.71 media31.fastclick.net
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TWEAKBHO.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {A17C83C0-D32D-11D7-AB3B-00045A6AFCA6} - (no file)
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\2.BIN\IWONBAR.DLL
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\EasyKey.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRAM FILES\TWEAKMASTER\TWMASTER.EXE" /auto
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\SYSTEM\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [52B3ET3393RCNC] C:\WINDOWS\SYSTEM\Yan1K.exe
O4 - HKLM\..\Run: [IEDriver] C:\Program Files\Internet Explorer\IEXPLORE.EXE /U
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SIDEWI~1.EXE
O4 - Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37737.2940972222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} - http://216.93.172.116/sub2bc.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab

Any help / suggestions / voodoo would be greatly appreciated...

 

Hi bemused,

Welcome at Wilders.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.73.86.90 ad.doubleclick.net
O1 - Hosts: 208.45.133.106 sports.iwon.com
O1 - Hosts: 208.45.133.136 my.iwon.com
O1 - Hosts: 205.180.85.71 media31.fastclick.net
You could also consider changing the IP addresses for the O1 items above to 127.0.0.1 in your hosts file
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
O3 - Toolbar: (no name) - {A17C83C0-D32D-11D7-AB3B-00045A6AFCA6} - (no file)
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\2.BIN\IWONBAR.DLL
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [52B3ET3393RCNC] C:\WINDOWS\SYSTEM\Yan1K.exe
Unless you know what it's for. I couldn't find anything conclusive about it. If you don't know it, I would appreciate a copy to the mail-address in my profile
O4 - HKLM\..\Run: [IEDriver] C:\Program Files\Internet Explorer\IEXPLORE.EXE /U
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} - http://216.93.172.116/sub2bc.exe


Reboot after doing so, preferably into safe mode and delete:
C:\Program Files\Media\Media <= entire folder
C:\PROGRAM FILES\IWON <= entire folder
http://www.doxdesk.com/parasite/Aornum.html

Other things I advised to remove:
http://www.searchandclick.com/privacy.php
http://www.doxdesk.com/parasite/Transponder.html
http://www.statblaster.com/

Quite honestly I'm puzzled by this entry:
O4 - HKLM\..\Run: [IEDriver] C:\Program Files\Internet Explorer\IEXPLORE.EXE /U
IEDriver is a startupname used by Cydoor, but this one is pointing to the correct location of Iexplore.exe
Mail me a copy of that one too please. It could have been tampered with.

Regards,

Pieter

 

Thanx, Pieter, for the speedy & detailed reply!

I am one of those most dangerous of creatures… the semi-computer-literate user. As a result, I have a little bit of an idea what you’re suggesting I do here… but have a few questions I’d like to ask before I dig in and root out this problem I have. If you don’t mind me taking a bit more of your time…?

1. is there any suggestion as to where this problem came from? I’m pretty certain that SB wasn’t the culprit, but now I’m curious what caused it. I see that you’re recommending that I remove several iWon files / folders… does this mean that the iWon PopUp Swatter (part of their Copilot taskbar) was the program that opened the door? I use iWon as my homepage, and never had any previous problems w/ it prior to the PUS install, and I’d like to let ‘em know if that’s where the problem originated.

2. are my woes caused by a “browser hijacker”?

3. you suggest changing the IP address for several of the items on the HijackThis listing… what would be the advantage to that?

4. you asked that I mail you a copy of a couple of the items… I’m happy to comply, but not entirely sure what you’re looking for. Do you just want me to copy the files indicated to an email?

5. are the hyperlinks in your answer sites I should visit prior to performing the fixes you suggest? Or do they just appear as links because of a feature of this forum’s software?

Once again, thanks for setting my mind to ease (and satisfying my curiosity)… it’s gonna be nice to have control of my puter again!

 

Hi bemused,

1. I hate to be the bearer of bad news, but iWon is considered spyware.

2. Yes, you were hijacked by the Booked space/Remanent variant of Transponder

3. Changing the IP address to 127.0.0.1 (your own computer) would prevent you from ever reaching those pages again: http://www.accs-net.com/hosts/how_to_use_hosts.html

4. Yes. Please attach copies of the requested files to an email.

5. The last four links, starting with the one in italics were posted to explain why I suggested you take the advised actions. No need to visit them, I just imagined you might be curious about the why.

This entry: O4 - HKLM\..\Run: [IEDriver] C:\Program Files\Internet Explorer\IEXPLORE.EXE /U is undoubtedly the one responsible for IE opening a useless window, but I am as puzzled as you are as to how it got there

Regards,

Pieter

 

Hiya, Pieter-

You're a star... now that you've answered my questions, I'm happy to delve in and take care of this little problem of mine. And I am curious about some of the "why"s and "wherefore"s of this, so I'll see what those links you provided lead me to.

I'll probably take care of this tonight, when I get home from work-- and mail you those files-- so I'll let you know then how this works out. And... I guess that I'll be looking for a new homepage... even though I still haven't won the $10,000 that iWon gives away every day...

Again, many thanx!

 

Glad to help, bemused.
I think the only steady winner at iWon is the management.

Regards,

Pieter