new here, new problem

Discussion in 'SpywareBlaster & Other Forum' started by bemused, Aug 31, 2003.

Thread Status:
Not open for further replies.
  1. bemused (Registered Member; joined Aug 31, 2003; posts: 3; location: Salem, MA)

    Hiya... found this forum as the result of a problem that's developed on my puter since installing SpywareBlaster 2.6 & SpywareGuard 2.2. I've looked thru several dozen of the threads here, and didn't find a problem similar to mine, so thought I'd hit you with it.

    First: I'm not entirely convinced that SB or SG is the culprit; I also installed Ad-Aware 6.0 and iWon's PopUp Swatter during the same session...

    Here's what's been happening, hope you can help me sort it out--

    Whenever I boot up, a browser window automatically opens w/ a URL of http:///U. Not surprisingly, it doesn't come up w/ a page...

    In addition, I get massive numbers of pop-ups... EVEN IF I DON'T HAVE MY BROWSER OPEN (I have a constant-on DSL connection)... something that never happened before.

    Also, my taskbar frequently doesn't appear (I use the "auto-hide" feature), or-- if it does show up-- is very slow to react when I mouse over it.

    I am running Win98SE, IE6.0 as my browser.

    Once this problem appeared, I ran Spybot S&D, Ad-Aware, and ensured that all the choices in SB were selected. No change. Then, I uninstalled all of the above (as well as the iWon PopUp Swatter)... to no avail. Reinstalled all of them, one at a time, removed the spyware / adware that was indicated... ditto.

    After finding this site (which is great, btw), and reading thru some of the posts, I downloaded and ran the CWShredder (not present, it seems), and Hijack This. If it helps, here's the log from the latter:

    Logfile of HijackThis v1.96.4
    Scan saved at 10:10:54 PM, on 8/31/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
    C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\TWEAKMASTER\TWMASTER.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\E_S0HIC1.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MEDIA\MEDIA\UPDATESTATS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\BUNL.EXE
    C:\WINDOWS\SYSTEM\ITU0X69I.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVICES\SIDEWI~1.EXE
    C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 98\QSHELF98.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\FREECELL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 66.135.208.87 pages.ebay.com
    O1 - Hosts: 207.44.152.117 www.mtv411.com
    O1 - Hosts: 207.171.181.16 www.amazon.com
    O1 - Hosts: 66.135.194.135 search.ebay.com
    O1 - Hosts: 64.95.118.42 www.epinions.com
    O1 - Hosts: 216.73.86.90 ad.doubleclick.net
    O1 - Hosts: 64.105.205.186 www.consudem.com
    O1 - Hosts: 213.26.57.113 www.motorcycle-motonline.com
    O1 - Hosts: 212.239.37.75 www.motonline.com
    O1 - Hosts: 212.239.37.69 ads.motonline.com
    O1 - Hosts: 64.77.21.152 www.sportbikereview.com
    O1 - Hosts: 193.10.250.156 www.solace.mh.se
    O1 - Hosts: 65.125.171.200 www.mcnews.com
    O1 - Hosts: 64.70.10.86 img.mediaplex.com
    O1 - Hosts: 66.96.195.99 www.aboutstreetbikes.com
    O1 - Hosts: 209.234.66.40 www.sportbikes.dhs.org
    O1 - Hosts: 208.179.57.123 www.motorcycle.com
    O1 - Hosts: 64.49.254.211 www.esportbike.com
    O1 - Hosts: 12.8.126.136 www.2wf.com
    O1 - Hosts: 66.70.189.18 www.rrzone.com
    O1 - Hosts: 216.156.210.71 www.airtech-streamlining.com
    O1 - Hosts: 212.159.8.1 www.bmdesigns.co.uk
    O1 - Hosts: 206.105.10.254 www.atvsandmotorcycles.com
    O1 - Hosts: 65.213.230.38 adcache.cycletrader.com
    O1 - Hosts: 65.213.230.82 www.cycletrader.com
    O1 - Hosts: 65.214.39.7 www.ask.com
    O1 - Hosts: 65.214.39.242 web.ask.com
    O1 - Hosts: 204.117.194.46 www.motorcycleshopper.com
    O1 - Hosts: 66.135.192.148 cgi.ebay.com
    O1 - Hosts: 212.187.153.20 www.guardian.co.uk
    O1 - Hosts: 212.187.153.203 ads.guardian.co.uk
    O1 - Hosts: 208.45.172.46 cf.local6.com
    O1 - Hosts: 66.221.150.220 www.sport-touring.net
    O1 - Hosts: 205.214.94.117 www.nestreetriders.com
    O1 - Hosts: 207.46.182.140 www.expedia.com
    O1 - Hosts: 66.77.74.20 www.alltheweb.com
    O1 - Hosts: 66.77.74.32 click.alltheweb.com
    O1 - Hosts: 64.55.29.163 www.massport.com
    O1 - Hosts: 129.33.119.130 www.tsa.gov
    O1 - Hosts: 216.239.53.99 www.google.com
    O1 - Hosts: 151.193.204.72 www.usairways.com
    O1 - Hosts: 151.193.163.8 www.virtuallythere.com
    O1 - Hosts: 208.45.133.106 sports.iwon.com
    O1 - Hosts: 216.39.69.70 view.atdmt.com
    O1 - Hosts: 208.45.133.136 my.iwon.com
    O1 - Hosts: 168.143.179.114 images.x10.com
    O1 - Hosts: 217.160.31.195 security.kolla.de
    O1 - Hosts: 194.30.32.194 www.pandasoftware.com
    O1 - Hosts: 216.12.211.221 shinobiresources.com
    O1 - Hosts: 65.54.249.126 v4.windowsupdate.microsoft.com
    O1 - Hosts: 205.180.85.71 media31.fastclick.net
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TWEAKBHO.DLL
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {A17C83C0-D32D-11D7-AB3B-00045A6AFCA6} - (no file)
    O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\2.BIN\IWONBAR.DLL
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] systray.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
    O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\EasyKey.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRAM FILES\TWEAKMASTER\TWMASTER.EXE" /auto
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\SYSTEM\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [52B3ET3393RCNC] C:\WINDOWS\SYSTEM\Yan1K.exe
    O4 - HKLM\..\Run: [IEDriver] C:\Program Files\Internet Explorer\IEXPLORE.EXE /U
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SIDEWI~1.EXE
    O4 - Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37737.2940972222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} - http://216.93.172.116/sub2bc.exe
    O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab

    Any help / suggestions / voodoo would be greatly appreciated...
     
  2. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; posts: 13,331; location: Netherlands)

    Hi bemused,

    Welcome at Wilders. :)

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 216.73.86.90 ad.doubleclick.net
    O1 - Hosts: 208.45.133.106 sports.iwon.com
    O1 - Hosts: 208.45.133.136 my.iwon.com
    O1 - Hosts: 205.180.85.71 media31.fastclick.net
    You could also consider changing the IP addresses for the O1 items above to 127.0.0.1 in your hosts file.
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
    O3 - Toolbar: (no name) - {A17C83C0-D32D-11D7-AB3B-00045A6AFCA6} - (no file)
    O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\2.BIN\IWONBAR.DLL
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [52B3ET3393RCNC] C:\WINDOWS\SYSTEM\Yan1K.exe
    Unless you know what it's for. I couldn't find anything conclusive about it. If you don't know it, I would appreciate a copy to the mail address in my profile.
    O4 - HKLM\..\Run: [IEDriver] C:\Program Files\Internet Explorer\IEXPLORE.EXE /U
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
    O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} - http://216.93.172.116/sub2bc.exe


    Reboot after doing so, preferably into safe mode and delete:
    C:\Program Files\Media\Media <= entire folder
    C:\PROGRAM FILES\IWON <= entire folder
    http://www.doxdesk.com/parasite/Aornum.html

    Other things I advised to remove:
    http://www.searchandclick.com/privacy.php
    http://www.doxdesk.com/parasite/Transponder.html
    http://www.statblaster.com/

    Quite honestly I'm puzzled by this entry:
    O4 - HKLM\..\Run: [IEDriver] C:\Program Files\Internet Explorer\IEXPLORE.EXE /U
    IEDriver is a startupname used by Cydoor, but this one is pointing to the correct location of Iexplore.exe o_O
    Mail me a copy of that one too please. It could have been tampered with.

    Regards,

    Pieter
     
  3. bemused (Registered Member; joined Aug 31, 2003; posts: 3; location: Salem, MA)

    Thanx, Pieter, for the speedy & detailed reply!

    I am one of those most dangerous of creatures… the semi-computer-literate user. As a result, I have a little bit of an idea what you’re suggesting I do here… but have a few questions I’d like to ask before I dig in and root out this problem I have. If you don’t mind me taking a bit more of your time…?

    1. is there any suggestion as to where this problem came from? I’m pretty certain that SB wasn’t the culprit, but now I’m curious what caused it. I see that you’re recommending that I remove several iWon files / folders… does this mean that the iWon PopUp Swatter (part of their Copilot taskbar) was the program that opened the door? I use iWon as my homepage, and never had any previous problems w/ it prior to the PUS install, and I’d like to let ‘em know if that’s where the problem originated.

    2. are my woes caused by a “browser hijacker”?

    3. you suggest changing the IP address for several of the items on the HijackThis listing… what would be the advantage to that?

    4. you asked that I mail you a copy of a couple of the items… I’m happy to comply, but not entirely sure what you’re looking for. Do you just want me to copy the files indicated to an email?

    5. are the hyperlinks in your answer sites I should visit prior to performing the fixes you suggest? Or do they just appear as links because of a feature of this forum’s software?

    Once again, thanks for setting my mind to ease (and satisfying my curiosity)… it’s gonna be nice to have control of my puter again!
     
  4. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; posts: 13,331; location: Netherlands)

    Hi bemused,

    1. I hate to be the bearer of bad news, but iWon is considered spyware.

    2. Yes, you were hijacked by the Booked space/Remanent variant of Transponder

    3. Changing the IP address to 127.0.0.1 (your own computer) would prevent you from ever reaching those pages again: http://www.accs-net.com/hosts/how_to_use_hosts.html

    4. Yes. Please attach copies of the requested files to an email.

    5. The last four links, starting with the one in italics, were posted to explain why I suggested you take the advised actions. No need to visit them; I just imagined you might be curious about the why.

    This entry: O4 - HKLM\..\Run: [IEDriver] C:\Program Files\Internet Explorer\IEXPLORE.EXE /U is undoubtedly the one responsible for IE opening a useless window, but I am as puzzled as you are as to how it got there.

    Regards,

    Pieter
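The triage above was done by eye: hosts-file lines pinning names to remote addresses, an ActiveX download from a bare IP address, rundll32 autostarts loading DLLs dropped into C:\WINDOWS, and the 127.0.0.1 sinkhole trick for ad hosts. The script below is an added example (not code from the thread, from HijackThis, or from any of the products named) that mechanizes those same checks over a log in this format. The heuristics are my own and deliberately simple; the sample log is a constructed subset of the lines posted above, and the function and regex names are mine.

```python
"""Triage a HijackThis-style log (added example; heuristics are this
example's own, not HijackThis's or the forum's):
  * O1  - hosts lines that send a public name to a real remote address,
  * O16 - ActiveX (Downloaded Program Files) fetched from a bare IP or as .exe,
  * O4  - rundll32 autostarts loading a DLL sitting directly in C:\\WINDOWS,
plus a helper that emits 127.0.0.1 sinkhole lines for names to block.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted in the thread, same format.
SAMPLE_LOG = r"""
O1 - Hosts: 216.239.53.99 www.google.com
O1 - Hosts: 216.73.86.90 ad.doubleclick.net
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} - http://216.93.172.116/sub2bc.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
DPF_RE = re.compile(r"^O16 - DPF:.*\s(https?://\S+)\s*$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)', re.I)
# A DLL directly under the Windows directory: not SYSTEM, not Program Files.
WINDOWS_ROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)


def parse_hosts_entries(log_text):
    """Return (ip, hostname) pairs from the O1 lines, in log order."""
    pairs = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            pairs.append(m.groups())
    return pairs


def is_sinkhole(ip_text):
    """True for 127.0.0.1 / ::1 / 0.0.0.0 style blocking entries."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def suspicious_hosts(log_text):
    """O1 entries that send a name to a remote address.  The hosts file
    overrides DNS, so whoever wrote these lines decides where www.google.com
    or windowsupdate really goes; review all of them, not just ad servers."""
    return [(ip, host) for ip, host in parse_hosts_entries(log_text)
            if not is_sinkhole(ip)]


def sinkhole_lines(names):
    """Hosts lines that block the given names (the 127.0.0.1 advice above).
    Use for ad/tracking hosts only; hijacked entries for sites you actually
    use should be deleted so normal DNS resolves them again."""
    return [f"127.0.0.1\t{name}" for name in names]


def suspicious_dpf(log_text):
    """O16 entries whose ActiveX payload comes from a bare IP address or is a
    raw .exe rather than a .cab served from a vendor hostname."""
    hits = []
    for line in log_text.splitlines():
        m = DPF_RE.match(line.strip())
        if not m:
            continue
        url = m.group(1)
        parsed = urlparse(url)
        try:
            ipaddress.ip_address(parsed.hostname or "")
            bare_ip = True
        except ValueError:
            bare_ip = False
        if bare_ip or parsed.path.lower().endswith(".exe"):
            hits.append(url)
    return hits


def suspicious_rundll_autostarts(log_text):
    """O4 autostarts that use rundll32 to run a DLL sitting directly in the
    Windows directory.  A weak signal on its own (inspect the file), but
    system DLLs live in SYSTEM and vendors install under Program Files."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O4 - "):
            continue
        m = RUNDLL_RE.search(line)
        if m and WINDOWS_ROOT_DLL.match(m.group(1)):
            hits.append(line)
    return hits


def triage(log_text):
    """Run all three checks and return the findings keyed by check."""
    return {"hosts": suspicious_hosts(log_text),
            "dpf": suspicious_dpf(log_text),
            "rundll": suspicious_rundll_autostarts(log_text)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
    print("\n".join(sinkhole_lines(["ad.doubleclick.net"])))
```

Run it as-is to see the findings for the constructed sample, or feed it a saved HijackThis log instead of SAMPLE_LOG. The hosts check reports every non-loopback entry on purpose: in the log above it is the pinned www.google.com and v4.windowsupdate.microsoft.com lines, not the ad servers, that should worry you most, because whoever controls those addresses controls what "Google" and "Windows Update" serve to this machine.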
     
  5. bemused (Registered Member; joined Aug 31, 2003; posts: 3; location: Salem, MA)

    Hiya, Pieter-

    You're a star... now that you've answered my questions, I'm happy to delve in and take care of this little problem of mine. And I am curious about some of the "why"s and "wherefore"s of this, so I'll see what those links you provided lead me to.

    I'll probably take care of this tonight, when I get home from work-- and mail you those files-- so I'll let you know then how this works out. And... I guess that I'll be looking for a new homepage... even though I still haven't won the $10,000 that iWon gives away every day... ;)

    Again, many thanx! :D
     
  6. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; posts: 13,331; location: Netherlands)

    Glad to help, bemused.
    I think the only steady winner at iWon is the management. ;)

    Regards,

    Pieter
     