offer optimizer - powerscan, ist etc. (merged)

Discussion in 'adware, spyware & hijack cleaning' started by jpm400, May 22, 2004.

Thread Status:
Not open for further replies.
  1. jpm400

    jpm400 Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    offer optimizer

    I recently had my Windows 2000 / IE6 machine hijacked. Ad-aware has apparently removed all but one intrusion (Offer Optimizer / xlime). I now find slimy pop-up AOL ads etc. and high CPU usage while on the net. Here again the line between good business practice (advertising) and loathsome deception is blurred. There is also a real tinge of decaying privacy and freedom in this matter that seems somehow indicative of the tenor of the times, but I digress.
    Any help is appreciated!

    Logfile of HijackThis v1.97.7
    Scan saved at 10:08:22 AM, on 5/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\NVATray.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/vzn.isp/welcome.htm?ver=12191&
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.verizon.net/vzn.isp/welcome.htm?ver=12191&
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\2\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink2000.com/sites/_files/wfica.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2709203fe8ce1a042418/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.2917939815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Re: offer optimizer

    Hi jpm400,

    Have only HijackThis running and fix:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll

    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2709203...ip/RdxIE601.cab

    Restart the PC after doing so and remove:

    C:\WINNT\alchem.exe <- this file

    Clean temporary internet files.

    Hope this helps

    Cheers,
     
  3. jpm400

    jpm400 Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Re: offer optimizer

    Unzy
    Followed your instructions and the pop-ups seem to be gone.

    Good job, great site. Thanks.
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Re: offer optimizer

    Ah that's good to hear :)

    Glad we were able to help and good job cleaning up

    Take care

    Cheers,
     
  5. jpm400

    jpm400 Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    powerscan ,ist etc.

    Hello,
    After clearing Offer Optimizer, PowerScan, the XXX toolbar and the homepage hijacker last weekend, they have all returned. I have attempted some research into a fix with no end in sight. Any help is appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:34:15 PM, on 5/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\NVATray.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
    C:\WINNT\system32\kfclwc.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\ClockSync\Sync.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis527\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/vzn.isp/welcome.htm?ver=12191&
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.verizon.net/vzn.isp/welcome.htm?ver=12191&
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [rmeswwyijemwp] C:\WINNT\system32\kfclwc.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\2\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink2000.com/sites/_files/wfica.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.2917939815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jpm400,

    Since your last posted HJT log is related to your previous problems (the same infection returning), I have merged the two threads so those helping you will see what has already been fixed to date.

    Regards,

    snap
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: powerscan ,ist etc.

    Hi jpm400,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll

    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"

    O4 - HKLM\..\Run: [rmeswwyijemwp] C:\WINNT\system32\kfclwc.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe

    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe

    Then reboot into safe mode and delete:
    C:\Program Files\ISTsvc <= entire folder
    C:\WINNT\alchem.exe
    C:\Program Files\ClockSync <= entire folder

    Regards,

    Pieter
     
  8. jpm400

    jpm400 Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Hello
    I followed the instructions but I still find problems.
    I ran Ad-aware a series of times, rebooting between each run. I ran it twice each time, the second pass finding nothing.
    I then ran Spybot, which found DSO Exploit and VX2/f. It did not clear DSO Exploit after several tries.
    I also see kfclwc.exe always running in Task Manager.
    I have been troubled by ISTbar.slotch, PowerScan, DyFuCA, Internet Optimizer, xlime, DSO Exploit, WhenUClock etc.
    I foolishly installed an uninstall program (.exe) offered by PowerScan to rid me of its embarrassment. Now I have a host of returning #$%^



    First pass
    Ad-aware 6 Scanning Result, 5-27-2004 6:43:14 PM
    Created with Ad-aware Personal, free for private use.
    Vendor | Type | Category | Object
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\
    StopPop | RegKey | Data Miner | HKEY_CLASSES_ROOT:Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_LOCAL_MACHINE:SOFTWARE\twaintec\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:TwaintecDll.TwaintecDllObj.1\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:vx2.vx2obj\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}\
    VX2.BetterInternet | File | Data Miner | c:\docume~1\admini~1\locals~1\temp\dummy.htm
    VX2.BetterInternet | File | Data Miner | c:\winnt\twaintec.dll

    Second time
    Ad-aware 6 Scanning Result, 5-27-2004 7:14:23 PM
    Created with Ad-aware Personal, free for private use.
    Vendor | Type | Category | Object
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\
    StopPop | RegKey | Data Miner | HKEY_CLASSES_ROOT:Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_LOCAL_MACHINE:SOFTWARE\twaintec\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:TwaintecDll.TwaintecDllObj.1\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:vx2.vx2obj\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}\
    VX2.BetterInternet | File | Data Miner | c:\docume~1\admini~1\locals~1\temp\dummy.htm
    VX2.BetterInternet | File | Data Miner | c:\docume~1\admini~1\locals~1\temp\twaintec.ini
    VX2.BetterInternet | File | Data Miner | c:\docume~1\admini~1\locals~1\temp\twtini.cab
    VX2.BetterInternet | File | Data Miner | c:\docume~1\admini~1\locals~1\temp\twtini.inf
    VX2.BetterInternet | File | Data Miner | c:\winnt\inf\twtini.inf
    VX2.BetterInternet | File | Data Miner | c:\winnt\twaintec.dll
    VX2.BetterInternet | File | Data Miner | c:\winnt\twaintec.ini

    Third time
    Ad-aware 6 Scanning Result, 5-27-2004 8:21:37 PM
    Created with Ad-aware Personal, free for private use.
    Vendor | Type | Category | Object
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\
    StopPop | RegKey | Data Miner | HKEY_CLASSES_ROOT:Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_LOCAL_MACHINE:SOFTWARE\twaintec\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:TwaintecDll.TwaintecDllObj.1\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_CLASSES_ROOT:vx2.vx2obj\
    VX2.BetterInternet | RegKey | Data Miner | HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}\
    VX2.BetterInternet | File | Data Miner | c:\docume~1\admini~1\locals~1\temp\dummy.htm
    VX2.BetterInternet | File | Data Miner | c:\winnt\twaintec.dll

    Fourth time
    Ad-aware 6 Scanning Result, 5-27-2004 8:48:55 PM
    Created with Ad-aware Personal, free for private use.
    Vendor | Type | Category | Object
    VX2.BetterInternet | RegKey | Data Miner | HKEY_LOCAL_MACHINE:SOFTWARE\twaintec\
    VX2.BetterInternet | File | Data Miner | c:\docume~1\admini~1\locals~1\temp\dummy.htm
    VX2.BetterInternet | File | Data Miner | c:\winnt\twaintec.dll

    Lastly I ran a HijackThis log.
    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:01 PM, on 5/27/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\NVATray.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\kfclwc.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\unzipped\hijackb\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/vzn.isp/welcome.htm?ver=12191&
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.verizon.net/vzn.isp/welcome.htm?ver=12191&
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [gxavqkrelas] C:\WINNT\system32\kfclwc.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\2\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink2000.com/sites/_files/wfica.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.2917939815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks for the help!
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jpm400,

    Kill this process in TaskManager: C:\WINNT\system32\kfclwc.exe
    and delete the file.

    Then have HijackThis fix:
    O4 - HKLM\..\Run: [gxavqkrelas] C:\WINNT\system32\kfclwc.exe
    or any other line trying to start that file.

    Then reboot, do another scan and post a new log.

    Regards,

    Pieter
     
  10. jpm400

    jpm400 Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Hello,

    Thanks as always for replying. I have deleted kfclwc.exe and followed up as instructed. All went well; here is my new log.
    Logfile of HijackThis v1.97.7
    Scan saved at 5:33:59 PM, on 5/28/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\NVATray.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\WINNT\system32\rundll32.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackb\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/vzn.isp/welcome.htm?ver=12191&
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.verizon.net/vzn.isp/welcome.htm?ver=12191&
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\2\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink2000.com/sites/_files/wfica.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.2917939815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jpm400,

    You managed to find another new one, but at least we got rid of the stubborn one.

    Check the following item in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll

    Please read How did this happen and can I prevent it?

    Regards,

    Pieter
     
  12. jpm400

    jpm400 Registered Member

    Joined:
    May 21, 2004
    Posts:
    6
    Hello,
    Well, the BHO (no name) / twaintec.dll file has gone away or is well hid at this time. I ran Ad-aware again and found a single VX2/f file, and let Ad-aware fix it again. Over the next 24 hours I did several shutdowns, resets, power-offs etc. and there has been no sign of any unsolicited programming. There is a marked improvement in web performance (speed) and things are looking real good.
    My thanks to all who have involved themselves and me in cleaning this up, since as a newcomer to the field I have enjoyed learning a little about things also. Good luck, Jim M.
     