Please Help: AllAbout SpyWare (HiJack This log attached)

Discussion in 'adware, spyware & hijack cleaning' started by mcsefab, May 10, 2004.

Thread Status:
Not open for further replies.
  1. mcsefab

    mcsefab Registered Member

    Joined:
    May 10, 2004
    Posts:
    1
    I have read most of the threads on this board about this known issue. I appreciate your help in identifying what needs to be deleted.

    Thanks,

    Mark

    Logfile of HijackThis v1.97.7
    Scan saved at 8:32:14 AM, on 5/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\svchost.exe
    C:\Program Files\NavNT\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\ORL\VNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\RunDll32.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\RightFax\FaxCtrl.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\PROGRA~1\Save\Save.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\system32\MMTray.exe
    C:\WINNT\system32\MMTray2k.exe
    C:\WINNT\system32\MMTrayLSI.exe
    C:\WINNT\System32\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\wjview.exe
    C:\Program Files\DownloadWare\dw.exe
    C:\PROGRA~1\SENDDA~1\Amen cake.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\PROGRA~1\WEATHE~1\Weather.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\MSN Messenger\msmsgs.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\smclary\Application Data\Map Maker\MMManager.exe
    C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://corp.bayalarm.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    N3 - Netscape 7: user_pref("browser.startup.homepage", "allaboutsearching.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\SMCLARY\Application Data\Mozilla\Profiles\default\mvxowe5z.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\SMCLARY\Application Data\Mozilla\Profiles\default\mvxowe5z.slt\prefs.js)
    O1 - Hosts: ˜Kº˜Kº˜8º˜8º˜º˜º*º*ºÐ̺Ð̺°º°º¸º¸ºÀºÀºÈºÈºÐºÐºØºØºàºàºèºèºðºðºøºøº ˆººº˜º˜º*º*º¨º¨º°º°º¸º¸ºÀºÀºÈºÈºÐºÐºØºØºàºàºèºèºðºðºøºøº
    O1 - Hosts: º˜º˜º*º*º¨º¨º°º°º¸º¸ºÀºÀºÈºÈºÐºÐºØºØºàºàºèºèºðºðºøºøº
    O1 - Hosts: KzKzzz˜z˜z*z*zà»zà»z°z°z˜åz˜åzÀzÀzèÞz¸ýzààz°6¢ØzØzàzàzèzèzðzðzøzøz ˆzzz˜z˜z*z*z¨z¨z°z°z¸z¸zÀzÀzÈzÈzÐzÐzØzØzàzàzèzèzðzðzøzøz
    O1 - Hosts: z˜z˜z*z*z¨z¨z°z°zÈL¢ÈL¢ÀzÀzÈzÈzÐzÐzØzØzàzàzèzèzðzðzøzøz
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\Updates\XupiterToolbar.dll
    O3 - Toolbar: 2020 Search - {4E1075F4-EEC4-4a86-ADD7-CD5F52858C31} - C:\WINNT\2020SE~1.DLL
    O3 - Toolbar: two acid - {851B59AF-BE6A-5E6B-C53C-82A39919225B} - C:\PROGRA~1\WAITIN~1\Pure Fork.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\FaxCtrl.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup.exe
    O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
    O4 - HKLM\..\Run: [MMTray] MMTray.exe
    O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
    O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [Move Blue] C:\PROGRA~1\SENDDA~1\Amen cake.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo -aim
    O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\MSN Messenger\msmsgs.exe" /background
    O4 - Startup: SunClock5.lnk = C:\Documents and Settings\smclary\Application Data\Map Maker\MMManager.exe
    O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &RSDN Search - res://C:\WINNT\2020SE~1.DLL/GoRSDN.dll.htm
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
    O14 - IERESET.INF: START_PAGE_URL=http://corp.bayalarm.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29d9c97aff3b48045702/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37860.640787037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab
    O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://a1964.g.akamai.net/f/1964/2730/4h/www.whenu.com/SNDriveBy.cab
    O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bayalarm.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bayalarm.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bayalarm.com
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mcsefab,

    Go to Add/Remove Software and see if you can remove WhenUSave (aka SaveNow, aka Save!) there; either way, continue with the following.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

    O1 - Hosts: ˜Kº˜Kº˜8º˜8º˜º˜º*º*ºÐ̺Ð̺°º°º¸º¸ºÀºÀºÈºÈºÐºÐºØºØºàºàºèºèºðºðºøºøº ˆººº˜º˜º*º*º¨º¨º°º°º¸º¸ºÀºÀºÈºÈºÐºÐºØºØºàºàºèºèºðºðºøºøº
    O1 - Hosts: º˜º˜º*º*º¨º¨º°º°º¸º¸ºÀºÀºÈºÈºÐºÐºØºØºàºàºèºèºðºðºøºøº
    O1 - Hosts: KzKzzz˜z˜z*z*zà»zà»z°z°z˜åz˜åzÀzÀzèÞz¸ýzààz°6¢ØzØzàzàzèzèzðzðzøzøz ˆzzz˜z˜z*z*z¨z¨z°z°z¸z¸zÀzÀzÈzÈzÐzÐzØzØzàzàzèzèzðzðzøzøz
    O1 - Hosts: z˜z˜z*z*z¨z¨z°z°zÈL¢ÈL¢ÀzÀzÈzÈzÐzÐzØzØzàzàzèzèzðzðzøzøz
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch

    O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\Updates\XupiterToolbar.dll
    O3 - Toolbar: 2020 Search - {4E1075F4-EEC4-4a86-ADD7-CD5F52858C31} - C:\WINNT\2020SE~1.DLL
    O3 - Toolbar: two acid - {851B59AF-BE6A-5E6B-C53C-82A39919225B} - C:\PROGRA~1\WAITIN~1\Pure Fork.dll

    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe

    O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup.exe
    O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe

    O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
    O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [Move Blue] C:\PROGRA~1\SENDDA~1\Amen cake.exe

    O8 - Extra context menu item: &RSDN Search - res://C:\WINNT\2020SE~1.DLL/GoRSDN.dll.htm
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FIX19105/flash.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29d9c97aff3b48045702/netzip/RdxIE601.cab

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab
    O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://a1964.g.akamai.net/f/1964/2730/4h/www.whenu.com/SNDriveBy.cab
    O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab

    Download LSPfix here: http://www.cexx.org/lspfix.htm
    Launch the application, and click the "I know what I'm doing" checkbox.
    Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Then reboot into safe mode and delete:
    C:\Program Files\Xupiter <= entire folder
    c:\Program Files\Instant Access <= entire folder
    C:\Program Files\Srng <= entire folder
    C:\WINNT\Belt.exe
    C:\Program Files\WebSavingsfromEbates <= entire folder
    C:\Program Files\SwimSuitNetwork <= entire folder
    C:\Program Files\DownloadWare <= entire folder
    C:\Program Files\SENDDA~1 <= entire folder that holds Amen cake.exe

    Then do another scan with AdAware as described here: https://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
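The reply above boils down to three checks on the log: IE start/search pages pointing somewhere other than the company's own site, hosts-file lines that are either garbage or map search hostnames to a remote IP, and one unknown module sitting in several layers of the Winsock LSP chain. The script below (an added example, not part of the thread and not a HijackThis feature) parses a handful of lines copied from the posted log and applies exactly those checks; treating corp.bayalarm.com as the trusted home page is an assumption taken from the Default_Page_URL entry.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://corp.bayalarm.com
O1 - Hosts: ˜Kº˜Kº˜8º˜8º
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O1 - Hosts: ..."
HOSTS_RE = re.compile(r"^Hosts: (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")
LOOPBACK = {"127.0.0.1"}

def parse_log(text):
    """Return (section, body) for every HijackThis entry line; header lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def triage(text, trusted_hosts):
    """Return (section, reason, detail) findings. trusted_hosts is the caller's assumption
    about which hostnames legitimately belong in the IE home/search page entries."""
    findings, lsp_files = [], Counter()
    for section, body in parse_log(text):
        if section in ("R0", "R1"):                   # IE start/search page values
            key, _, value = body.partition(" = ")
            host = urlparse(value if "://" in value else "http://" + value).hostname
            if host and host not in trusted_hosts:
                findings.append((section, "browser page/search redirected",
                                 f"{key.rsplit(',', 1)[-1]} -> {host}"))
        elif section == "O1":                         # hosts file entries
            m = HOSTS_RE.match(body)
            if not m:
                findings.append((section, "malformed hosts entry", body[:20]))
            elif m.group(1) not in LOOPBACK:
                findings.append((section, "hosts file maps name to remote IP",
                                 f"{m.group(2)} -> {m.group(1)}"))
        elif section == "O10":                        # Winsock LSP chain
            lsp_files[body.rsplit(": ", 1)[-1].lower()] += 1
    for path, n in lsp_files.items():                 # one finding per module, not per layer
        findings.append(("O10", f"unknown Winsock LSP module ({n} layers)", path))
    return findings
```

Running `triage(SAMPLE_LOG, {"corp.bayalarm.com"})` reports the hijacked Start Page, the corrupt hosts line, both search-domain redirections to 207.36.196.189, and inetadpt.dll once with its layer count, while the legitimate Default_Page_URL and the localhost entry produce nothing.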