Problem with: Detected SPYware! System error #384

Discussion in 'adware, spyware & hijack cleaning' started by A.Mc., Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. A.Mc.

    A.Mc. Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    2
Similar to a previous post, I am having a problem with the blue (Detected SPYware! System error #384) page coming up whenever I try to visit a common website. I tried following the recommended steps posted for the previous post (including running CWShredder) but was unsuccessful in removing everything apparently. I would really appreciate any help in resolving this troublesome issue. Here are the contents of my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:27:07 PM, on 7/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\inetdata\services.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\WINDOWS\system32\llass.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\documents and settings\andy mcbride\local settings\temp\7dvfP5htq.exe
    C:\Program Files\Internet Explorer\Iesearch.exe
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\system32\explorer.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Creative\NOMAD Jukebox Zen\PlayCenter2\CTNMRUN.EXE
    C:\WINDOWS\System32\unyhvjq.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\WINDOWS\System32\Vza7UQXb.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\Xszw.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\SlimBrowser\sbrowser.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\AIM95\aim.exe
    C:\Anti-Spyware Utilities\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r1.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r1.attbi.com
    F1 - win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
    O4 - HKLM\..\Run: [webassist] C:\WINDOWS\webassist.exe
    O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [7dvfP5htq.exe] C:\documents and settings\andy mcbride\local settings\temp\7dvfP5htq.exe
    O4 - HKLM\..\Run: [2ZBMZFC5T@B7TD] C:\WINDOWS\System32\NzuYifH.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [x3mf3mW] eqnre.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
    O4 - HKLM\..\Run: [uzkcqwuuoh] C:\WINDOWS\System32\hycxhuu.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox Zen\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [Hndhp] C:\WINDOWS\System32\unyhvjq.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - http://xpehbam.biz/a/load.exe
    O16 - DPF: {AD688740-5246-40C3-AF27-098693046834} - http://www.xpehbam.biz/exploit.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/download/kdx.cab

    Thank You!
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi A.Mc.

    wow - you have quite a collection of nasties :(

    Download the peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net.

    Check the following items in HijackThis - close ALL windows/browsers except HijackThis and click "Fix checked":

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/

    Any idea about inetdata\services.exe? Also see below!
    F1 - win.ini: run=C:\WINDOWS\inetdata\services.exe

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)

    O4 - HKLM\..\Run: [webassist] C:\WINDOWS\webassist.exe
    O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [7dvfP5htq.exe] C:\documents and settings\andy mcbride\local settings\temp\7dvfP5htq.exe
    O4 - HKLM\..\Run: [2ZBMZFC5T@B7TD] C:\WINDOWS\System32\NzuYifH.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [x3mf3mW] eqnre.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
    O4 - HKLM\..\Run: [uzkcqwuuoh] C:\WINDOWS\System32\hycxhuu.exe

    Any idea what this is?
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    If UNKNOWN - pls. check !

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe

    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

    O4 - HKCU\..\Run: [Hndhp] C:\WINDOWS\System32\unyhvjq.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

    O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - http://xpehbam.biz/a/load.exe

    O16 - DPF: {AD688740-5246-40C3-AF27-098693046834} - http://www.xpehbam.biz/exploit.exe

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/download/kdx.cab

    NOTE: even in safe mode you may have to open Task Manager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Open Task Manager, click Processes tab. End the following processes:
    WToolsA.exe

    Delete the following files/folders IF still present:

    C:\documents and settings\andy mcbride\local settings\temp\7dvfP5htq.exe
    C:\WINDOWS\System32\NzuYifH.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\Program Files\AutoUpdate <-----entire folder
    C:\Program Files\Internet Explorer\Iesearch.exe
    C:\WINDOWS\System32\hycxhuu.exe
    C:\WINDOWS\inetdata\services.exe <------ see above!
    C:\Program Files\Common files\WinTools<--------entire folder
    C:\WINDOWS\system32\llass.exe
    C:\WINDOWS\System32\unyhvjq.exe

    Then reboot and use AdAware as described :
    HERE

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.

    To remove Wintools,

    1. Go to safe mode
    2. Kill running entries by ctrl, alt and del for Wintools.
    3. Uninstall Wintools from Add/Remove. It will prompt for a reboot; do that.
    4. Run HijackThis and fix the Wintools entries and delete the folder if present.

    Pls go to Windows Update and get ALL critical updates!
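The triage above is done by eye: core Windows binaries running from the wrong directory (inetdata\services.exe, system32\explorer.exe), look-alike names (llass.exe next to lsass.exe), autostarts launched from Temp or with no path at all, the same image registered in HKLM, HKCU and win.ini, and O16 ActiveX download points that fetch a raw .exe or come from a bare IP address. The script below is an added example that applies those same checks mechanically to the HijackThis 1.x log format shown in the first post; it is not HijackThis, CWShredder or any tool this thread links to, its sample input is a constructed subset of the log above, and it assumes Windows is installed in C:\WINDOWS.

```python
"""Heuristic triage of a HijackThis 1.x log (added example, not a tool from this thread).

Assumptions: Windows lives in C:\WINDOWS, and the log uses the plain-text layout
HijackThis 1.x writes ("Running processes:" block, then "Oxx - ..." entries).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetdata\services.exe
C:\WINDOWS\system32\llass.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\WinZip\WZQKPICK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
F1 - win.ini: run=C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [7dvfP5htq.exe] C:\documents and settings\andy mcbride\local settings\temp\7dvfP5htq.exe
O4 - HKLM\..\Run: [x3mf3mW] eqnre.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {AD688740-5246-40C3-AF27-098693046834} - http://www.xpehbam.biz/exploit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Where Windows XP's own copy of each core binary lives (assumption: C:\WINDOWS).
CORE_HOMES = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O4 - ..." style lines
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")            # "HKLM\..\Run: [name] command"


@dataclass(frozen=True)
class Finding:
    section: str   # "process" or the HijackThis code (F1, O4, O16, ...)
    item: str      # the path, command or URL that was examined
    reason: str


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike names such as llass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_image(cmd):
    """Separate the executable from its arguments in a Run-key value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def image_reasons(path):
    """Why a single executable path deserves a second look."""
    p = path.strip().strip('"').lower()
    home, _, name = p.rpartition("\\")
    reasons = []
    if name in CORE_HOMES:
        if home != CORE_HOMES[name]:
            reasons.append(f"{name} from {home or '(no path)'} instead of {CORE_HOMES[name]}")
    else:
        for core in CORE_HOMES:
            if edit_distance(name, core) == 1:
                reasons.append(f"{name} is one character away from {core}")
                break
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if not home:
        reasons.append("bare filename, no path (resolved through the search order)")
    return reasons


def dpf_reasons(url):
    """O16 ActiveX download points should be .cab/.ocx packages on a named host."""
    u = url.lower()
    host = re.sub(r"^https?://", "", u).split("/", 1)[0]
    reasons = []
    if u.endswith(".exe"):
        reasons.append("download point is a raw .exe rather than a .cab/.ocx package")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", host):
        reasons.append("download point is a bare IP address")
    return reasons


def parse_log(text):
    """Return (running processes, [(code, rest), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    processes, entries = parse_log(text)
    findings = [Finding("process", p, r) for p in processes for r in image_reasons(p)]
    autostarts = Counter()            # how many places register the same image
    for code, rest in entries:
        if code == "F1" and "run=" in rest:
            image = rest.split("run=", 1)[1]
            findings.append(Finding(code, image, "legacy win.ini run= autostart"))
        elif code == "O4" and (m := O4_RE.match(rest)):
            image = split_image(m.group(3))
        elif code == "O16":
            url = rest.rsplit(" - ", 1)[-1].strip()
            findings += [Finding(code, url, r) for r in dpf_reasons(url)]
            continue
        else:
            continue
        autostarts[image.lower()] += 1
        findings += [Finding(code, image, r) for r in image_reasons(image)]
    findings += [Finding("O4", img, f"registered in {n} autostart locations")
                 for img, n in autostarts.items() if n > 1]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:8} {f.reason:60} {f.item}")
```

The heuristics are deliberately narrow so that legitimate entries such as SynTPLpr.exe or the Macromedia Flash .cab produce nothing; randomly named files like NzuYifH.exe or Xszw.exe still need a human (or a hash lookup) to judge, which is exactly why the helper asked "any idea what this is?" rather than deleting on sight.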
     
  3. A.Mc.

    A.Mc. Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    2
    Thanks! I know I have a lot of junk on there :( and am anxious to get it cleaned off...I am just inexperienced in the ways of spyware, malware and all of that other nastiness. I'll implement your instructions and post another log. Thanks again!!
     