sandboxer.com

Discussion in 'adware, spyware & hijack cleaning' started by billfran, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. billfran

    billfran Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    1
    I am attempting to rid my system of sandboxer.com and all of the spyware/pests that come with it. I ran Spybot S&D and Hijack This. My problems are: constant popup adds, toolbars, clocks, search assistants constantly trying to install themselves. I also am constantly getting a popup that starts out saying sandboxer.com then changes quickly to "your pc is infected with spyware. Click here for a free scan of your system". Any help you can offer is appreciated. My Hijack This log is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:12:03 PM, on 7/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SCARDSVR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\HPZTSB03.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\ZPFUJJ.EXE
    C:\WINDOWS\TEMP\NAICK.EXE
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\WINDOWS\SYSTEM\SBRROXY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\INTUIT\QUICKBOOKS BASIC\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
    C:\WINDOWS\SYSTEM\FPCX11NL.EXE
    C:\WINDOWS\SYSTEM\GSDQX6.EXE
    C:\WINDOWS\SYSTEM\OEJ40.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\W7K74ZIV\HIJACKTHIS[1].EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://batonrouge.cox.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/hp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O1 - Hosts: 127.127.127.127 elite
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
    O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [whnqacp] C:\WINDOWS\SYSTEM\zpfujj.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [NAICK] C:\WINDOWS\TEMP\NAICK.EXE
    O4 - HKLM\..\Run: [lcp] C:\WINDOWS\lcp.exe
    O4 - HKLM\..\Run: [2N7NDTN44L@@AN] C:\WINDOWS\SYSTEM\FsdiJ.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPA313.TMP
    O4 - HKLM\..\Run: [r83R36X] RUNTIL.EXE
    O4 - HKLM\..\Run: [fpcx11nl] C:\WINDOWS\SYSTEM\fpcx11nl.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [azs5RWbmQ] SBRROXY.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi billfran,

    Before we start cleaning could you please zip up this folder:
    C:\PROGRAM FILES\COMMON FILES\MIDADDLE
    and mail it to me
    pieterATwilderssecurity.org (replace AT with @)

    Download and run: http://www.memorywatcher.com/uninst.exe
    The program needs internet access to finish.

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/hp.htm

    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O1 - Hosts: 127.127.127.127 elite
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

    O4 - HKLM\..\Run: [whnqacp] C:\WINDOWS\SYSTEM\zpfujj.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [NAICK] C:\WINDOWS\TEMP\NAICK.EXE
    O4 - HKLM\..\Run: [lcp] C:\WINDOWS\lcp.exe
    O4 - HKLM\..\Run: [2N7NDTN44L@@AN] C:\WINDOWS\SYSTEM\FsdiJ.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPA313.TMP
    O4 - HKLM\..\Run: [r83R36X] RUNTIL.EXE
    O4 - HKLM\..\Run: [fpcx11nl] C:\WINDOWS\SYSTEM\fpcx11nl.exe

    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [azs5RWbmQ] SBRROXY.EXE

    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Reboot into safe mode and delete:
    C:\Program Files\WebRebates <= entire folder
    C:\Program Files\WHENUSEARCH <= entire folder
    C:\PROGRAM FILES\COMMON FILES\DPI <= entire folder
    c:\Program Files\AutoUpdate <= entire folder
    C:\Program Files\CLOCKSync <= entire folder
    C:\WINDOWS\SYSTEM\zpfujj.exe
    C:\WINDOWS\ALCHEM.exe
    c:\installer\id53.exe
    C:\Program Files\INCREDIFIND <= entire folder
    C:\PROGRAM FILES\LYCOS\IEAGENT <= entire folder

    Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.