SpyWare/AdWare Problem

Discussion in 'adware, spyware & hijack cleaning' started by Celiciuser, Dec 12, 2003.

Thread Status:
Not open for further replies.
  1. Celiciuser

    Celiciuser Registered Member

    Joined:
    Nov 5, 2003
    Posts:
    3
    Recently, a link has been appearing in my AIM profile. I delete it and it reappears everytime I log on. The link brings one to a page where one is forced to download a virus, unless they exit the entire browser application. The log of the computer is:


    Logfile of HijackThis v1.97.7
    Scan saved at 11:30:28 PM, on 12/11/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
    C:\WINDOWS\av.exe
    C:\WINDOWS\mlrtqwzy.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Documents and Settings\ChelseaF\Application Data\DownloadPlus.exe
    C:\WINDOWS\system32\ntvdm.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\ChelseaF\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Celiciuser,

    That is the shortest log I have ever seen. I can see two spyware-applications running, so my guess would be you put too much on the ignore list or you are only giving us part of the information.
    I would like to make you aware of the fact that this could result in a partial solution.

    Have HijackThis Fix:
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe

    Reboot, preferably into safe mode and delete C:\WINDOWS\av.exe

    Regards,

    Pieter
     
  3. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    I am concerned about this:

    C:\WINDOWS\mlrtqwzy.exe

    What is this?

    First - it is in C:/Windows - and I had there some scumware installed before...

    Second - the name - it is only a bunch of letters, I think that "good" programs will have a "normal" name,a name where will be clear what is the file about... not this bunch of letters...

    I think that such a weird name will have preferreably a "bad" file, where the author thinks: "I will name it mlrtqwzy.exe, because the user of the computer will not have a clue what it is and will not dare to delete it, cos he will be worried if it is not some necessary system file, and so the spyware or trojan will be left in peace here"... installing it in Windows file only supports my thoughts about that :)

    If it will be in my computer, I will check the date of creating and if it will be about the day when I started to have computer problems - probably found the source of probs...

    Maybe I am wrong, but I have a feeling, that C:\WINDOWS\mlrtqwzy.exe
    is some bastard good for nothing and worth deleting...

    What do you think, Pieter and other mods? ;)

    Edit: And Pieter is right about "the shortest log he has seen" - yes, definitely, the second part of the log - where the lines begin with numbered letter - should be longer... either clean the ignore list of HJT or past the whole log here... it is indeed possible, that it is actually the whole log, but it is weird... as Pieter said, if the log is not complete, it may lead in only partial solution...
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    You are absolutely right Zidane.

    And these are the other spywares I saw:
    http://www.doxdesk.com/parasite/DownloadPlus.html
    http://www.doxdesk.com/parasite/CommonName.html

    Regards,

    Pieter
     
  5. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    CommonName? Aaaa, I know it is spyware too, I didnt see it :rolleyes: - DownloadPlus? I thought it was some "good" DL accelerator :rolleyes:
     
  6. Celiciuser

    Celiciuser Registered Member

    Joined:
    Nov 5, 2003
    Posts:
    3
    Ok. I went into safemode and deleted the av.exe file. However, my AIM profile is still filled with the link.
    Here is my log file:

    Logfile of HijackThis v1.97.3
    Scan saved at 4:28:09 PM, on 12/12/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\SIERRA\Planner\PLNRnote.exe
    C:\Program Files\Encompass\EncMontr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9885/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9885/search/redir.php?cid=shnv9885PCID=00000000000000740915&s=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9885/search/redir.php?cid=shnv9885PCID=00000000000000740915&s=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoast.com/9885/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
    O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Grokster\My Grokster\Virtuagirl_brianabanks_full.exe
    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: Yahoo! Monitor.lnk = C:\Program Files\Encompass\EncMontr.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\Planner\PLNRnote.exe
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: RealGuide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37601.8519675926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    My opinions about the log

    In my opinion you should fix this:

    C:\WINDOWS\svchost.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9885/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9885/search/redir.php?cid=shnv9885PCID=00000000000000740915&s=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9885/search/redir.php?cid=shnv9885PCID=00000000000000740915&s=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoast.com/9885/search/search.html
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm


    Weird things, I dont know what are they about, but I smell something fishy here...

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm - C:/Windows? Easy target for installing scumware...

    O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Grokster\My Grokster\Virtuagirl_brianabanks_full.exe - Virtuagirl Briana Banks? I think I hear the SPYWARE song here ;)

    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe - what is thiso_O

    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll - what is thiso_O

    Dont fix anything yet, wait for some moderator, the mods are more knowledgeable about this stuff, I am only a newbie who likes to study the logs and search for scumware in it, I can point something good or not point some real threat :) Wait for example for Pieter_Arntz or some other moderator :)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Celiciuser,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9885/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9885/search/redir.php?cid=shnv9885PCID=00000000000000740915&s=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9885/search/redir.php?cid=shnv9885PCID=00000000000000740915&s=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoast.com/9885/search/search.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm

    O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Grokster\My Grokster\Virtuagirl_brianabanks_full.exe
    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

    Then reboot and delete:
    C:\Program Files\Grokster\My Grokster\Virtuagirl_brianabanks_full.exe <= Backdoor Delf BZ
    C: \Program Files\Srng <= entire folder, Shopnav hijacker
    C:\WINDOWS\av.exe <= if still present

    Regards,

    Pieter
     
  9. Zidane

    Zidane Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    63
    Location:
    Czech Republic, Europe, World, Space
    Hm, I see :) I found the scum in the log, but my lack of knowledge made me to point some things Pieter didnt point, maybe the things are good and I had just "big eyes" :D
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hijack This usually has trouble fixing this one. Re-run Hijack This after following up on all of Pieter's recommendations.
    If that line is still there, download LSPfix here: http://www.cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of inetadpt.dll (and nothing else) , and move them to the "Remove" pane.
    Then click Finish.

    Reboot, and delete the c:\windows\system32\inetadpt.dll file itself.
     
  11. Celicusier

    Celicusier Guest

    I was able to get rid of the problem on my computer, however a friend now is dealing with the same thing, but the av.exe file does not seem to be on their computer.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:43:52 PM, on 12/14/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\PROGRAM FILES\XUPITER\XTCFGLOADER.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\N-CASE\MSBB.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\KWARPXWD.EXE
    C:\WINDOWS\HNQMIUYR.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\CALLWAVE\IAM.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xupiter.com/toolbar2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL
    O2 - BHO: (no name) - {FDEA8B3F-9576-477E-B6B6-9262D40A3235} - C:\WINDOWS\SYSTEM\MO030414S.DLL
    O2 - BHO: (no name) - {AAA74306-8943-4610-AABE-A88FAACE2F7B} - C:\WINDOWS\SYSTEM\GEQKWGG.DLL
    O2 - BHO: (no name) - {BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A} - (no file)
    O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
    O2 - BHO: (no name) - {4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} - (no file)
    O2 - BHO: (no name) - {6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} - (no file)
    O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\PROGRAM FILES\XUPITER\XTUPDATE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
    O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
    O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.EXE
    O4 - HKLM\..\Run: [OSV] C:\WINDOWS\OSV.exe
    O4 - HKLM\..\Run: [ltqqemlp] C:\WINDOWS\kwarpxwd.exe
    O4 - HKLM\..\Run: [xypdhuff] C:\WINDOWS\hnqmiuyr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0804a8ff6b9966323c00/netzip/RdxIE601.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {CCBDD1DC-5FCF-43E5-6BAD-DA44CB0BA16A} (DownloadUL Class) - http://public.searchbarcash.com/cab/010/esfzpzex.cab
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Celicusier,

    Please have them close all programs/windows and select and fix the following;

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xupiter.com/toolbar2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL
    O2 - BHO: (no name) - {FDEA8B3F-9576-477E-B6B6-9262D40A3235} - C:\WINDOWS\SYSTEM\MO030414S.DLL
    O2 - BHO: (no name) - {AAA74306-8943-4610-AABE-A88FAACE2F7B} - C:\WINDOWS\SYSTEM\GEQKWGG.DLL
    O2 - BHO: (no name) - {BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A} - (no file)
    O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
    O2 - BHO: (no name) - {4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} - (no file)
    O2 - BHO: (no name) - {6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} - (no file)
    O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\PROGRAM FILES\XUPITER\XTUPDATE.DLL
    O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL
    O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
    O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
    O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.EXE
    O4 - HKLM\..\Run: [OSV] C:\WINDOWS\OSV.exe
    O4 - HKLM\..\Run: [ltqqemlp] C:\WINDOWS\kwarpxwd.exe
    O4 - HKLM\..\Run: [xypdhuff] C:\WINDOWS\hnqmiuyr.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0804a8ff6b9966323c00/netzip/RdxIE601.cab
    O16 - DPF: {CCBDD1DC-5FCF-43E5-6BAD-DA44CB0BA16A} (DownloadUL Class) - http://public.searchbarcash.com/cab/010/esfzpzex.cab

    After a reboot, please have them delete the following

    C:\PROGRAM FILES\XUPITER <-- entire folder
    C:\WINDOWS\SYSTEM\MO030414S.DLL
    C:\WINDOWS\SYSTEM\GEQKWGG.DLL
    C:\PROGRAM FILES\N-CASE <-- entire folder
    C:\WINDOWS\OSV.exe
    C:\WINDOWS\kwarpxwd.exe
    C:\WINDOWS\hnqmiuyr.exe

    Then please rescan and post a fresh log.
     
Thread Status:
Not open for further replies.