spyware reloaded on reboot

Discussion in 'adware, spyware & hijack cleaning' started by Denise8116, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. Denise8116

    Denise8116 Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    3
    on reboot i ran Ad-aware and Hijackthis

    History:

    problems you are experiencing with my system:
    I delete spyware and when I reboot it all loads back on my system. showering me with unwanted popups and hijacking my google browser.

    the programs which keep reinstall them self are:
    cleverIEhooker
    clientman
    delfin media viewer
    keen valeu
    total valocity z search
    twain-tech
    people on page
    envolo

    I have used mcafee, ad-aware, spybot S&d, and xcleener to try and remove these above problems with no success. One form of the program or another reloads on start up. I started this process with dealhelper being the main problem.

    because of running into these problems I have installed microsoft updates and change the java program. I also have created a system restor point befor running hijackthis.

    Below you will find the hijackthis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 2:45:13 PM, on 6/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\documents and settings\owner\local settings\temp\g.exe
    C:\WINNT\System32\mfxyutif.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINNT\system32\pcs\pcsvc.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\System32\crerdsvr.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINNT\System32\Naw3AzI.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\VchsZJo.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Owner\My Documents\download\spyware remover software\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [g] C:\documents and settings\owner\local settings\temp\g.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINNT\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Anh4V.exe
    O4 - HKLM\..\Run: [kjqeuieh] C:\WINNT\System32\mfxyutif.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [rFmi3qi] crerdsvr.exe
    O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
    O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38139.5741782407
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4360/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab

    Please help
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Denise8116,

    I have the feeling you were unable to update AdAware. can you tell us at what Reffile it is?

    Download and run: http://www.memorywatcher.com/uninst.exe
    The program needs internet access to finish.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

    O4 - HKLM\..\Run: [g] C:\documents and settings\owner\local settings\temp\g.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINNT\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Anh4V.exe
    O4 - HKLM\..\Run: [kjqeuieh] C:\WINNT\System32\mfxyutif.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O4 - HKLM\..\Run: [rFmi3qi] crerdsvr.exe
    O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
    O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Then reboot into safe mode
    and delete:
    C:\Program Files\TV Media <= entire folder
    C:\WINNT\System32\IEHost.exe
    C:\WINNT\System32\mfxyutif.exe
    C:\Program Files\AutoUpdate <= entire folder
    C:\WINNT\system32\pcs <= entire folder
    C:\Program Files\Common Files\Dpi <= entire folder
    C:\Program Files\zSearch <= entire folder

    Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folder.

    Regards,

    Pieter
     
  3. Denise8116

    Denise8116 Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    3
    you asked about ad-aware 6 This is the referance information
    Reference file loaded:
    Reference Number : 0R150 05.07.2003
    Internal build : 683
    File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    Total size : 417692 Bytes
    Signature data size : 409063 Bytes
    Reference data size : 8565 Bytes
    Signatures total : 9637
    Target categories : 8
    Target families : 197

    i hope this is what you were refering to.

    But adware was not the only program i tryed. It was just the last one I tryed after reboot per your sites instructions and I had tried to upate it before running it.

    I will go ahead and try your sugestions and see if it will take care of the problem. I will let you know how I do thanks.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Denise8116,

    This is what my AdAware says:
    Reference file loaded:
    Reference Number : 01R314 02.06.2004
    Internal build : 246
    File location : H:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    Total size : 1201492 Bytes
    Signature data size : 1181377 Bytes
    Reference data size : 20051 Bytes
    Signatures total : 26331
    Target categories : 10
    Target families : 491

    I think you are using an outdated build.
    In the bottom tight corner of the main screen see if it reads
    Build 6.181

    If not,download Ad-aware from here: http://www.lavasoftusa.com/software/adaware

    Regards,

    Pieter
     
  5. Denise8116

    Denise8116 Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    3
    First I want to thank you the system seams to be running a lot better.

    I got the newer version of ad-aware as you had suggested and re-ran that.

    Then I followed your hijack this selection and clicked fix. Because I re-ran ad-aware some of the items were not there any more. Below you will find the files I could find to check and delete after rebooting in safety mode:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [g] C:\documents and settings\owner\local settings\temp\g.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Then re-boot into safe mode
    and delete:

    C:\WINNT\system32\pcs <= entire folder

    I re-booted and re-ran ad-aware and got nothing then I re ran hijack this. I was hoping you might be able to take another quick look and see if I missed anything.

    Thanks for all your help!!!!!!!!!!!!!!!!!!!!!


    Logfile of HijackThis v1.97.7
    Scan saved at 6:38:02 PM, on 6/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\Documents and Settings\Owner\My Documents\download\spyware remover software\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38139.5741782407
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4360/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Denise8116,

    One that AdAware doesn't know yet.

    Reboot into safe mode and delete:
    C:\Program Files\Common files\WinTools <= entire folder

    Check the item listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.