WildTangent etc

Discussion in 'privacy problems' started by Mua-Kell, Jun 30, 2003.

Thread Status:
Not open for further replies.
  1. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    First of all, thank the powers that be there are cool people like Wilders.org that value their privacy! I just mopped up my 1st encounter with LOP : :p really stinks!!! But I still have Wildtangent, NCase, and a condusive flexpack to go. Any suggestions? P.S. My sys was a virgin until a week ago when I installed my 1st modem, so even though I am mid-aged I'm a newbie, but will gain mass Karma soon! THANX
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re:Help!!!

    Hi Mua-Kell,

    Welcome to Wilders. :)

    Could you post your HijackThis log?
    Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.
    I'll try and help you get rid of the spies.
    You'll get your first karma cookie from me, when you're done with that. ;)

    Regards,

    Pieter
     
  3. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Re:Help!!!

    Hey Pieter! Sorry I'm taking so long but another issue is my web page display bogs down then stops. I must reboot to clear the prob, but eventually it returns. Trojan hunter also discovered 4 poss trojans +2 double exe. Will attempt download of hijack further. Also cleaner discovered conduc-flex while attempting to unzip the first time. Could not find the file in PK-Zip (I have lots of zipped files), nothing with the spywareinfo url. I'll keep trying later but must log off for now before web browser clogs up again. (56k dial-up internal) THANKX
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re:Help!!!

    No hurry Mua-Kell,

    It's a long shot, but maybe worth a try, if you can get rid of some trojans at www.trojanscan.com

    Regards,

    Pieter
     
  5. controler

    controler Guest

    or try any one of these great products

    http://virusall.com/downprodtroj.html


    con
     
  6. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Hello people... HELP! I did a booboo, I had hijackthis fix all checked items (all), and I think I might have lost some important stuff. But backup was checked and I managed to save the scan results to a txt file before I did this. Please reply. :'(
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    HI,

    If you mean that you checkmarked and fixed ALL items that came up in the scan then that WOULD be a problem.

    If this is the case, I would close out of all applications and then relaunch hijackthis and instead of doing a scan go to

    Config -> Backups

    You will see in the main window any items that were 'fixed' in the last session. I would restore all of them, reboot, relaunch hijackthis and scan but do not fix anything at this point, just save the log to txt file and copy and paste here.

    HTH,

    Dan
     
  8. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Hello again people! Well I fixed my "fixed" boo boo :D, ran scan, have copy of results saved as txt doc in copy of txt file. Problem is every time I get past select all, copy, then try to click on empty space in reply box (this thing) the previous steps are undone. What is this newbie doing wrong?
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hmmm, once you have the log in the text file and you do the select all and copy, start your reply here and once the cursor is on the "Message" window press Ctrl+V. This should paste the entire log here.
     
  10. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Ok I'll do it this way, I've sent it as E-mail attachment. Hopefully that will work! I am not a llama! :D
     

  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    That way works, too Mua-Kell. :)
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    OK, I would close out of all programs and windows and checkmark the following entries

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://dev.ntcor.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://dev.ntcor.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://O8758.saoe.com/passthrough/index.html?http://search.yahoo.com/search?fr=ush1-mail&p=yahoo.com
    R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
    O2 - BHO: (no name) - {D9158941-AA28-11D7-8B8B-444553540000} - (no file)
    O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O16 - DPF: {965E6B07-6832-4738-BDBE-25F226BA2AB0} (Adult Links) - http://www.mainentrypoint.com/linkzz/QaBar.cab

    Press Fix and then reboot, after which delete the following

    C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL

    C:\Program Files\WildTangent <-- The entire folder

    Once this is done, please do another scan of Hijackthis and repost that log, just so we can be sure

    Thx
     
  13. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    YES! Success! Ok this is weird, I've uninstalled crummy Norton anti-virus 2001. My firewall keeps detecting it trying to connect to a remote...deny! Also the 'FREE' Game spy network is exactly that SPYS! 3 Adware removed by uninstall (thank the binary Gods!). Downright cheesy if you ask me.
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  15. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Mua-Kell

    Did you also uninstall Live Reg and Live Update? (unless your firewall is NIS/NPF in which case you will still need them)

    Regards,

    CrazyM
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi CrazyM,

    Mua-Kell is using Kerio. ;)

    Regards,

    Pieter
     
  17. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Thanks Pieter

    If Live Update was not uninstalled, that is likely what Kerio is alerting to.

    Regards,

    CrazyM
     
  18. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Ok guys I'm back, caught the error, changed it and then got bogged down by display rate problems again. So 2 restarts later...
     

  19. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Oops, that looks to be an incomplete log, can you try again? :)
     
  20. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    I hope you guys finally got that revised text file, the stupid adult links icon came back though. I also caught that remaining fragment from my Lop.com problems, a passthrough with a .asoe. text.
     
  21. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Got it!!!
     
  22. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Logfile of HijackThis v1.95.0
    Scan saved at 12:44:43 AM, on 7/1/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.5\THGUARD.EXE
    C:\PROGRAM FILES\THE CLEANER\TCA.EXE
    C:\PROGRAM FILES\THE CLEANER\TCM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\TXT FILE\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\DESKTOP\TXT FILE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.5\THGUARD.EXE"
    O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Morpheus] "C:\Program Files\StreamCast\Morpheus\Morpheus.exe" -min
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Check For Dope Wars Updates.lnk = E:\Program Files\Dopewars\WiseUpdt.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_5_0.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37798.251400463
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
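
Added example (not part of the original thread or any poster's code): a small Python parser for the HijackThis entry lines quoted in this thread, which checks which entries from the fix list in post 12 still appear in the rescan log above. The two sample texts are subsets copied from those posts; the function and variable names are this example's own.

```python
import re
from typing import NamedTuple

# Subset of the fix list from post 12 of this thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://dev.ntcor.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com
R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
"""

# Subset of the follow-up log from post 22 of this thread.
RESCAN = r"""
Logfile of HijackThis v1.95.0
Running processes:
C:\WINDOWS\ptsnoop.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
"""

# An entry line is "<letter><1-2 digits> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")

class Entry(NamedTuple):
    code: str   # section code such as R0, O4, O16
    body: str   # text after the code, as written in the log

    def key(self):
        # Windows paths and registry names are case-insensitive, and forum
        # pastes vary in spacing, so compare on a normalized form.
        return (self.code, " ".join(self.body.lower().split()))

def parse_log(text):
    """Return the R*/O* entries of a log, skipping header and process lines."""
    return [Entry(*m.groups()) for line in text.splitlines()
            if (m := ENTRY_RE.match(line))]

def diff_fix_list(fix_text, rescan_text):
    """Split fix-list entries into (still present in rescan, no longer present)."""
    rescan_keys = {e.key() for e in parse_log(rescan_text)}
    persisted, cleared = [], []
    for entry in parse_log(fix_text):
        (persisted if entry.key() in rescan_keys else cleared).append(entry)
    return persisted, cleared

if __name__ == "__main__":
    persisted, cleared = diff_fix_list(FIX_LIST, RESCAN)
    for e in persisted:
        print("STILL PRESENT:", e.code, "-", e.body)
    print(len(cleared), "fix-list entries no longer appear")
```

An entry that reappears after a fix and reboot points to something restoring it at startup, so the autostart (O4) lines of the rescan are the next place to look.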
     
  23. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Whew! Could not find C:\DOWNLOADED PROGRAM FILES\QABAR.DLL, but I did find adult links icon and deleted it. I suspect my display of pages (refresh rate?) problem has something to do with this dynamic library link, .DLL?
     
  24. Mua-Kell

    Mua-Kell Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    54
    Location:
    Vancouver WA USA
    Darn, the wild tangent is still there. I'll do it all over, my bad, sorry for wasting so much of your time, be back soon.
     
  25. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Do you have a modem in your system?

    The ptsnoop.exe is sometimes associated with a modem but it could be malware instead, and I am thinking that one of the autolaunched applications is what keeps throwing the entries back in after you delete them.
     