worm.SomeFool.P

Discussion in 'adware, spyware & hijack cleaning' started by griff, Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. griff

    griff Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    3
    Hi- I recieved an e-mail stating that I had sent worm.SomeFool.P to someone and have also been having some problems with my computer. One day all of the themes on the computer turned to baseball. Plus it has been running slow and every time I start it it says- Explorer has caused an error in ~7583836889.TPM. Explorer will now close. I downloaded the ad-adware, and the HijackThis program from your site. Here is it's results.Any help would be appreciated. Thanks- Griff

    Logfile of HijackThis v1.97.7
    Scan saved at 10:20:14 AM, on 6/6/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB03.EXE
    C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\SMARTDSK\FLASH\FLSHSTAT.EXE
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
    C:\WINDOWS\SYSTEM\HPZIPM12.EXE
    C:\COMPUSERVE 2000\WCS2000.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\85INGPQR\HIJACKTHIS[1].EXE

    R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\SYSTEM\TOOLBAR.DLL
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\SYSTEM\TOOLBAR.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\SYSTEM\TOOLBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: FlashPath Status.lnk = C:\SMARTDSK\FLASH\FLSHSTAT.exe
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {D389CF85-6ACD-11D5-8DCA-0020188D446E} (EphoxEditLive2.EditLive) - http://prucal.fnistools.com/Include/editlive2/editlive20.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38135.7587615741
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi griff,


    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\SYSTEM\TOOLBAR.DLL

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\SYSTEM\TOOLBAR.DLL

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\SYSTEM\TOOLBAR.DLL

    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe

    O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/drm.cab

    Reboot into safe mode
    and delete:
    C:\PROGRAM FILES\MYWAY <= entire folder
    C:\WINDOWS\SYSTEM\TOOLBAR.DLL
    C:\WINDOWS\SYSTEM\msmc.exe

    Follow additional instructions here:
    https://www.wilderssecurity.com/showthread.php?t=26670

    Post a new log when you are doen, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. griff

    griff Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    3
    I did what you said to do and checked all of the items below on Hijackthis and clicked fix checked. I also went into safe mode and tried to delete the files that you said. I was unable to find the file C:\WINDOWS\SYSTEM\TOOLBAR.DLL I deleted the other two. I also went to the web page at the bottom of your last e-mail and I was unable to continue because the web site it said to go to is no longer available to non-members, and I am not to sure about downloading anything from an AOL member. Is there anything else I should do?


    Griff
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Use the attachment to this post.

    Regards,

    Pieter
     

    Attached Files:

  5. griff

    griff Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    3
    Hi Pieter,
    I downloaded the Hoster thing, but I can't figure out how to make it run. I also got onto the gladiator-antivirus site, and I couldnt' find instructions for it anywhere.

    How am I supposed to make this thing run? How does it work?


    Thank you for your help,


    Griff
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Unzip the file and doubleclick Hoster.exe
    That's all there is to it.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.