ZestyFind, Aboutblank, Undertone and 69.20.62.93!

Discussion in 'adware, spyware & hijack cleaning' started by DaddyO, May 6, 2004.

Thread Status:
Not open for further replies.
  1. DaddyO

    DaddyO Registered Member

    Joined:
    May 6, 2004
    Posts:
    2
    Location:
    Arizona
    Hi,

    First time here!

    Problems - ZestyFind, About.Blank, Undertone and some other "thing" that keeps briefly opening a new browser window that has a title bar with

    69.20.62.93/yyy. ------- There's more but I haven't gotten it all

    I'm running XP Home edition. I have a dial-up connection. I've used SpyBot for many months; just downloaded and executed Ad-aware. My Hijack-This log is below.

    Having executed the two spyware tools I seem to be free of the ZestyFind home page. Prior to executing Ad-Aware I could not even open my IE tools-> internet options. I got a box that told me I needed to contact my system administrator. Trying to get to Google caused my browser to add a completely new toolbar with all kinds of options.

    In the past couple of days I have also experienced intermittent program errors which cause me to receive the usual "send report to microsoft" dialog box. I have no idea what's running that's causing this error but it does appear to be related to my internet connection. Took my system through a restart yesterday evening! Something about being unable to access a memory address.

    Thanks, here's my log.

    Logfile of HijackThis v1.96.4
    Scan saved at 1:18:39 PM, on 5/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINNT\nblnbs.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Documents and Settings\Michael W. Wiersma\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\pop\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
    O3 - Toolbar: beep dash junk - {1F8ED96B-3E51-1259-BB76-95F780087AB6} - C:\PROGRA~1\SIXTHB~1\mealhtm.dll
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi DaddyO,

    Not sure if we can get you on the road again with all that, but let's give this a shot first.

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These would now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
    O3 - Toolbar: beep dash junk - {1F8ED96B-3E51-1259-BB76-95F780087AB6} - C:\PROGRA~1\SIXTHB~1\mealhtm.dll
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

    O4 - Startup: PowerReg Scheduler.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab

    Then reboot into safe mode and delete:
    C:\Program Files\Common files\WinTools <= entire folder

    Regards,

    Pieter
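Added here as a defender-side illustration (not code from the thread, from HijackThis, or from either poster): a small Python triage that reads log lines in the format quoted above and flags the same kinds of entries Pieter picked out: an R0 search setting pointing into a res:// DLL, the missing R3 URLSearchHook, O3 toolbars with "(no file)", the O6 IE policy keys that lock Tools > Internet Options, an O16 DPF download from a bare IP address, and a startup name on a watch list. The sample log and the one-entry watch list are constructed from this thread, not from any signature database.

```python
import re

# Constructed sample in the HijackThis v1.96 line format used in this thread
# (a mix of entries the helper told the poster to fix and benign ones).
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab
"""

LINE_RE = re.compile(r"^([RNOF]\d+) - (.*)$")          # "<section> - <body>"
IPV4_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
# Hypothetical watch list: startup names the helper singled out in this thread.
WATCHED_STARTUP = {"powerreg scheduler.exe"}


def suspicious(line):
    """Return a reason if the line matches one of the thread's fix patterns, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group(1), m.group(2)
    if sec == "R0" and "Internet Explorer" in body and "= res://" in body:
        return "IE search/start setting redirected into a res:// DLL resource"
    if sec == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed (left behind by a search hijacker)"
    if sec == "O3" and body.endswith("(no file)"):
        return "toolbar CLSID registered but its DLL is gone (orphan entry)"
    if sec == "O4" and body.lower().startswith("startup:"):
        if body.split(":", 1)[1].strip().lower() in WATCHED_STARTUP:
            return "startup item on the watch list"
    if sec == "O6" and "Policies\\Microsoft\\Internet Explorer" in body and body.endswith("present"):
        return "IE policy restriction set (this is what locks Tools > Internet Options)"
    if sec == "O16" and IPV4_URL.match(body.rsplit(" - ", 1)[-1]):
        return "ActiveX download (DPF) served from a bare IP address"
    return None


def triage(log_text):
    # Return (line, reason) for every flagged line, in log order.
    out = []
    for line in log_text.splitlines():
        why = suspicious(line)
        if why:
            out.append((line, why))
    return out
```

Run triage(SAMPLE_LOG) and the six flagged lines are exactly the R0, R3, O3 "(no file)", O4, O6 and bare-IP O16 entries; the Radio toolbar and the Macromedia download pass through unflagged.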
     
  3. DaddyO

    DaddyO Registered Member

    Joined:
    May 6, 2004
    Posts:
    2
    Location:
    Arizona
    Thank you.

    I've done what you recommended, but things didn't go quite as planned. I've not used SAFE mode on XP before and I apparently did something wrong and started back up in normal mode the first time around. Got it right after a second try, though. I hope nothing got rebuilt during the first startup.

    While in SAFE mode I tried using a command prompt window to navigate to the WinTools directory and delete it. (May have been a mistake to use this approach.) I got "Access Denied". The command cacls WinTools reported "EVERYONE:F". I'm not familiar enough with CACLS to recognize this response. I was able to rename the directory to STUPID, then restart windows. I could then delete the STUPID directory ; ) from the normal XP dialog box.

    I re-executed SpyBot and Ad-Aware and generated another Hijack-This log.

    About.blank immediately reared its ugly head when I logged back on, so that's still lurking about.

    Let me also mention that prior to my executing any of your instructions it appears that the 69.20.62.93 pop-up had been installing icons on my desktop. Three, to be precise. Either SpyBot or Ad-Aware apparently cleaned them up. I have not seen this pop-up again during this session.

    Ah Ha! I just noticed that this 69.20.62.93 thing is the dreaded "look2me".

    Thanks, and here's my new log

    DaddyO - aka Mike

    p.s. - I'll move HijackThis later - thanks for the advice.

    ----------------------------

    Logfile of HijackThis v1.96.4
    Scan saved at 11:49:03 AM, on 5/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINNT\nblnbs.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\WINNT\system32\notepad.exe
    C:\WINNT\System32\cidaemon.exe
    C:\Documents and Settings\Michael W. Wiersma\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnetdaily.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\pop\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    Last edited: May 7, 2004
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands