
Computer is slow and loaded with spyware

Discussion in 'Security and Privacy' started by jbh, 2004/06/08.

Thread Status:
Not open for further replies.
  1. 2004/06/08
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Something has gotten a hold of my computer and will not let go.

    I have run adware and it came up w/993 new objects which I put in quarantine.

    I ran my virus protection program, all clear.

    These are some of the problems I am having:

    1. I cannot set a homepage in IE. When I do, it goes back to about:blank. Some kind of search page.

    2. When we try to put a web address in the address bar, all we can get is this stupid search page w/lots of "your computer is infected w/adware" popups.

    3. My user name and password and phone # are changed to something I've never heard of. When I change it, it changes back.

    4. My virus protection will not update.

    5. The computer is super slow.

    I'm sure there is more I could list, but you get the idea.

    I am running XP Pro.

    Help!

    Thanks so much!
     
    jbh,
    #1
  2. 2004/06/08
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    jbh - please follow the posting rules (link toward the top of each reply you open) and put a meaningful subject in your post. I changed this one for you.

    Your system has been partly taken over by some piece of spyware/malware. Please download a copy of hijackthis and post a log. Lots of how-to posts on here for getting it, saving it, running it, posting the results. Just search the security archives for Hijackthis and you'll see lots of other threads.
     
    Newt,
    #2


  4. 2004/06/08
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Newt, Thanks for changing the subject line for me.

    Here is my hijackthis log.

    Sure hope you can help and I need to learn this stuff.


    Logfile of HijackThis v1.97.7
    Scan saved at 5:14:21 PM, on 6/8/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\Program Files\CasinoOnline\CsRemnd.exe
    C:\PC-cillin 2002\PCCPFW.exe
    C:\documents and settings\dad\local settings\temp\q.exe
    C:\documents and settings\dad\local settings\temp\LCS2R.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\program files\altnet\points manager\points manager.exe
    C:\documents and settings\dad\local settings\temp\q.exe
    C:\documents and settings\dad\local settings\temp\LCS2R.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\dbgrhook.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\MICROS~3\OFFICE\WINWORD.EXE
    C:\Documents and Settings\Mom\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppamec.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ppamec.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ppamec.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppamec.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ppamec.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ppamec.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
    R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3DCA440E-D468-40B9-9A4F-63BDA876C042} - C:\WINDOWS\System32\ppamec.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINDOWS\System32\max8264.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe "
    O4 - HKLM\..\Run: [q] C:\documents and settings\dad\local settings\temp\q.exe
    O4 - HKLM\..\Run: [LCS2R] C:\documents and settings\dad\local settings\temp\LCS2R.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [q.exe] C:\documents and settings\dad\local settings\temp\q.exe
    O4 - HKLM\..\Run: [LCS2R.exe] C:\documents and settings\dad\local settings\temp\LCS2R.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe 1
    O4 - HKLM\..\Run: [AutoLoaderr3ro1JTkJLMP] "C:\WINDOWS\System32\dbgrhook.exe" /PC= "AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [r88U37O] dbgrhook.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O13 - DefaultPrefix: http://nkvd.us/
    O13 - WWW Prefix: http://nkvd.us/
    O13 - Home Prefix: http://nkvd.us/
    O13 - Mosaic Prefix: http://nkvd.us/
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\nqsepipj.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ruworld.com/mx/chm/files.chm::/file.exe
    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
    O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://js.searchx.cc/online.chm::/on-line.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37988.620787037
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF0FD042-496D-4344-8836-EE850C1E88F4}: NameServer = 209.63.0.6 207.173.86.6
     
    jbh,
    #3
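    The helpers in this thread read a log like the one above by eye: start-page keys pointing at obfuscated values or at a `res://` DLL resource, Run entries launching from a temp folder, a `svchost.exe` outside System32, O13 prefix overrides, O16 entries that load from `file://` or `ms-its:` instead of a web site. As an added example (not code from this thread and not a HijackThis feature), the Python below applies those same checks mechanically to a constructed sample made from lines of the log above, plus two benign entries (the Adobe BHO and the Flash control) so the rules have something to leave alone. The rule set, the `Finding` type and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the HijackThis log posted in this thread,
# plus two benign ones (Adobe BHO, Flash DPF) that a good rule set must not flag.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ppamec.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [q] C:\documents and settings\dad\local settings\temp\q.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe 1
O13 - DefaultPrefix: http://nkvd.us/
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF0FD042-496D-4344-8836-EE850C1E88F4}: NameServer = 209.63.0.6 207.173.86.6
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O4 - <body>"
TEMP_DIR_RE = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)
BARE_IP_RE = re.compile(r"=\s*https?://(\d{1,3}(?:\.\d{1,3}){3})")
RUN_TARGET_RE = re.compile(r"\]\s*\"?(.+?\.exe)", re.IGNORECASE)  # path after "[name] "
# Core Windows processes that only ever live in System32; a copy elsewhere is an impostor.
CORE_SYSTEM_EXES = {"svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe", "csrss.exe"}


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the original log line


def parse_entry(line: str):
    """Return (section, body) for a HijackThis entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(section: str, body: str) -> list[str]:
    """Apply the per-section rules; return the reasons (possibly none) to flag this entry."""
    reasons = []
    lower = body.lower()
    if section in ("R0", "R1"):
        if "(obfuscated)" in lower:
            reasons.append("IE start/search setting hidden behind an obfuscated value")
        if "res://" in lower:
            reasons.append("IE search page served out of a local DLL resource instead of a web site")
        ip = BARE_IP_RE.search(body)
        if ip:
            reasons.append(f"IE page setting points at a bare IP address ({ip.group(1)})")
    elif section == "O4":
        target = RUN_TARGET_RE.search(body)
        if target:
            path = target.group(1).lower()
            if TEMP_DIR_RE.search(path):
                reasons.append("autorun target lives in a temp folder")
            directory, _, exe = path.rpartition("\\")
            if exe in CORE_SYSTEM_EXES and directory and directory != r"c:\windows\system32":
                reasons.append(f"core system process name {exe} loaded from {directory}")
    elif section == "O13":
        # HijackThis lists O13 only when the prefix differs from the default.
        reasons.append("non-default URL prefix: bare host names typed in the address bar are rewritten to this host")
    elif section == "O16":
        if "file://" in lower or "ms-its:" in lower:
            reasons.append("downloaded program file registered from a local file or CHM, not a web site")
        elif lower.rstrip().endswith("-"):
            reasons.append("downloaded program file with no source URL")
    elif section == "O17":
        ns = re.search(r"NameServer\s*=\s*(.+)", body)
        if ns:
            reasons.append(f"custom DNS servers {ns.group(1).strip()}: confirm they belong to the ISP")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run every entry line of a HijackThis log through check_entry and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        section, body = parsed
        for reason in check_entry(section, body):
            findings.append(Finding(section, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    On the sample, the script flags the two R1 keys, the temp-folder Run entry, the `svchost.exe` outside System32, the O13 prefix, the `file://` DPF and the DNS servers, and leaves the Adobe BHO, the Musicmatch tray program and the Flash control alone. The O17 entry is reported as something to confirm rather than as malicious, since custom name servers are only a problem when they are not the ISP's.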
  5. 2004/06/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Here are a couple of things to get you started. :)

    First, create a new folder named HJT, then cut and paste HijackThis.exe into it. This will keep the backups it creates together in a neat fashion.

    Make sure you have the current version, build 6.181 of Ad-aware. If not, download it from my signature. Update it and configure it for a custom full scan. Run and delete everything it finds. Delete everything you now have in quarantine.

    Reboot.

    Download, install and update Spybot from my sig also. Run and delete all it finds that is prechecked.

    Reboot.

    Download CWShredder too. Save it to your desktop. Close ALL other windows and click fix.

    Reboot.

    You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.
    P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You should also run KazaaBegone, available from the CWShredder link. After removal and reboot, delete the corresponding folders in Program Files.

    Reboot.

    Run online virus scans with both RAV and Housecall. Check the boxes to autoclean. If anything is found and uncleanable, get a report.


    Download this zip. You will need a program like Winzip to open it. You don't have to buy it. The evaluation version will keep right on working long after the time's up. :rolleyes:

    http://tools.zerosrealm.com/pv.zip

    Please unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping, go to the desktop. Open the pv folder. Double click on runme.bat. A DOS window will open. Please select option 1 for explorer DLLs by typing 1 and then pressing enter. Notepad will open with a log in it. Please copy and paste the log into this post, along with a new HijackThis log, and reports from AV scans if applicable.
     
  6. 2004/06/09
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    In addition to that:

    Run HijackThis and fix these:
    O4 - HKLM\..\Run: [q] C:\documents and settings\dad\local settings\temp\q.exe
    O4 - HKLM\..\Run: [LCS2R] C:\documents and settings\dad\local settings\temp\LCS2R.exe
    O4 - HKLM\..\Run: [q.exe] C:\documents and settings\dad\local settings\temp\q.exe
    O4 - HKLM\..\Run: [LCS2R.exe] C:\documents and settings\dad\local settings\temp\LCS2R.exe
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\nqsepipj.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ruworld.com/mx/chm/files.chm::/file.exe
    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
    O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://js.searchx.cc/online.chm::/on-line.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.8.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    ===========
    Set Windows to show hidden files, folders and extensions,
    and delete these files:
    c:\info6_s.cab
    c:\nosuch.mht!
    C:\Program Files\Internet Explorer\nqsepipj.exe
    Uninstall P2P Networking through Add/Remove Programs while offline. If/when asked whether you also want to remove Altnet components, say 'Yes'.
    P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.
    Subsequently remove the P2P Networking folder in C:\Windows\System, if still there, and the Altnet folder too: C:\Program Files\Altnet

    Please uninstall Kazaa also
    ==========

    Restart the PC.
    Important: Clear IE's cache via Control Panel > Internet Options > [Delete Files] button, and mark the popup to also delete offline content.
    And delete the contents of all your temp folders, as in:
    C:\documents and settings\(all your pc users)\local settings\temp
    and the contents of the C:\windows\temp folder
     
  7. 2004/06/09
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    jbh
    Don't know how to put it politely, but your computer is a big mess. You should follow Noahdfear's detailed instructions, or back up any data you NEED to CD and reinstall XP with your original XP disk. It is far less complicated and will take significantly less time than cleaning up, especially if you are not experienced with this kind of work.

    For the future, here is some security info, and you may want to think about preparing for using ASR, which can get an XP Pro user out of trouble relatively easily, if it is set up beforehand. Good luck, and post back with your progress. No matter which way you decide to go, we will help you as best we can.

    Johanna
     
  8. 2004/06/10
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Hi Johanna,

    No need to be polite. I know this computer is a mess. You should see it from my end! :D And you're right. I may need to start all over. I've put in enough time by now that I'd like to keep trying to fix it. Also it's a good learning experience for me.

    And before I continue, I want to say a big thank you to Newt, noahdfear, Lonny Jones, Johanna and any one else who helps me. It's great that you guys take out the time to do this! :D


    I think I have done pretty much everything that's been suggested and the computer is running some better. A couple of problems (questions) tho.

    I ran the RAV but it didn't clean the files for me. Thought maybe I didn't check the clean files button, so did it again. Still didn't clean them. Report below.

    Then went to Housecall, and every time I get ready to scan I get an IE error and it (IE) shuts down. What's that all about?

    Again, many thanks for your help. Don't know what I'd do without it!

    jbh


    Scanned files: 76080
    Scanned directories: 6426
    Scanned archives: 2751
    Size of the scanned files: 1790949351
    Packed files: 4345
    Known viruses found: 31
    Virus bodies: 15
    Suspicious files: 3

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 288171
    Mail files: 1957




    Found viruses
    File: C:\WINDOWS\infamous.exe
    Virus: PWS:Win32/Briss Status: Infected

    File: C:\WINDOWS\system32\npk.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: C:\WINDOWS\system32\ppamec.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: C:\WINDOWS\system32\nieglc.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: C:\WINDOWS\system32\ahpbkia.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: C:\WINDOWS\system32\mnblkk.dll
    Virus: Trojan:Win32/StartPage.GV Status: Infected

    File: C:\Documents and Settings\Mom\Local Settings\Temp\_update.dat
    Virus: TrojanSpy/Win32.Agent.L Status: Infected

    File: C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\WHENWZBC\CA8YGFAD.HTM
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: C:\Documents and Settings\Paige\Local Settings\Temp\_update.dat
    Virus: TrojanSpy/Win32.Agent.L Status: Infected

    File: C:\Documents and Settings\Dad\Local Settings\Temp\_update.dat
    Virus: TrojanSpy/Win32.Agent.L Status: Infected

    File: C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\CXYLENCB\codeshtoo2[1].htm
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\G5UVKXAN\CAHSGN5L.HTM
    Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

    File: C:\Program Files\Q330994.exe
    Virus: Trojan:Win32/StartPage.AU2 Status: Infected

    File: C:\Program Files\Internet Explorer\ibuxkoky.exe
    Virus: Backdoor:Win32/Jeemp.C Status: Infected

    File: C:\Program Files\Internet Explorer\nqsepipj.exe
    Virus: Backdoor:Win32/Jeemp.C Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP155\A0261052.exe
    Virus: PWS:Win32/Briss Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP155\A0261053.exe
    Virus: TrojanDownloader:Win32/Small Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP155\A0261056.exe->(UPXW)
    Virus: PWS:Win32/Briss Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP161\A0270167.exe
    Virus: PWS:Win32/Briss Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP161\A0270168.exe
    Virus: TrojanDownloader:Win32/Small Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP161\A0270171.exe->(UPXW)
    Virus: PWS:Win32/Briss Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP170\A0277636.exe
    Virus: Backdoor:Win32/Ruledor.E Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP170\A0277661.dll
    Virus: SpyTool:Win32/Briss.H Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP170\A0277662.exe->(UPXW)
    Virus: PWS:Win32/Briss Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP171\A0284444.exe
    Virus: Trojan:Win32/StartPage.FA Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP171\A0286373.exe->(UPXW)
    Virus: TrojanDownloader:Win32/Agent.AB Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP171\A0288526.exe
    Virus: Backdoor:Win32/Jeemp.C Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP172\A0297556.dll
    Virus: Clicker:Win32/Delf Status: Infected

    File: C:\System Volume Information\_restore{A5D157BA-79DD-4E4C-B596-4D6D40D5D466}\RP172\A0297558.exe
    Virus: TrojanDownloader:Win32/Keenval.A Status: Infected

    File: C:\Eudora\clients.mbx->(Invalid#1*)
    Virus: MIME/Invalid#1 Status: Suspicious

    File: C:\Eudora\old in.mbx->(Invalid#1*)
    Virus: MIME/Invalid#1 Status: Suspicious

    File: C:\Eudora\ebay.foll\buyer.mbx->(Invalid#1*)
    Virus: MIME/Invalid#1 Status: Suspicious

    File: E:\Program Files\Windows Media Player\mplayer2.exe
    Virus: Trojan:Win32/StartPage.FA Status: Infected

    File: E:\Program Files\Internet Optimizer\optimize.exe
    Virus: TrojanDownloader:Win32/Dyfuca.V Status: Infected
     
    Last edited: 2004/06/10
    jbh,
    #7
  9. 2004/06/10
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Disable System Restore and reboot, most of those files are in there, and only XP can delete them. Don't enable System Restore yet.
    Delete the temp IE files, check the box for Delete Offline Content when you do.
    You might want to delete any stored emails in Eudora.

    Please post a new HJT log.

    I would suggest deleting files, but some may be "needed", and you had such a mess I don't want to make a bigger mess. Some of them do not seem to be called upon by the old log, but will wait.
     
  10. 2004/06/10
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Hi markp62,

    System Restore disabled.

    System rebooted.

    IE temp files deleted.

    Here's the new HJT log: Thanks, jbh

    Logfile of HijackThis v1.97.7
    Scan saved at 7:27:14 PM, on 6/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\dbgrhook.exe
    C:\Program Files\CasinoOnline\CsRemnd.exe
    C:\WINDOWS\System32\dbgrhook.exe
    C:\WINDOWS\System32\mqttetab.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bikfge.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bikfge.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bikfge.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bikfge.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bikfge.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bikfge.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {9191E8C3-BD8C-47B4-919F-A9F209B73CAE} - C:\WINDOWS\System32\bikfge.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINDOWS\System32\max8264.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [AutoLoaderr3ro1JTkJLMP] "C:\WINDOWS\System32\dbgrhook.exe" /PC= "AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe "
    O4 - HKLM\..\Run: [r88U37O] dbgrhook.exe
    O4 - HKCU\..\Run: [azr8RXimS] mqttetab.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7b77298065d0b9/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37988.620787037
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    jbh,
    #9
  11. 2004/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I was afeared of something like this. :rolleyes:

    Download Stinger.....http://vil.nai.com/vil/stinger/

    Download A2 (A-squared).....http://www.emsisoft.com/en/software/free/
    Edit note: Dave, capital letter A followed by holding down Alt and 0178 from the numberpad and then releasing will give you A². Newt

    Thanks Newt. Have copied it to my notes for future reference. Lord knows I'll never remember it.

    Right click My computer>properties. On system restore tab, check the box to disable and OK out.

    Show hidden files and folders.

    Open C:\temp, select all and delete.
    Open C:\Windows\temp, select all and delete.
    Open C:\Documents and Settings\Mom\Local Settings\Temp, select all and delete.
    Open C:\Documents and Settings\Paige\Local Settings\Temp, select all and delete.
    Open C:\Documents and Settings\Dad\Local Settings\Temp, select all and delete.
    Open all other usernames in C:\Documents and Settings to local settings\temp, select all and delete.


    You will need to logon to each username and open control panel, then internet options. Delete temporary internet files. Check the box for offline content. Delete cookies as well. Click the settings button, then view objects. Select all and delete. Empty the recycle bin. Do all of this in that order for each username.

    Run stinger.
    Run A2.
    Update and run Ad-aware again.
    Reboot.

    If still present, end process on optimize.exe in task manager, then open E:\Program Files and delete the folder Internet Optimizer.


    Scan with RAV again.
    Try scanning with Housecall again.

    Post reports along with a new HijackThis log.
     
    Last edited: 2004/06/10
  12. 2004/06/10
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    noahdfear,

    I am in the process of doing what you have suggested.

    You were afeared of what?

    jbh
     
    jbh,
    #11
  13. 2004/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Multiple infections, which I saw in your first log; that is why I suggested the scans. And would you believe that I started that reply before Mark posted in? Golly, I gotta learn to type faster. :rolleyes:
     
    Last edited: 2004/06/10
  14. 2004/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Also need the PV log as suggested in my first post.
     
  15. 2004/06/10
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Thanks

    This is a learning experience for me.

    Will post result after I run everything including a pv log.

    jbh
     
    jbh,
    #14
  16. 2004/07/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wrong thread. :rolleyes:
     