Needware virus (if that's what it is). Please help me resolve this.

I have a neededware virus on my computer. Could you please look over my HJT log and tell me which files I should delete or fix? I'd really appreciate it if you would. I have Spyware 2005 and Ad-Aware SE downloaded onto my computer. I also have Ewido and Nailfix downloaded and saved on desktop but haven't ran them yet. Here's my log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:36:45 AM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSSystem32hkcmd.exe
Crogram FilesQuickTimeqttask.exe
Crogram FilesMUSICMATCHMUSICMATCH Jukeboxmmtask.exe
Crogram FilesViewpointViewpoint ManagerViewMgr.exe
Crogram FilesBestPopUpKillerBestPopupKiller.exe
Crogram FilesDell SupportDSAgnt.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32wscntfy.exe
Crogram FilesCommon FilesRealUpdate_OBrealsched.exe
Crogram FilesInternet Exploreriexplore.exe
Cocuments and SettingsLisaDesktopHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Crogram FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:WINDOWSsystem32dlatfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - crogram filesgooglegoogletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - crogram filesgooglegoogletoolbar1.dll
O4 - HKLM..Run: [IgfxTray] C:WINDOWSSystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSSystem32hkcmd.exe
O4 - HKLM..Run: [UpdateManager] "Crogram FilesCommon FilesSonicUpdate Managersgtray.exe" /r
O4 - HKLM..Run: [QuickTime Task] "Crogram FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [mmtask] "Crogram FilesMUSICMATCHMUSICMATCH Jukeboxmmtask.exe "
O4 - HKLM..Run: [TkBellExe] "Crogram FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [ViewMgr] Crogram FilesViewpointViewpoint ManagerViewMgr.exe
O4 - HKLM..Run: [tdxu] C:WINDOWSsystem32tdxu.exe
O4 - HKCU..Run: [MSMSGS] "Crogram FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [MoneyAgent] "Crogram FilesMicrosoft MoneySystemmnyexpr.exe "
O4 - HKCU..Run: [SpyKiller] Crogram FilesSpyKillerspykiller.exe /startup
O4 - HKCU..Run: [BestPopUpKiller] Crogram FilesBestPopUpKillerBestPopupKiller.exe /startup
O4 - HKCU..Run: [MSKAGENTEXE] CROGRA~1McAfeeSPAMKI~1MSKAgent.exe
O4 - HKCU..Run: [DellSupport] "Crogram FilesDell SupportDSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Crogram FilesAdobeAcrobat 7.0Readerreader_sl.exe
O8 - Extra context menu item: &Google Search - res://Crogram FilesGoogleGoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://Crogram FilesGoogleGoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://Crogram FilesGoogleGoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://Crogram FilesGoogleGoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://Crogram FilesGoogleGoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://Crogram FilesGoogleGoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:WINDOWSSystem32msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:WINDOWSSystem32msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSSystem32Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Crogram FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Crogram FilesMessengermsmsgs.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:counter.cab
O20 - Winlogon Notify: igfxcui - C:WINDOWSSYSTEM32igfxsrvc.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - Crogram FilesIntelNCSSyncNetSvc.exe

 

Hello Lisa,

You should first run both Ad-Aware and Ewido and then repost a log afterwards. Can't advise on Nailfix, don't know what the effects are - if Dave or Mark get to this, they'll be able to tell you whether or not to run it.

You can also run the on-line virus scanners: links here http://www.windowsbbs.com/links.php

And, I notice you have a lot of resource draining startups:

O4 - HKLM..Run: [UpdateManager] "Crogram FilesCommon FilesSonicUpdate Managersgtray.exe" /r

O4 - HKLM..Run: [QuickTime Task] "Crogram FilesQuickTimeqttask.exe" -atboottime

O4 - HKLM..Run: [mmtask] "Crogram FilesMUSICMATCHMUSICMATCH Jukeboxmmtask.exe "

O4 - HKLM..Run: [TkBellExe] "Crogram FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot

O4 - HKCU..Run: [DellSupport] "Crogram FilesDell SupportDSAgnt.exe" /startup

O4 - Global Startup: Adobe Reader Speed Launch.lnk = Crogram FilesAdobeAcrobat 7.0Readerreader_sl.exe

None of these need to startup at boot - if needed, they can be either on demand or in the case of Acrobat, double clicking on a PDF file brings it up anyway.

Read thru this post http://www.windowsbbs.com/showthread.php?t=39425 - links to startup info, whether needed, not needed, or harmful.

Regards - Charles

 

Neededware virus

Thanks for replying so fast Charles. I did everything you said to and removed a few more files from start-up because I don't need them at start-up. Here's my new log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:06 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\Lisa\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [tdxu] C:\WINDOWS\system32\tdxu.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Could you please tell me what else I need to clean or remove? Then after that's taken care of, what should I do next?

 

Your BestPopupKiller.exe is part of your problem. Just glance through this google search and you will see what I mean.
http://www.google.com/search?hl=en&lr=&q=BestPopupKiller.exe

Disable System Restore.

Now, open HJT, and click on 'Open misc tools section', then click on "Delete a file on reboot', a File Open window will appear. Copy/Paste the following into it.

C:\WINDOWS\system32\tdxu.exe

Then click on Open, and you will be prompted to reboot, select No at this time. Do the same for this.

c:\counter.cab

Rescan with HJT, and remove these items with all internet browsers and windows explorer windows closed.

O4 - HKLM\..\Run: [tdxu] C:\WINDOWS\system32\tdxu.exe
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

Reboot into Safe Mode.
Delete all files and folders located in these folders.
C:\Windows\Prefetch
C:\Windows\Temp
C:\Documents and Settings\Lisa\Local Settings\Temp

Delete this folder.
C:\Program Files\BestPopUpKiller.

Reboot into Normal mode, and enable System Restore. Please post a new HJT log.
I have noticed Neededware is not visible in your second HJT log. Get SpywareBlaster, install and update. Allow it to enable all protections, it will put neededware and hundreds of other sites into the Restricted Zone, preventing further infections of this type.
Note: XP will not allow a site to be in both the Restricted and Trusted at the same time.

 

Neededware virus

I just finished doing all of the above that you suggested me do. Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:28:03 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Lisa\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

 

Neededware virus

Oops! I forgot to do on thing before. To enable system restore. So I did that soon after I wrote my last post. I forgot to ask two things also. Should I just uninstall my Spykiller 2005 since that's what put BestPopupKiller onto my computer? And should I delete the two 'dell4me' files? I'm wondering why they're underlined in the logs. Thanks.

 

Yes, get rid of Spykiller, definitely without a doubt.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
Those are there because you have a Dell, nothing bad about them. Why not just change your Homepage in Internet Options? That is what they are. They are underlined because they are working links on this forum.

Your log is clean.
Here are a couple of things you can remove, your choice.

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
That is there because XP crashed. If it isn't crashing anymore, you can remove it.

You can uninstall Viewpoint Media Manager, it is useless. It appeared with an AOL product such as AIM.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
You could remove Quicktime from startup, it will work fine. Sometimes it causes problems on some folks computers when running at startup.

Have a good day!

 

Final Neededware Post

All is done. Mark, thank you soooo much for all your help, and for Charlie's help too. There are no more pop-ups and my computer is alot faster too. Awesome. Thanks again.
Sincerely,
Wildputycat