
Problems with pc due to a strange program

Discussion in 'Other PC Software' started by Kayz, 2003/04/09.

Thread Status:
Not open for further replies.
  1. BruceKrymow, 2003/04/11
    Hi, Kayz ~

    You have yet another trojan or virus. :(

    I am a little pissed right now, as I addressed this issue with a lengthy post last night. I see I may have screwed up :eek: due to the 60-second rule and it did not make it, but I will repost it later, OK?
     
  2. BruceKrymow, 2003/04/11
    Hi, Kayz ~

    OK, here's the scoop: what you have is known as the JS_TRAFFICHBAR.A trojan or a Trojan.WinREG.STW variant, a parasitic program that spies on you and sends ads. This often comes through b.s. programs like TinyBar, ZeroPopup and a few others, but they all hijack your browser to the stupid znext.com, spy, and eat up bandwidth by sending your browsing habits back to home base. :eek:

    Here are a few pages for info and manual removal: Click here to test for the parasite, and then click on 'ZeroPopup' and 'TinyBar' at the lower left of the page for further good info.

    The best-documented automatic hijack remover for this particular pest is HijackThis. Read the directions under the Hijack Removal heading.
     


  4. Kayz (Thread Starter), 2003/04/12
    OK, I've done all the scanning with Spybot, Ad-Aware, and NAV, and the ones you all have given me, I don't know how many times now. The only one I didn't try was the HijackThis one. I don't know exactly what to look for, but I also question it: I've looked for all the required things for the toolbar mentioned in each tutorial and chose the max setting in Ad-Aware, yet from
    http://www.anti-trojan.net/at.asp?l=en&t=onlinecheck I keep getting a 1033 NetSpy Trojan. So I don't know if it's still the same spyware, but I have one type of spyware on here nonetheless. I'm starting to get ****** here, and I will send a list of what came up on the HijackThis list in the morning. I'm tired and agitated now by this stuff, so I deeply thank you Mike and Bruce for helping me, and sorry to you both for putting you through much trouble, if any.
     
  5. mflynn, 2003/04/12
    Ok Kayz

    First, stop running the other steps we gave over and over, as this is a waste of time. Twice through is enough!

    It is time we had more info on what is starting up, so download StartupList.

    <http://www.spywareinfo.com/~merijn/files/startuplist.zip>

    StartupList does nothing but grab all the autoload (startup) entries and put them in a WordPad file so that you can then copy it and paste it back to us in a message, so that we can advise on any problem there. So get this to us!

    NOW confirm this to us. You have 2 issues now: (1) the znext search problem and (2) the 1033 NetSpy. Is this correct?

    First, let me mention that it is very easy to get a false positive on a trojan.

    So let us get it out of the way first. Download the below, then install, then immediately do the online update (it is a 30-day free trial).

    The Cleaner 3.5
    http://www.moosoft.com/thecleaner/download.php

    So post the StartupList report back to us, then run The Cleaner and get back after that with the results.

    A Trojan or worm is more of a priority than the ZNEXT thing, since it appears to be only a nuisance. So after handling the 1033 NetSpy we will get back to that.

    Again, do not waste your time running these things over and over; do the above and get back to us.

    Mike
     
  6. Kayz (Thread Starter), 2003/04/12
    Well, the Znext pop-up has stopped, and the registry files and other extensions that were given to me have all been taken out. These are the results from the list:


    StartupList report, 4/12/03, 10:37:50 AM
    StartupList version: 1.52
    Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    LoadQM = loadqm.exe
    QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    POINTER = point32.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    DeadAIM = rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
    fsvyuwg = "C:\WINDOWS\SYSTEM\FSVYUWG.exe "

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=hpfsched

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/4/2003, 23:52:46)

    [Rename]
    NUL=c:\windows\system\ieacce~1.dll

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37603.718912037

    [{4E888414-DB8F-11D1-9CD9-00C04F98436A}]
    CODEBASE = https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab

    [Live365Player Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
    CODEBASE = http://www.live365.com/players/play365.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [PWLNINST Control]
    InProcServer32 = C:\WINDOWS\PWLN\PWLNINST.OCX
    CODEBASE = http://www.plato.com/pwln/02000050/cab/pwlninst.cab

    [AvxScanOnline Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
    CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 5,666 bytes
    Report generated in 1.255 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
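The StartupList report Kayz posted is the raw material for the review Mike describes: every autoload location dumped to text for a human to read through. The Python script below is an added example, not part of any post in this thread and not StartupList's own code. It parses the registry Run sections and the WIN.INI load/run lines of such a report, works out which file each entry really launches (including the DLL behind a rundll32 line), and flags entries worth looking up. The sample report is a constructed excerpt in the layout of the posted log; the KNOWN_GOOD allowlist and the "looks machine-generated" heuristic are this example's own assumptions, not a published list, and a flag means "check this file", not "this is malware".

```python
"""Triage a StartupList-style report (added example; assumptions are marked)."""
import ntpath
import re

# Constructed excerpt in the layout of the StartupList 1.52 output posted above.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
DeadAIM = rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
fsvyuwg = "C:\WINDOWS\SYSTEM\FSVYUWG.exe "

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched

--------------------------------------------------
"""

# Assumed allowlist: stock Win9x components plus the vendor tools named in the thread.
KNOWN_GOOD = {
    "scanregw.exe", "systray.exe", "taskmon.exe", "mstask.exe", "loadqm.exe",
    "navapw32.exe", "type32.exe", "point32.exe", "qttask.exe", "msnmsgr.exe",
}

SECTION_SPLIT = re.compile(r"^\s*-{10,}\s*$", re.M)      # the dashed separators
ENTRY_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<cmd>.*)$")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')                    # quoted path or bare word


def launched_file(cmd):
    """Return the file a Run value really starts, or None for an empty value.

    Handles quoted paths (including the trailing space some installers leave
    inside the quotes) and rundll32, whose first argument is the DLL that runs.
    """
    tokens = [t.strip('"').strip() for t in TOKEN_RE.findall(cmd)]
    tokens = [t for t in tokens if t]
    if not tokens:
        return None
    target = tokens[0]
    if ntpath.basename(target).lower() == "rundll32.exe" and len(tokens) > 1:
        target = tokens[1].split(",", 1)[0]              # "DLL,EntryPoint"
    return target


def parse_report(text):
    """Return a list of {'source', 'name', 'command', 'path'} autorun entries."""
    entries = []
    for chunk in SECTION_SPLIT.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        header = lines[0]
        if header.startswith("Autorun entries from Registry:"):
            source, body = lines[1], lines[2:]            # next line is the key path
        elif header.startswith("Load/Run keys from"):
            source, body = header[len("Load/Run keys from"):].strip(" :"), lines[1:]
        else:
            continue        # processes, BHOs, DPF objects are not handled here
        for line in body:
            m = ENTRY_RE.match(line)
            if not m:
                continue
            cmd = m.group("cmd").strip()
            path = launched_file(cmd)
            if path is not None:                          # skips an empty "load="
                entries.append({"source": source, "name": m.group("name").strip(),
                                "command": cmd, "path": path})
    return entries


def looks_generated(stem):
    """Crude signal (assumption): six or more letters with fewer than one vowel in five."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    return sum(c in "aeiou" for c in s) / len(s) < 0.2


def assess(entry):
    """Return the reasons to look at an entry; an empty list means nothing flagged."""
    base = ntpath.basename(entry["path"]).lower()
    if base in KNOWN_GOOD:
        return []
    directory = ntpath.dirname(entry["path"]).lower()
    reasons = []
    if not directory:
        reasons.append("no directory given; which file runs depends on the search path")
    elif directory.endswith(("\\system", "\\system32")):
        reasons.append("unlisted binary in the Windows system directory")
    if looks_generated(base.rsplit(".", 1)[0]):
        reasons.append("name looks machine-generated")
    return reasons


def triage(text):
    """Map entry name -> reasons for every entry that has at least one reason."""
    flagged = {}
    for entry in parse_report(text):
        reasons = assess(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the two entries flagged are the SYSTEM\FSVYUWG.exe line and the WIN.INI run=hpfsched line. The vowel-count heuristic also trips on hpfsched, which is an abbreviation rather than a random string; that is exactly why a flag is a prompt to find the file and look it up, not a verdict. A trailing space inside a quoted path is not a signal on its own: the posted report shows the IntelliType entry written that way and type32.exe running regardless.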
     
  7. Kayz (Thread Starter), 2003/04/12
    OK (sorry for double posting), I ran The Cleaner, updated it, and then checked to see if the NetSpy was still around, and it's not showing up now. Thanks again, Mike. I hope I'm not putting you through any trouble with this.
     
  8. mflynn, 2003/04/12
    Ok!

    Good to hear that the ZNEXT is finally gone.

    So what about the 1033 NetSpy Trojan? This could be much more troubling than ZNEXT.

    Did you download and run The Cleaner to check for the 1033 NetSpy Trojan?

    If not, that is the "NEXT BIG THING".


    The above needs to be done ASAP; the below is for later.

    Now, just for your info.

    Do you actually use MSN Messenger? (The reason I ask is that it sometimes gets installed automatically.) If you use it, OK; if not, it is an unnecessary resource user.

    I noticed that you have DeadAIM, which stops ads from AOL Instant Messenger, but I saw no indication that you use AIM.

    I would not have Webshots on my computer for pay!

    The references to taskmon and hpfsched are unnecessary and slow your computer down.

    AFTER you handle this NetSpy, let me know what you wish to do here and I will help you clean these up.

    Mike
     
  9. Kayz (Thread Starter), 2003/04/12
    Yes, I do use MSN Messenger, and I used DeadAIM last night. Webshots is on there because the actual owner of the computer thought it would be nice to have, so they decided to put it on the computer :\. As for the two files that slow down my computer, I'll stop them from running. Again, thank you. The Trojan didn't show up in the scan, so it's gone and I'm in the clear now. Thank you.
     
  10. BruceKrymow, 2003/04/12
    Please elaborate.
     
  11. mflynn, 2003/04/12
    I admin 62 networks (over 1000 w/s) in 6 states. A year ago I had a series of lockups and virus hits at 2 different locations. The virus hits seemed to come from the Webshots computers: out of 35 w/s at this 1 location, only the Webshots computers had the viruses.

    As for removal, their uninstall does not complete it; it takes manual registry cleaning to completely remove. Another thing I detest (not doing a proper uninstall)!

    Additionally, after removal all the users commented that their computers were noticeably faster. I noticed it also.

    Then later I had 2 more different networks have similar hits, all on the computers that had Webshots, and after cleaning I mandated no more Webshots.

    Then a month or 2 after that, a couple of users from the first group above got more viruses when they reinstalled Webshots.

    At least 2 different virus scanners were in effect at different stations, Norton and eTrust Antivirus (InoculateIT). They would clean most viruses, but they would show up again the next day or after a reboot!

    Additionally, only a short time ago it came bundled with GATOR; not any longer, but they have that mentality.

    http://info-center.ccit.arizona.edu/~ccitinfo/newsletters/march2002/problems_with_webshots.html

    In short, it degrades performance and keeps the door ajar! It just trips my 2 triggers, performance and security!

    Mike
     
  12. mflynn, 2003/04/12
    OK Kayz

    I will close this case! Smile!

    Good luck.

    To remove Taskmon you should boot to safe mode. Search for taskmon.exe and delete it.

    Then browse to c:\windows\ and delete the entire Applog folder.

    To remove the hpfsched go to

    start-run
    type sysedit

    click win.ini

    delete the line that says run=hpfsched

    Mike

    PS: I just noticed this:

    McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

    Do you have both Norton and McAfee?

    Bye
    Mike
     
  13. BruceKrymow, 2003/04/12
    Hi, Mike ~


    I thought Kayz said they just installed Norman, too, so is that 3 now? I don't see it in the report.

    I would recommend killing off the QuickTime entry (NO reason for that to run at start-up) and the Tune-up Application one, and dumping some of the ActiveX controls.


    Regarding Webshots, I see your point. I am a Webshots user, but then I know how to use programs like that in such a fashion: without installing third-party wares, not at start-up, not enabling open connections, and without using any resources.
     
  14. AAPlus, 2003/04/12
    Hello, Kayz

    If you like, have a try at this:

    Download 'Hijack This!'.

    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Good luck
     
  15. mflynn, 2003/04/12
    Yes Kayz

    Relax, the pressure is off; it seems everything is fixed. The rest we are telling you about is only to improve system performance and stability.

    Bruce pointed out the qttask; I saw it but forgot to list it. Totally useless, or worse, a slowdown, so get rid of it also.

    And if you had McAfee in the past, part of it is still loading. What's up?

    Mike
     
    Last edited: 2003/04/12
  16. Kayz (Thread Starter), 2003/04/13
    The only thing I have from McAfee was this Internet Security program by them; I downloaded it onto my computer, but I took it off. I don't know why it's still hanging around in my system, but I'll go ahead and take it off, since I don't run McAfee. I think I just forgot to do a complete uninstall, I guess; I don't remember. All I know is that I don't like using McAfee for anything, since it was slowing my computer down extremely. But anyway, thank you for suggesting those things to me and taking your time to get me the info and to make my computer Trojan-free. Thank you; I wish I could repay the favor.
     
  17. mflynn, 2003/04/13
    Your thanks is my pay!

    Mike
     
  18. Kayz (Thread Starter), 2003/04/13
    Jesus, OK, I got something in my Internet Temp Files that is called x0r.exe, and a warning came up saying the file carried something called Backdoor-something. I wasn't able to see it, for I was typing an address trying to get away from the site, since it wasn't really giving me results, and I hit Enter on 'ignore the problem' on TC Active or Monitor, one of the two. So I ran all the programs and it hasn't gotten rid of it. I scanned, and again I have a 1033 NetSpy.
     
  19. BruceKrymow, 2003/04/13
    Hi, Kayz ~

    Is 'TC active or Monitor' part of Norman or Norton or McAfee?

    Why did you hit Enter on 'ignore the problem'? You have the 'Backdoor' trojan. You should let your anti-virus quarantine, clean and/or remove it.
     
  20. mflynn, 2003/04/13
    That is the resident portion of The Cleaner 3.5 that I had her install after she found the NetSpy.

    Apparently it is doing its job. I in fact forgot about the resident portion, because I do not install that part.

    Bruce and Kayz, I am headed out to dinner, so I will be out for an hour or so.

    If you don't get it by then, I will try.

    Mike
     
  21. Kayz (Thread Starter), 2003/04/13
    Umm, I'm a guy, first off. For Bruce: I was typing the address quickly without looking up at the moment and accidentally hit Enter, but it was too late; my system lagged when it read that problem and then the window closed.

    As for my name, I got it from Kamikaze; I just took the Kaze part and spelled it Kayz.
     