   Mischel Internet Security Forum
Topic: Dubliner asking for help with seven problems (Read 1916 times)
desmondpieri
« on: Mar 4th, 2005, 6:16am »
I very much appreciate any assistance that can be provided. Desmond  Problems include:
 
1. Spyware Blaster ‘program has been damaged’ situation (even though it’s been loaded multiple times).
2. Spyware Guard Browser Protection Alert:  Attempt to change IE settings.  IE search bar has been changed to res://c:\windows\TEMP\se.dll/sp.html.  When I hit ‘restore old value’ it restores it but then it happens again right away.  Causes me to not be able to exit windows properly.
3. Spyware Guard does not seem to be able to update. It just hangs in the update state.
4. IE starts on its own and goes to www.loadingwebsite.com/normal/yyyy23.html
5. Naimas32:  “Program has performed an illegal operation and will shut down”
6. Have numerous items in task manager, including adawwpg, aseky, ydbiyqi, cryrts, and cvtr32, none of which I can determine what they are.
7. When I run HiJack This, in normal (i.e., not safe mode), the program hangs after doing a scan and showing the log.  In the task manager it says ‘not responding’.  The only way to end it is via the task manager.  I can run HiJack This in Safe mode.
 
I had more problems earlier in the week and I could not go on line.  I was able to get rid of the other problems by loading some anti spyware software off of CD.
 
My system is Win 98 with all updates (as of today, after these problems started).  I have installed:
Ad-Aware 1.05 with definitions as of 16 Feb
CWShredder 1.59.1
Spybot Search and Destroy 1.3
Spyware Guard 2.2
Hijack This 1.99.1
 
A HiJack This scan is below (see the note), and HiJack This start up list is further below.
 
Thank you for your help.  Desmond Pieri
 
Note:  The log below was created in safe mode due to problem number seven above.
 
Logfile of HijackThis v1.99.1
Scan saved at 6:58:48 PM, on 2/24/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Rest of data to follow in next post due to size limit.
desmondpieri
« Reply #1 on: Mar 4th, 2005, 6:17am »
Here is the rest of the data.
 
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:3128
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [Modem Update Reminder] c:\windows\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [NaimAgent_Service] C:\ePOAgent\naimas32.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMHID] rundll32 mmhid.dll,StartMmHid
O4 - HKLM\..\Run: [Tcrsnx] C:\PROGRAM FILES\OWVHQU\YDBJYQI.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r78P37h] COOCIDS.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [Network Associates Man Agent] C:\WINDOWS\NTME\METHW95.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll' missing
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0452bbf36bfeffa3b706/netzip/RdxIE601.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
 
siliconman01
« Reply #2 on: Mar 4th, 2005, 10:31am »
From your HJT log, it looks like you have a combination of spyware/malware infections.
 
I suggest that you go to www.webroot.com and run a remote scan to see what spyware Spy Sweeper 3.5 detects on your system.
 
If it detects any, I then suggest that you download Spy Sweeper 3.5 at  
http://www.webroot.com/products/spysweeper/?WRSID=c30188ac053f04f23b18b92b01f33e04
 
and purchase a 1 year license for $19.95.  Clean your system of infections and activate all the applicable Shields in Spy Sweeper.  
 
I highly recommend that you download the trial version of TH V4.2, install it, and scan your system.  If you like what you see with TH, a one time license fee will get you the fully licensed version.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Randy_Bell
« Reply #3 on: Mar 4th, 2005, 10:39am »
Plugged your HJT log into Help2Go Detective:
 
This is BETA Software. Use at your own risk.
 
 
Malicious
 
These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
(Description: Home page or search page hijacker (running from temp folder))
 
O1 - Hosts: 69.20.16.183 ieautosearch
(Description: Web browser hijacker)
 
O1 - Hosts: 69.20.16.183 ieautosearch
(Description: Web browser hijacker)
 
O1 - Hosts: 69.20.16.183 ieautosearch
(Description: Web browser hijacker)
 
O1 - Hosts: 69.20.16.183 ieautosearch
(Description: Web browser hijacker)
 
O1 - Hosts: 69.20.16.183 auto.search.msn.com
(Description: Web browser hijacker)
 
O1 - Hosts: 69.20.16.183 search.netscape.com
(Description: Web browser hijacker)
 
O1 - Hosts: 69.20.16.183 ieautosearch
(Description: Web browser hijacker)
 
O1 - Hosts: 69.20.16.183 ieautosearch
(Description: Web browser hijacker)
 
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
(Description: Virtual Bouncer adware)
 
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
(Description: Adware related to Apropos Media.)
 
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
(Description: DPF running from Recycle bin -- unknown malware.)
 
 
 
Suspicious
 
Suspicious entries have been found in your log. They might be spyware/malware. We advise that you follow all of the directions on this page, and then re-run HijackThis. If you are still seeing this "Suspicious" section, you should go to the Spyware Help section of our site and post your log in a new topic so that our experts can analyze it personally.
 
 
 
Suggestions
 
The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.
 
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
(Description: This is the Microsoft MSN Queue Manager. There is disagreement over whether it is spying on you or not. Nevertheless, we suggest you check this entry and remove it. Removing this entry will free up some system resources.)
 
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)
 
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0452bbf36bfeffa3b706/netzip/RdxIE601.cab
(Description: Browser add-on from RealNetworks. Unnecessary.)
 
 
 

 
1) Press the "Fix checked" button. Then close HijackThis.

 
2) Then reboot your computer.
 
3) Remove all files from your C:\WINDOWS\TEMP folder and your C:\DOCUMENTS AND SETTINGS\(your username)\LOCAL SETTINGS\Temp\ folder. (Do NOT delete the folders themselves). PLEASE NOTE: The local settings folder is a hidden folder.
 
4) Uninstall Virtual Bouncer.
 
5) Delete the folder C:\Program Files\VBouncer\
 
6) Delete the C:\Program Files\AutoUpdate\ folder.
 
7) Empty the recycle bin.
 
8) Run Windows Update and install all critical updates.
 
9) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.
 
10) Reboot one last time.  
 
11) Some suspicious entries have been found in your log. The next step is to run HijackThis again and create another log file. Click here to create a new topic in our Spyware Help forum and paste your log within, along with a note that the Detective prompted you to do so. One of our experts will analyze your log and post a response if there is anything else you need to fix.
« Last Edit: Mar 4th, 2005, 2:40pm by Randy_Bell »
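
Added example (not part of the original thread and not Help2Go Detective's code): a small triage script that applies three of the indicators named in the analysis above to a HijackThis log, namely a search page served from a temp folder, hosts-file redirects, and a DPF entry installed from the Recycle Bin. The function names are hypothetical, the sample lines are copied from the log posted in this thread, and treating every non-loopback hosts mapping as a redirect is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0452bbf36bfeffa3b706/netzip/RdxIE601.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O16 - DPF: ..."
LOOPBACK = {"127.0.0.1", "::1"}                  # assumption: only these are benign

def classify(section, body):
    """Return a reason string if the entry matches a rule, else None."""
    low = body.lower()
    if section in ("R0", "R1") and "res://" in low and "\\temp\\" in low:
        return "IE search/home page served from a temp folder"
    if section == "O1":
        m = re.match(r"hosts:\s*(\S+)\s+(\S+)", low)
        if m and m.group(1) not in LOOPBACK:
            return f"hosts file redirects {m.group(2)} to {m.group(1)}"
    if section == "O16" and "file://" in low and "\\recycled\\" in low:
        return "ActiveX download (DPF) installed from the Recycle Bin"
    return None

def triage(log_text):
    """Parse a HijackThis log; return [(line, reason, count)] for flagged entries."""
    hits = Counter()
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        reason = classify(m.group(1), m.group(2))
        if reason:
            hits[(raw.strip(), reason)] += 1  # collapse repeated lines into a count
    return [(line, reason, n) for (line, reason), n in hits.items()]

if __name__ == "__main__":
    for line, reason, n in triage(SAMPLE_LOG):
        print(f"[x{n}] {reason}\n      {line}")
```

Entries the rules do not match, such as the O4 startup items, still need manual review; the script only narrows where to look first.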
desmondpieri
« Reply #4 on: Mar 5th, 2005, 9:39am »
Thank you for the quick response. I am traveling this weekend and will not be at a place where I can hitch up my PC.  As soon as I can get connected, I'll do the things you suggest and I'll do another reply to confirm success. Again, thank you very much. Des