Solved

Second Request on same question Spyware Toolbar

Posted on 2004-10-23
Last Modified: 2008-03-03
I have been looking for answers to this question for months: How do I remove this spyware toolbar? It only appears when I connect to the Internet in Explorer. It does not appear when I connect in Mozilla Firefox.

I think I have fixed some of the problems in my IE browser with HijackThis, but I am still getting a spyware toolbar that won't go away. It looks like this:


   Make money   Music   Casino
 
  Investing   Travel   Mortgage
   Dating - Singles - Personals - Escorts - Chat Rooms  Travel - Airline Tickets - Hotels - Cruises - Vacations  Careers - Job Listings - Education - Work At Home - Part Time
 Credit - Credit Cards - Cash Advance - Mortgage - Car Loans  Computers - DVD - Games - Digital Camera - Ink Cartridge  Insurance - Car Insurance - Health Ins. - Life Ins. - Renters Ins

Its properties when I right click on it look like this:

Search Now!

HyperText Transfer Protocol
   
HTM File

Not Encrypted

http://search200.com/passthrough/newpass2.html

size is 7320 bytes -

It only appears when I am connected to the Internet, and it goes away when I click on its close box, but it always comes back when I use Explorer.

My HijackThis log file now looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 5:10:31 AM, on 10/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\O2Micro\SuperDJ\Monitor.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\winnt\180solutions\saap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Stealther\stealth26.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\Working Docs\White Papers\Computer Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://epihtbmqskudwyzibhl.com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.MyCopper.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Copper.net Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:14000
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - Startup: Stealther Startup.lnk = C:\Program Files\Stealther\stealth26.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.MyCopper.net
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37561.2661921296
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D99612C-19B8-48F7-8629-EE97FA51D2DC}: NameServer = 65.247.64.21 209.41.196.13

Any suggestions???
Question by:MonroeDowling

    Accepted Solution

    by:
    Get the latest version of HiJackThis!
    Run the results through http://www.hijackthis.de/index.php?langselect=english

    Get AdAware, Spybot 1,3 and AVG Antivirus
    Update all three but only run AVG

    Reboot into safe mode and then run AdAware and Spybot.


    Assisted Solution

    by:adamdrayer
    Many people at EE have lately come out against posting HJT logs in questions.  They prefer that you use HJT only as a last resort, and you self-diagnose it by running the online analyzer here:
    http://ww.hijackthis.de/
    and come here to post only about unknowns. That being said, you do have some viruses and adware on your computer.

    I believe these to be bad and would fix them:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// epihtbmqskudwyzibhl . com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
    O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
    O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
    O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

    But before you fix them using HJT, you should run a few virus scans and spyware scans.  HJT is a last resort.  You seem to also be running the 180Solutions program.  It's here: C:\winnt\180solutions\saap.exe.  Kill the process immediately and delete the file.  This particular program is notoriously hard to get rid of.


    ***
    Standard HJT Disclaimer-

    The above items I say are bad because of any combination of the following:
    -I am familiar with them as bad programs
    -I cannot find anything on the web about them.
    -Naming convention for executable seems to be random letters/numbers
    -Naming convention for executable contains spaces (not common among professional programs)
    -Registry Value is nondescript or simply the name of the executable

    I encourage you to do any research on the above programs and conclude that they are unwanted before fixing them as entries.
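
The naming checks listed in the disclaimer above, applied to the O4 Run entries of the posted log, as an added example that is not part of the original thread. The "random-looking" test (a name with no vowels) is an assumption made here, and the function names are hypothetical.

```python
import ntpath
import re

# Lines copied from the HijackThis log posted in the question (not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - Startup: Stealther Startup.lnk = C:\Program Files\Stealther\stealth26.exe
"""

RUN_ENTRY = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
EXE_PATH = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)

def parse_run_entries(log_text):
    """Yield (value_name, exe_path) for each O4 registry Run line."""
    for line in log_text.splitlines():
        m = RUN_ENTRY.match(line.strip())
        if not m:
            continue  # Startup-folder shortcuts and other sections are skipped
        value_name, command = m.groups()
        p = EXE_PATH.match(command)  # quoted path, or text up to the first ".exe"
        yield value_name, (p.group(1) or p.group(2)) if p else command

def triage_reasons(value_name, exe_path):
    """Return which of the disclaimer's naming checks this entry trips."""
    filename = ntpath.basename(exe_path)
    stem = ntpath.splitext(filename)[0]
    reasons = []
    if " " in stem:
        reasons.append("space in executable name")
    # Assumption: "random letters/numbers" approximated as a name with no vowels.
    if not any(c in "aeiou" for c in stem.lower()):
        reasons.append("random-looking executable name")
    if value_name.lower() in (stem.lower(), filename.lower()):
        reasons.append("value name is just the executable name")
    return reasons

def triage(log_text):
    """Map value name -> reasons, keeping entries that trip at least one check."""
    found = {n: triage_reasons(n, e) for n, e in parse_run_entries(log_text)}
    return {n: r for n, r in found.items() if r}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"[{name}] -> {', '.join(reasons)}")
```

All three O4 entries the answer lists come back, and so does ctfmon.exe, a standard Windows component whose value name matches its file name, so a hit is a prompt for research rather than a verdict.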
