Solved

Second Request on same question Spyware Toolbar

Posted on 2004-10-23
Last Modified: 2008-03-03
I have been looking for answers to this question for months - How do I remove this spyware toolbar? It only appears when I connect to the Internet in Explorer. It does not appear when I connect in Mozilla Firefox.

I think I have fixed some of the problems in my IE browser with HijackThis, but I am still getting a spyware toolbar that won't go away. It looks like this:


   Make money   Music   Casino
 
  Investing   Travel   Mortgage
   Dating - Singles - Personals - Escorts - Chat Rooms  Travel - Airline Tickets - Hotels - Cruises - Vacations  Careers - Job Listings - Education - Work At Home - Part Time
 Credit - Credit Cards - Cash Advance - Mortgage - Car Loans  Computers - DVD - Games - Digital Camera - Ink Cartridge  Insurance - Car Insurance - Health Ins. - Life Ins. - Renters Ins

Its properties when I right click on it look like this:

Search Now!

HyperText Transfer Protocol
   
HTM File

Not Encrypted

http://search200.com/passthrough/newpass2.html

size is 7320 bytes -

It only appears when I am connected to the internet, and it goes away when I click on its close box, but it always comes back when I use Explorer.

My HijackThis log file now looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 5:10:31 AM, on 10/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\O2Micro\SuperDJ\Monitor.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\winnt\180solutions\saap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Stealther\stealth26.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\Working Docs\White Papers\Computer Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://epihtbmqskudwyzibhl.com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.MyCopper.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Copper.net Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:14000
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - Startup: Stealther Startup.lnk = C:\Program Files\Stealther\stealth26.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.MyCopper.net
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37561.2661921296
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D99612C-19B8-48F7-8629-EE97FA51D2DC}: NameServer = 65.247.64.21 209.41.196.13

Any suggestions???
Question by:MonroeDowling
5 Comments
 

Accepted Solution

by:
KerryG earned 1000 total points
ID: 12387917
Get the latest version of HiJackThis!
Run the results through http://www.hijackthis.de/index.php?langselect=english

Get AdAware, Spybot 1,3 and AVG Antivirus.
Update all three but only run AVG.

Reboot into safe mode and then run AdAware and Spybot.

Assisted Solution

by:adamdrayer
adamdrayer earned 1000 total points
ID: 12390696
Many people at EE have lately come out against posting HJT logs in questions.  They prefer that you use HJT only as a last resort, and you self-diagnose it by running the online analyzer here:
http://ww.hijackthis.de/ 
and come here to post only about unknowns. That being said, you do have some viruses and adware on your computer.

I believe these to be bad and would fix them:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// epihtbmqskudwyzibhl . com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

But before you fix them using HJT, you should run a few virus scans and spyware scans.  HJT is a last resort.  You seem to also be running the 180Solutions program.  It's here: C:\winnt\180solutions\saap.exe.  Kill the process immediately and delete the file.  This particular program is notoriously hard to get rid of.


***
Standard HJT Disclaimer-

The above items I say are bad because of any combination of the following:
-I am familiar with them as bad programs
-I cannot find anything on the web about them.
-Naming convention for executable seems to be random letters/numbers
-Naming convention for executable contains spaces (not common among professional programs)
-Registry Value is nondescript or simply the name of the executable

I encourage you to do any research on the above programs and conclude that they are unwanted before fixing them as entries.
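
The naming heuristics from the disclaimer above, applied to O4 Run lines copied from the log in the question. This is an added example, not part of the original post; the function names are hypothetical and the "no vowels" test is an assumed, crude stand-in for "random letters/numbers".

```python
import re
from pathlib import PureWindowsPath

# O4 autorun line: "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
# Executable path: quoted, or unquoted up to the first ".exe"
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

# O4 lines taken from the HijackThis log posted in the question.
SAMPLE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - Startup: Stealther Startup.lnk = C:\Program Files\Stealther\stealth26.exe
"""

def triage(line):
    """Return (value_name, exe_file, reasons) for an O4 Run line, else None."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None  # not a registry Run entry (e.g. Startup folder shortcut)
    _hive, name, command = m.groups()
    p = EXE.match(command)
    path = PureWindowsPath((p.group(1) or p.group(2)) if p else command)
    exe, stem = path.name, path.stem.lower()
    reasons = []
    if " " in exe:
        reasons.append("space in executable name")
    if name.lower() in (stem, exe.lower()):
        reasons.append("value name is just the executable name")
    # Assumption: treat an alphanumeric name with no vowels as random-looking.
    if stem.isalnum() and not set(stem) & set("aeiou"):
        reasons.append("name looks random (no vowels)")
    return name, exe, reasons

def flagged(log_text):
    """Map value name -> reasons for every O4 Run entry with at least one hit."""
    hits = {}
    for line in log_text.splitlines():
        result = triage(line)
        if result and result[2]:
            hits[result[0]] = result[2]
    return hits

if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

IgfxTray is also reported because its value name matches its executable name, so a single hit is only a lead to research, in line with the "any combination" wording of the disclaimer.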