Solved

Second Request on same question Spyware Toolbar

Posted on 2004-10-23
Last Modified: 2008-03-03
I have been looking for answers to this question for months: how do I remove this spyware toolbar? It only appears when I connect to the Internet in Explorer. It does not appear when I connect in Mozilla Firefox.

I think I have fixed some of the problems in my IE browser with HijackThis, but I am still getting a spyware toolbar that won't go away. It looks like this:


   Make money   Music   Casino
 
  Investing   Travel   Mortgage
   Dating - Singles - Personals - Escorts - Chat Rooms  Travel - Airline Tickets - Hotels - Cruises - Vacations  Careers - Job Listings - Education - Work At Home - Part Time
 Credit - Credit Cards - Cash Advance - Mortgage - Car Loans  Computers - DVD - Games - Digital Camera - Ink Cartridge  Insurance - Car Insurance - Health Ins. - Life Ins. - Renters Ins

Its properties when I right click on it look like this:

Search Now!

HyperText Transfer Protocol
   
HTM File

Not Encrypted

http://search200.com/passthrough/newpass2.html

size is 7320 bytes -

It only appears when I am connected to the Internet, and it goes away when I click on its close box, but it always comes back when I use Explorer.

My HijackThis log file now looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 5:10:31 AM, on 10/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\O2Micro\SuperDJ\Monitor.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\winnt\180solutions\saap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Stealther\stealth26.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\Working Docs\White Papers\Computer Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://epihtbmqskudwyzibhl.com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.MyCopper.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Copper.net Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:14000
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - Startup: Stealther Startup.lnk = C:\Program Files\Stealther\stealth26.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.MyCopper.net
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37561.2661921296
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D99612C-19B8-48F7-8629-EE97FA51D2DC}: NameServer = 65.247.64.21 209.41.196.13

Any suggestions???
Question by:MonroeDowling
2 Comments
 
LVL 8

Accepted Solution

by:
KerryG earned 1000 total points
ID: 12387917
Get the latest version of HiJackThis!
Run the results through http://www.hijackthis.de/index.php?langselect=english

Get AdAware, Spybot 1,3 and AVG Antivirus
Update all three but only run AVG

Reboot into safe mode and then run AdAware and Spybot.
LVL 15

Assisted Solution

by:adamdrayer
adamdrayer earned 1000 total points
ID: 12390696
Many people at EE have lately come out against posting HJT logs in questions. They prefer that you use HJT only as a last resort, and you self-diagnose it by running the online analyzer here:
http://ww.hijackthis.de/ 
and come here to post only about unknowns. That being said, you do have some viruses and adware on your computer.

I believe these to be bad and would fix them:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// epihtbmqskudwyzibhl . com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

But before you fix them using HJT, you should run a few virus scans and spyware scans.  HJT is a last resort.  You seem to also be running the 180Solutions program.  It's here: C:\winnt\180solutions\saap.exe.  Kill the process immediately and delete the file.  This particular program is notoriously hard to get rid of.


***
Standard HJT Disclaimer-

The above items I say are bad because of any combination of the following:
-I am familiar with them as bad programs
-I cannot find anything on the web about them.
-Naming convention for executable seems to be random letters/numbers
-Naming convention for executable contains spaces (not common among professional programs)
-Registry Value is nondescript or simply the name of the executable

I encourage you to do any research on the above programs and conclude that they are unwanted before fixing them as entries.
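The two criteria from the disclaimer above that can be checked mechanically (a space in the executable's file name, and a Run value that is simply the executable's name), applied to O4 lines copied from the log in the question. This is an added example, not part of either answer and not HijackThis code; the function names and reason labels are assumptions made here. The IgfxTray line is included to show an entry the answer did not list tripping a criterion, so the output is a prompt for research, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# O4 autorun lines copied from the HijackThis log in the question above.
SAMPLE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
"""

# "O4 - <hive>\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(.+?)\] (.+)$")
# Unquoted commands may contain spaces in the path, so cut at the first
# executable extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|scr))(?:\s|$)", re.IGNORECASE)


def executable_of(command):
    """Return the program path from a Run command, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def triage(log_text):
    """Map each O4 Run value name to the disclaimer criteria it trips."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 registry Run entry
        value, command = m.groups()
        exe = PureWindowsPath(executable_of(command))
        reasons = []
        if " " in exe.name:
            reasons.append("space-in-exe-name")
        if value.lower() in (exe.name.lower(), exe.stem.lower()):
            reasons.append("value-is-exe-name")
        findings[value] = reasons
    return findings


if __name__ == "__main__":
    for value, reasons in triage(SAMPLE).items():
        print(f"{value:28} {', '.join(reasons) or '-'}")
```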