Solved

Unwanted Web Page on Desktop, Popups and Processes Taking Over My System

Posted on 2004-11-27
12,057 Views
Last Modified: 2011-10-03
(1) Unwanted Web Page on Desktop

"Warning     You're In Danger     All you do with computer is stored forever ..."
Properties shows the following file on my system: C:\Windows\desktop.html.  When deleted it returns on startup.

(2) Unwanted popups and processes, couple examples of many:
a.  "Computer Perforamance Software Advertisement     System Performance Info"
               http://adserver.sharewareonline.com/AdServer/MemTurbo/Adm/ad080504.htm

b. "Would you like to install the free trial version of the CPURocket . . . "


(3) Unwanted processes:   see report below


WHAT I'VE TRIED:

a. HiJackThis
b. Ad-Aware
c. CW Shredder
d. Stinger
e. Spybot
f. SpywareBlaster


HIJACK THIS REPORT:

Logfile of HijackThis v1.98.2
Scan saved at 7:33:34 PM, on 11/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\twink64.exe
C:\WINDOWS\System32\ezykahv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Steve\Application Data\osoa.exe
C:\WINDOWS\System32\r?ndll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\windos.exe
C:\Program Files\WebSiteViewer\124424.dlr
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\PROGRA~1\eZula\mmod.exe
C:\WINDOWS\System32\brods.exe
C:\WINDOWS\System32\q_emyd.exe
C:\PROGRA~1\WEBOFF~1\wo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Documents and Settings\Steve\My Documents\Backed Up\Computer\Hijack Help\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [kwgekpdlnbgjx] C:\WINDOWS\System32\ezykahv.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [t7oV3EP] q_emyd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Steve\Application Data\osoa.exe
O4 - HKCU\..\Run: [Sqtqvtl] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [cw79ROjEQ] brods.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -


Appreciate any help you have to offer

-Tigershark


Question by:Tigershark-One
20 Comments
 

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 300 total points
ID: 12688351
Hello Tigershark-One =)

Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for you,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in the HijackThis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted; better you first research them on Google and then, when you have confirmed that they should be deleted, Fix them. And whenever you run HijackThis, run it from a new folder on your desktop, so that in case of any problem you can take advantage of the backups it creates of fixed items. And in case you still face problems in dealing with it, just analyse your log at the above site, then scroll down where you will see a Save Analyse button, hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)

Then right-click Desktop > Properties > Desktop > Customize Desktop > Web and delete all the pages from here except My Current Homepage..... Apply!!

Now use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
Turn off your System Restore before cleaning the system >> http://www.pchell.com/virus/systemrestore.shtml
Then run all of the removal tools one by one in Safe Mode and delete everything they detect.
Delete the offending files and folders manually from the hard drive and regedit.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on your hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ?? :)

Expert Comment

by:rubiconx
ID: 12689260
Tigershark,

You don't have any virus software installed - This is really dangerous!!!
I have analysed the log (http://www.hijackthis.de/logfiles/f3083abc3399c5f04b8842703c0c63f9.html) and you have lots of bad entries.

I suggest at the very least you go to:

http://housecall.trendmicro.com/

This is the Trend Micro scanner which will get rid of the majority of rubbish.

After you have run the scanner, boot into safe mode (F8 during bootup) and rerun the ad-aware, spybot, etc programs.

Then run HijackThis again and post the log.

When all this is sorted I really recommend you get a quality Virus scanner!

Regards,

Dave

Assisted Solution

by:rossfingal
rossfingal earned 300 total points
ID: 12689367
Hi!

Before you attempt to fix anything:
download LSP Fix from -
http://www.cexx.org/lspfix.htm
Read the information file on it -
http://www.cexx.org/lspfix.txt

The following entries indicate the presence of {LookToMe / VX2}
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

You say you've run Ad-Aware -
get the VX2 Plug-in for Ad-Aware and run it.
It may remove VX2 from your computer.
Follow the good advice above - particularly, about getting an Anti-virus program!

Good luck!

RF

Expert Comment

by:Rabba367
ID: 12693194
All answers that have been given are good - but they all take time.  I personally do not have the patience to run all the programs and untick everything.  My suggestion is to throw in the towel and reinstall windows because if you even leave a smidgen of the stuff that is on your computer - you will get reinfected super fast.  Next time however have a plan of action ready.  Certainly have a virus checker and a firewall - but in this instance none of that would help as you clicked on a file while in Windows Explorer and invited the programs in.  To prevent future happenings of this nature - change your browser to Firefox and disable Java and Javascript - this will cut down on your chances of getting malware tremendously.  Firefox can be obtained at http://www.mozilla.org/.

Next, after you have reinstalled Windows - before you ever touch an Internet Connection make a back-up copy of your system by using Ghost.  A freeware Ghost-like program can be found at http://www.partition-saving.com/.  Once you have a good copy of your system - if ever you get infected again - and chances are you will - just load your backup copy of the system in a few minutes and you are like new again!  

If you have several partitions - i.e. C: D: E: etc. - move any files from the C: drive you need to save and then reformat and reinstall - being certain to make a backup copy for the future.  Realize people want to always fix things, but sometimes things take too long to fix when a simple reinstall will fix it and be much faster with a 100% guarantee of success.

CYA

Accepted Solution

by:CharlyPhilly
CharlyPhilly earned 900 total points
ID: 12697615
I know this is a long post but I don't think that you have to go through the headache of reinstalling Windows as that would take even more time reinstalling all of the necessary patches and updates.

You can download one program to clean your system and erase the hijackers, adware/spyware & BHOs and then you need to make sure that you install a good antivirus program and firewall.

      Firewall - http://smb.sygate.com/products/spf_standard.htm
      Firewall - http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Go to > www.giantcompany.com and download and run the AntiSpyware program (Do a full system scan). It contains a large database that will rid your system of everyday malware/spyware/crapware/etc. After the system is finished scanning, it will show you all of the infected files, registry keys and cookies infected. Check to remove all infected files and then another window will pop up asking you if you want to change any configurations to your internet browser if it was hijacked. One side will show you your current settings and the other side will show you the default settings. Change any suspicious sites to the default or to a site of your choosing.

Download and run the adult.reg & ieads.reg registry files from the iespyad.zip on https://netfiles.uiuc.edu/ehowes/www/res/ie-spyad.zip . This will add sites to your restricted zones to block ads that infect your computer.

Installing both SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) and SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html) will PREVENT Spyware from loading onto your computer.

***********************************************************************************

Here are some fixes but always make sure you are comfortable with deleting the files...
(I put question marks next to suspicious entries I could find either no or little info on)

~Delete your temporary internet files and delete cookies including offline.

~Uninstall any suspicious programs from Add/Remove programs

~(Start > Run > Regsvr32 msconf.dll) then Open MsConfig (Start > Run > Msconfig) and uncheck suspicious startup programs then click apply & restart later:
      C:\Documents and Settings\Steve\Application Data\osoa.exe
      C:\PROGRA~1\eZula\mmod.exe
      C:\PROGRA~1\WEBOFF~1\wo.exe
      C:\Program Files\AutoUpdate\AutoUpdate.exe
      C:\Program Files\CxtPls\CxtPls.exe
      C:\Program Files\SurfSideKick 2\Ssk.exe
      C:\Program Files\Web_Rebates\WebRebates0.exe
      C:\Program Files\Web_Rebates\WebRebates1.exe
      C:\WINDOWS\satmat.exe
      C:\WINDOWS\System32\bcmwltry.exe ????? Are you running on a wireless network?
      C:\WINDOWS\System32\brods.exe ?????
      C:\WINDOWS\System32\ezykahv.exe ?????
      C:\WINDOWS\System32\q_emyd.exe ?????
      C:\WINDOWS\System32\r?ndll32.exe
      C:\WINDOWS\System32\twink64.exe
      C:\WINDOWS\System32\windos.exe
      C:\WINDOWS\wupdt.exe

~Delete the following registry keys (on the right-hand pane) & any other suspicious entries:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run: [satmat] C:\WINDOWS\satmat.exe
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run: [kwgekpdlnbgjx] C:\WINDOWS\System32\ezykahv.exe  ?????
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run: [t7oV3EP] q_emyd.exe ?????
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [Ncao] C:\Documents and Settings\Steve\Application Data\osoa.exe
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [Sqtqvtl] C:\WINDOWS\System32\r?ndll32.exe
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [cw79ROjEQ] brods.exe  ????
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

~Stop the following processes (right-click and End Process Tree on the Processes tab in Task Manager) & any other suspicious ones:
      C:\Documents and Settings\Steve\Application Data\osoa.exe
      C:\PROGRA~1\eZula\mmod.exe
      C:\PROGRA~1\WEBOFF~1\wo.exe
      C:\Program Files\AutoUpdate\AutoUpdate.exe
      C:\Program Files\CxtPls\CxtPls.exe
      C:\Program Files\SurfSideKick 2\Ssk.exe
      C:\Program Files\Web_Rebates\WebRebates0.exe
      C:\Program Files\Web_Rebates\WebRebates1.exe
      C:\WINDOWS\satmat.exe
      C:\WINDOWS\System32\bcmwltry.exe ??? Are you running on a wireless network?
      C:\WINDOWS\System32\brods.exe      ?????
      C:\WINDOWS\System32\q_emyd.exe      ?????
      C:\WINDOWS\System32\ezykahv.exe  ?????
      C:\WINDOWS\System32\r?ndll32.exe
      C:\WINDOWS\System32\twink64.exe
      C:\WINDOWS\System32\windos.exe
      C:\WINDOWS\wupdt.exe

~Delete the following files/folders:
      C:\Program Files\Web_Rebates\
      C:\Program Files\Ezula\
      C:\Program Files\WebOffers\
      C:\Program Files\CXtPls\
      C:\Program Files\AutoUpdate\
      C:\Program Files\SurfSideKick 2\
      C:\Documents and Settings\Steve\Application Data\osoa.exe
      C:\WINDOWS\satmat.exe
      C:\WINDOWS\wupdt.exe
      C:\WINDOWS\System32\r?ndll32.exe
      C:\WINDOWS\System32\brods.exe      ?????
      C:\WINDOWS\System32\q_emyd.exe      ?????
      C:\WINDOWS\System32\twink64.exe
      C:\WINDOWS\System32\ezykahv.exe  ?????
      C:\WINDOWS\System32\bcmwltry.exe ??? Are you running on a wireless network?

~Delete the following from your trusted Zones and add to restricted zones:
      *.blazefind.com
      *.clickspring.net
      *.crazywinnings.com
      *.flingstone.com
      *.mt-download.com
      *.my-internet.info
      *.searchbarcash.com
      *.searchmiracle.com
      *.skoobidoo.com
      *.slotch.com

I hope all of this helps. ~Charly
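
As an added example (not code from HijackThis, ie-spyad or anyone in this thread), a Python triage of the log format this thread turns on: it pulls out the O1 hosts redirects rossfingal ties to Look2Me/VX2, the repeated O10 LSP entries, the O15 trusted-zone grants and the O4 Run entries whose command is a bare file name or lives in the user profile, then drafts the .reg that moves the O15 domains into Restricted sites as Charly's last step describes. The heuristics and the ZoneMap\Domains registry layout (zone 2 Trusted, 4 Restricted) are my assumptions about Internet Explorer, not something the thread states.

```python
"""Triage a HijackThis 1.98 log and draft the Restricted-sites .reg fix.

Added example for this thread; not code from HijackThis, ie-spyad or any
poster. SAMPLE_LOG is copied from Tigershark-One's first log. The checks
only catch structural tells; randomly named binaries in System32 (ezykahv.exe,
brods.exe) still need the manual research Charly marks with question marks.
"""
import re

SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [kwgekpdlnbgjx] C:\WINDOWS\System32\ezykahv.exe
O4 - HKLM\..\Run: [t7oV3EP] q_emyd.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Steve\Application Data\osoa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.slotch.com
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Program part of a Run value: a quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?:\s|$)', re.IGNORECASE)
# Directories a boot-time program has no business living in on an XP box.
PROFILE_RE = re.compile(r"\\(Application Data|Local Settings|Temp|LOCALS~1)\\", re.IGNORECASE)

# Assumed IE layout: ZoneMap\Domains\<domain>, value "*" = zone id (2 Trusted, 4 Restricted).
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
RESTRICTED_SITES = 4


def parse_log(text):
    """Yield (section, body) for each 'Onn - ...' line; header and process list are skipped."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def exe_path(cmd):
    """Return the program a Run value launches, without quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def triage(text):
    """Collect the suspicious entries of a HijackThis log, grouped by section."""
    out = {"hosts": [], "run": [], "lsp": [], "trusted": []}
    for section, body in parse_log(text):
        parts = body.split()
        if section == "O1" and parts[:1] == ["Hosts:"] and len(parts) >= 3:
            ip, host = parts[1], parts[2]
            if not ip.startswith("127."):  # anything but loopback silently redirects lookups
                out["hosts"].append((host, ip))
        elif section == "O4":
            m = RUN_ENTRY.match(body)
            if not m:
                continue
            path = exe_path(m.group("cmd"))
            if "\\" not in path:
                out["run"].append((m.group("name"), path, "bare file name, found via search path"))
            elif PROFILE_RE.search(path):
                out["run"].append((m.group("name"), path, "runs from user profile or temp"))
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            dll = body.split(":", 1)[1].strip()
            if dll.lower() not in (d.lower() for d in out["lsp"]):  # one line per LSP layer
                out["lsp"].append(dll)
        elif section == "O15" and body.startswith("Trusted Zone:"):
            domain = body.split(":", 1)[1].strip()
            out["trusted"].append(domain[2:] if domain.startswith("*.") else domain)
    return out


def restricted_zone_reg(domains):
    """Draft a .reg that moves each O15 domain from Trusted sites to Restricted sites.

    '[-key]' deletes whatever zone value the adware wrote; the key is then
    recreated with "*"=4 so the domain is restricted for every scheme.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in domains:
        lines += [f"[-{ZONEMAP}\\{d}]", f"[{ZONEMAP}\\{d}]",
                  f'"*"=dword:{RESTRICTED_SITES:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, items in result.items():
        for item in items:
            print(f"{kind:8}", item)
    print(restricted_zone_reg(result["trusted"]))
```

Run it as a script to see the flagged entries and the .reg text for the sample log; with a full log, review the output by hand before importing anything, since the O4 checks are hints, not verdicts.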

Expert Comment

by:Rabba367
ID: 12700045
Again, just my thoughts on this of course - but digging through the registry, deleting files, etc. will take forever and if you miss something - you will still be infected.   It is better to have a one-time headache of ensuring you have a clean copy of windows fully installed and Ghostable - so that you can just reload the OS in the future.  It takes about 7 minutes to bring a Ghost copy back to life - whereas it takes forever to talk about the latest threat.   I have my computer scheduled to reghost itself every night, so that in the morning I have a fresh OS.  Just makes more sense to me in terms of time.

Expert Comment

by:CharlyPhilly
ID: 12704378
I'm not saying it's not a good idea, please don't think I'm badmouthing you Rabba. I just feel you learn more when you fix things, that way if something was to come up in the future, you know what signs to look for. Especially since hacks are getting worse and will eventually leak to the other partitions (if they haven't already).

Author Comment

by:Tigershark-One
ID: 12780460
All,

Thank you for the helpful suggestions.  My problems appear to have been largely solved by using Giant's antispyware software, LSPFix, HiJackThis in conjunction with other tools, and anti-virus software (McAfee).

A few questions, mainly for CharlyPhilly.  You wrote  "Download and run the adult.reg & ieads.reg registry files from the iespyad.zip on https://netfiles.uiuc.edu/ehowes/www/res/ie-spyad.zip . This will add sites to your restricted zones to block ads that infect your computer.

Installing both SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) and SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html) will PREVENT Spyware from loading onto your computer."

Questions:
1. How comprehensive are the restricted site lists from netfiles.uiuc.edu?
2. Seems like the list would become obsolete quickly?  Is there a need to frequently update?
3. Giant's antispyware seems to block spyware from loading.  What do SpywareBlaster and SpywareGuard do that Giant's software and McAfee's antivirus software do not (McAfee's antivirus claims to block spyware)?
4. Finally, how do I know that I'm COMPLETELY free of spyware, malware (the HiJackThis log evaluator still shows some entries as questionable ... the "016"s ... see log below)

Here's my HiJackThis log now:

Logfile of HijackThis v1.98.2
Scan saved at 12:06:00 AM, on 12/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Steve\My Documents\Backed Up\Computer\Hijack Help\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [CleanUp] C:\DOCUME~1\Steve\LOCALS~1\Temp\2004128212416_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [cw79ROjEQ] iyuemsp.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab


Tigershark-One




Expert Comment

by:SheharyaarSaahil
ID: 12784623
Your log seems to be fine..... just Fix these two entries,

O4 - HKLM\..\Run: [CleanUp] C:\DOCUME~1\Steve\LOCALS~1\Temp\2004128212416_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [cw79ROjEQ] iyuemsp.exe

and after a restart, delete these two files if they are present on your system.... in fact delete all the files present in the C:\Documents and Settings\Steve\Local Settings\Temp folder !!

Expert Comment

by:CharlyPhilly
ID: 12785176
Giant AntiSpyware takes advantage of real-time security for any spyware/adware within their database, but I had you download the trial version which only lasts for like 15 days. If you purchased it then that is great. I use Giant in conjunction with Symantec Client Security AntiVirus & Firewall and have very restrictive settings. I will be installing both SpywareBlaster and SpywareGuard as soon as I get internet at home.

You can never go wrong with extra protection. The restricted sites lists are added to your Internet Explorer to help fight against drive-by ActiveX downloads. It's updated once in a while. You can download the files, right-click and edit the reg files to view the contents. With loading SpywareBlaster and SpywareGuard, it's just that extra step. No spyware/adware database is perfect. I just use Giant's because it is larger. Those other two programs may find something faster than Giant and vice versa. Giant has an extra hand up because it has that SpyNet community. So when new threats pop up, you automatically get protected because they have folks working night and day on ways to fight this madness.

Lastly, you should go ahead and delete those last O16's; they are unnecessary and hog resources. Also, use the file shredder when you delete these files. It makes them unrecoverable.

Expert Comment

by:ashishjvw
ID: 12901086
I suggest you take a backup, then format the PC.

1) install antivirus and adware apps in advance
2) keep definitions updated
3) don't visit unknown porn sites.

Expert Comment

by:Wolfhere
ID: 12934669
Try Pestpatrol.. either the older version (the company was recently bought by CA) or the newer one, EZ Pestpatrol. Most freeware versions have no database to refer to. And most do not do auto updating of the definitions (like antivirus programs are supposed to do). You can try it out by going to: http://store.ca.com/dr/v2/ec_main.entry25?page=PestPatrolprodpage&client=ComputerAssociates&sid=35715
and do the free spyware scan

Expert Comment

by:Cfarge
ID: 12991035
Agreed with ashishjvw, if all else fails, format.  Malware sucks.  I'd recommend installing SpywareBlaster as soon as you install a fresh OS, as its only purpose is to prevent malware, not repair infected files on your computer.

Expert Comment

by:bkdar
ID: 12999371
I ran across this problem and even after you run the spyware tools and such, it might try to stay there.

If you go to Display Properties - Desktop- Customize Desktop - Web You will be able to kill any web wallpaper that stupid spyware might create. This along with a spyware cleaner fixed my issue.

Brian

Expert Comment

by:painwarlord
ID: 13792480
The best thing to do is to stop using spyware scanners that are passive and start working with endpoint security products that are more proactive and prevent spyware from infecting your computer ... I will suggest trying to check Trustware Antimalware or Prevx ...

Remember that Prevention is the best Cure

Regards
Painwarlord

Expert Comment

by:Captain_Spyware
ID: 13863150
Tigershark-One,

In all my time fighting spyware on some of the dedicated anti-spyware forums, I've never seen Microsoft Anti-Spyware remove a Look2Me infection. Even though your 'outdated' version of HijackThis is 'relatively' clean compared to what it started as, this infection will still be very much alive and kicking inside your machine and downloading further nasty dll files every time you hook up to the net. There's only one program that effectively removes this infection and clears up the mess it leaves and that is L2mfix.

You should also be aware that this infection is a magnet for further malware and needs to be removed asap.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option 1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT:  Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

As a side note, I suggest you ignore all recommendations to use HijackThis Analysers unless you know what you're doing. They're unreliable and often miss malware. Not to mention flagging legit entries for removal. Once Look2Me is removed, we'll clean the rest up.

Expert Comment

by:rossfingal
ID: 13863998
What - not use the (or any) HijackThis Analyzers -
they tell you "exactly" what to fix - they're "infallible" -
they know "exactly" what to fix - Don't they??
Ask some of the
"Experts" here!
RF
I love gum!

Expert Comment

by:Wolfhere
ID: 13866060
So I download this no-name piece of software, install it and run a batch file? Then it's supposed to tell me how to uninstall the malware/spyware manually after running in the background for several minutes? So a window pops up and tells me I have a problem? Funny... sounds familiar.
I do not want any of my customers downloading freeware, installing and running a piece of software that only tells them they have a problem and how to fix it.  That sounds like some of the malware/spyware they are trying to remove.
Take a well known software package, such as eTrust and/or Symantec, and stop beating this horse to death. No one has the perfect solution. Symantec knows they dropped the ball on spyware, but they are working very hard to make up for that mistake. NAV 2005 has spyware removal capabilities now and the new Corporate edition looks promising. eTrust Pestpatrol has to be run periodically to remove the spyware because the front end engine cannot keep up with new entries into their already large database (very much like virus definitions).
Then run something like Registry Mechanic (registered of course) and get rid of the rest of the 'stuff' left behind by the malware/spyware. I have no way of finding all the right entries in the CurrentControlSet, or removing invalid entries in the Add/Remove programs. I am not going to go brain dead stepping through removing every dll, every registry entry and every exe (bat or com) that is either left behind or purposely installed by some outside influence.
It's worth the few bucks to have a stable and clean system.
My two cents worth.

Expert Comment

by:Captain_Spyware
ID: 13867913
Wolfhere,

With all due respect, a quick Google search of 'L2MFix' will lead you to some of the most dedicated anti-spyware forums in the land. But of course I understand if you prefer to stick to the 'Trusted' well known products and eventually format your customers' computers. L2M caused havoc for several months on the anti-spyware forums until this 'no name' tool was unveiled. I suggest you research properly before pitching in on a topic you clearly know nothing about.


Expert Comment

by:rossfingal
ID: 13868049
Hi!

The only reason anyone at Experts-Exchange is directed to
run their HijackThis log through the Automatic Analysis site is here:

http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

It's not really considered a "Rule" - more of a policy or guideline.
Even members here that don't want or like seeing HJT logs posted -
realize that seeing them is frequently, necessary.

Here's the discussion that brought this about:
http://www.experts-exchange.com/Community_Support/Expert_Input/Q_21129167.html

(I really like spywareinfo (dot) com myself!)  :)

RF
