
Ad Ware Pop up, Internet so slow

Discussion in 'Web & Email' started by slimpeach, Sep 7, 2004.

Thread Status:
Not open for further replies.
  1. slimpeach

    slimpeach Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    2
    I have been having a terrible time with my internet. It barely works and sometimes does not work at all. I usually get an ad pop up that says either "ad ware" or it will go to http://69.20.56.3/yyy10.html. When I open Explorer, my homepage will be "About blank".

    I'm not very technical but I have scanned with Adaware, CWshredder, and Spybot and am still having problems. It seems every time I do an Adaware scan new items are found.

    I downloaded HijackThis, below is my log. Any help would be greatly appreciated. Thanks!

    Melissa


    Logfile of HijackThis v1.98.2
    Scan saved at 8:24:29 PM, on 9/4/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\documents and settings\sara moran\local settings\temp\oZ.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Melissa Moran\Desktop\HijackThis.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 69.20.16.183 #eautosearch
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Melissa Moran\Local Settings\Temp\jLFB.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 6.exe
    O4 - HKLM\..\Run: [GjNFke] C:\documents and settings\sara moran\local settings\temp\GjNFke.exe
    O4 - HKLM\..\Run: [oZ] C:\documents and settings\sara moran\local settings\temp\oZ.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Rydo84km.exe
    O4 - HKLM\..\Run: [x3nX37O] wiackbox.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari...DHTML_US_XP.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin_US
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Until someone has time to get through the HJT log>
    do these things to get ready and sit tight. Is there another pc you can reach TSG with? It might be a good idea to use the bad one as little as possible on the Net now, but if it's all you have, so be it.


    NEXT:

    Download this and run it, from the desktop is fine>

    http://www.spychecker.com/program/winsockxpfix.html

    Download this and do NOT use it, yet> just make a new folder on your desktop, name it CWS or download to a folder like My Downloads...a permanent folder, not a temp directory...I use C:\Desktop\CWS

    http://www.lurkhere.com/~nicefiles/

    Get the CWSHredder.exe file> it's for later.


    THEN:

    First, download and run this Peper trojan uninstaller, making sure you're online while running it!:
    Peper-uninstaller
    Next download this uninstaller and run it.
    When this is done, run adaware...
    Now, reboot and tap F8 frequently during bootup to go into safe mode and run that last uninstaller and adaware again to fully remove the remnants...
    Reboot normally...

    Then restart to Safe Mode again. (tap F8 several times etc)


    In safe mode
    Set Windows to show hidden files and folders:
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Click Yes to confirm.
    * Click OK.

    Navigate to your Temp folders and delete the whole contents including subfolders, or whatever you can, but DON'T delete the Temp directories (folders) themselves:

    # C:\Windows\Temp\
    # C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\
    # C:\Documents and Settings\administrator\Local Settings\Temp\
    # C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    # C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\





    THEN: run HJT and fix the following entries, you may not see all of them...no problem, just find what I list. There may be more that appear in your next log, there is nothing we can do about that right now.



    C:\documents and settings\sara moran\local settings\temp\oZ.exe

    C:\WINDOWS\system32\pcs\pcsvc.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 69.20.16.183 #eautosearch

    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Melissa Moran\Local Settings\Temp\jLFB.dll


    O4 - HKLM\..\Run: [GjNFke] C:\documents and settings\sara moran\local settings\temp\GjNFke.exe

    O4 - HKLM\..\Run: [oZ] C:\documents and settings\sara moran\local settings\temp\oZ.exe

    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Rydo84km.exe

    O4 - HKLM\..\Run: [x3nX37O] wiackbox.exe

    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

    If any LSP (lspak) items appear, do not fix them just yet, but I do not think they will be there....

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab

    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin_US


    NEXT: Open Windows Explorer, and find and delete all these FILES---> those at the end of the lines: again, might not all be found, no problem...

    C:\documents and settings\sara moran\local settings\temp\oZ.exe

    C:\WINDOWS\system32\pcs\pcsvc.exe

    C:\Documents and Settings\Melissa Moran\Local Settings\Temp\jLFB.dll
    GjNFke.exe
    C:\WINDOWS\System32\Rydo84km.exe

    C:\Program Files\VBouncer\BundleOuter.EXE

    C:\WINDOWS\System32\ms.exe

    And delete these folders:

    C:\Program Files\VBouncer<---this folder

    C:\WINDOWS\system32\pcs<---this one too

    Empty the Recycle Bin again....


    Post a new HJT log.
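
An added example, not part of the original thread and not HijackThis's own logic: a small triage script applying three heuristics visible in the entries selected for fixing above (browser or download URLs on bare IP addresses, autoruns and BHOs loading from a Temp directory, hosts-file redirects). The function names and heuristics are assumptions; the sample lines are copied from the log posted in this thread.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
O1 - Hosts: 69.20.16.183 #eautosearch
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Melissa Moran\Local Settings\Temp\jLFB.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [oZ] C:\documents and settings\sara moran\local settings\temp\oZ.exe
O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari...DHTML_US_XP.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+", re.I)
TEMP_RE = re.compile(r"\\local settings\\temp\\|\\windows\\temp\\", re.I)  # assumed Temp paths

def host_is_ip(url):
    """True when the URL's host is a literal IP address rather than a name."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (section_code, reason, entry) for each line a heuristic matches."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, running-process path or blank line
        code, body = m["code"], m["body"]
        url = URL_RE.search(body)
        if code in ("R0", "R1", "O16") and url and host_is_ip(url.group()):
            findings.append((code, "URL points at a bare IP address", body))
        elif code in ("O2", "O4") and TEMP_RE.search(body):
            findings.append((code, "loads from a Temp directory", body))
        elif code == "O1":
            findings.append((code, "hosts file entry to review", body))
    return findings

if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}: {entry}")
```

A match is only a prompt for review; entries with random-looking names in System32, such as several in the fix list above, are not caught by these three rules.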
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi slimpeach, how are you doing with this? Can you get back to TSG forums on that computer? If you cannot, could you copy a HijackThis log from the bad machine to a floppy disk or something and take it to a computer and get the log posted here?
     
  4. slimpeach

    slimpeach Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    2
    Byteman, thanks so much for all of your time and help. I was able to follow the instructions that you gave me; however, the next day my sister's friend ended up reloading Windows onto our computer and it appears to be working now. Thanks again for all of your help!
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Sorry you had to do that- was something not working right? I can take the hit....did we break something?
     

Short URL to this thread: https://techguy.org/271356
