Ad Ware Pop up, Internet so slow

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

slimpeach

Thread Starter
Joined
Sep 7, 2004
Messages
2
I have been having a terrible time with my internet. It barely works and sometimes does not work at all. I usually get an ad pop up that says either "ad ware" or it will go to http://69.20.56.3/yyy10.html. When I open Explorer, my homepage will be "About blank".

I'm not very technical but I have scanned with Adaware, CWshredder, and Spybot and am still having problems. It seems every time I do an adaware scan new items are found.

I downloaded hijack this, below is my log. Any help would be greatly appreciated. Thanks!

Melissa


Logfile of HijackThis v1.98.2
Scan saved at 8:24:29 PM, on 9/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\documents and settings\sara moran\local settings\temp\oZ.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Melissa Moran\Desktop\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 #eautosearch
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Melissa Moran\Local Settings\Temp\jLFB.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 6.exe
O4 - HKLM\..\Run: [GjNFke] C:\documents and settings\sara moran\local settings\temp\GjNFke.exe
O4 - HKLM\..\Run: [oZ] C:\documents and settings\sara moran\local settings\temp\oZ.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Rydo84km.exe
O4 - HKLM\..\Run: [x3nX37O] wiackbox.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari...DHTML_US_XP.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin_US
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Until someone has time to get through the HJT log>
do these things to get ready and sit tight. Is there another pc you can reach TSG with? It might be a good idea to use the bad one as little as possible on the Net now, but if it's all you have, so be it.


NEXT:

Download this and run it, from the desktop is fine>

http://www.spychecker.com/program/winsockxpfix.html

Download this and do NOT use it, yet> just make a new folder on your desktop, name it CWS or download to a folder like My Downloads...a permanent folder, not a temp directory...I use C:\Desktop\CWS

http://www.lurkhere.com/~nicefiles/

Get the CWSHredder.exe file> it's for later.


THEN:

First, download and run this Peper trojan uninstaller, making sure you're online while running it!:
Peper-uninstaller
Next download this uninstaller and run it.
When this is done, run adaware...
Now, reboot and tap f8 frequently during bootup to go into safe mode and run that last uninstaller and adaware again to fully remove the remnants...
Reboot normally...

Then restart to Safe Mode again. (tap F8 several times etc)


In safe mode
Set Windows to show hidden files and folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Click Yes to confirm.
* Click OK.

Navigate to your Temp folders and delete the whole contents including subfolders, or whatever you can, but DON'T delete the Temp directories (folders) themselves:

# C:\Windows\Temp\
# C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\administrator\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\





THEN: run HJT and fix the following entries, you may not see all of them...no problem, just find what I list. There may be more that appear in your next log, there is nothing we can do about that right now.



C:\documents and settings\sara moran\local settings\temp\oZ.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O1 - Hosts: 69.20.16.183 #eautosearch

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Melissa Moran\Local Settings\Temp\jLFB.dll


O4 - HKLM\..\Run: [GjNFke] C:\documents and settings\sara moran\local settings\temp\GjNFke.exe

O4 - HKLM\..\Run: [oZ] C:\documents and settings\sara moran\local settings\temp\oZ.exe

O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Rydo84km.exe

O4 - HKLM\..\Run: [x3nX37O] wiackbox.exe

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

If any LSP items (lspak) appear, do not fix them just yet, but I do not think they will be there....

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab

O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin_US


NEXT: Open Windows Explorer, and find and delete all these FILES---> those at the end of the lines: again, might not all be found, no problem...

C:\documents and settings\sara moran\local settings\temp\oZ.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Documents and Settings\Melissa Moran\Local Settings\Temp\jLFB.dll

GjNFke.exe

C:\WINDOWS\System32\Rydo84km.exe

C:\Program Files\VBouncer\BundleOuter.EXE

C:\WINDOWS\System32\ms.exe

And delete these folders:

C:\Program Files\VBouncer<---this folder

C:\WINDOWS\system32\pcs<---this one too

Empty the Recycle Bin again....


Post a new HJT log.
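
The manual pass over the HijackThis log described in this post can be approximated in code. The following is an added example, not part of the original thread and not HijackThis's own logic: the heuristics (bare-IP URLs, binaries started from a Temp folder, Hosts entries, unrecognised Winsock LSPs) are assumptions chosen to match the kinds of entries flagged here, and the sample lines are copied from the log posted above.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
O1 - Hosts: 69.20.16.183 #eautosearch
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Melissa Moran\Local Settings\Temp\jLFB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [oZ] C:\documents and settings\sara moran\local settings\temp\oZ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/d_a_loader.cab
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [...] path"
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# URL whose host is a dotted-quad IP address rather than a name
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
# Executable or DLL sitting directly in a user profile's Temp folder
TEMP_BIN = re.compile(r"\\local settings\\temp\\[^\\]+\.(?:exe|dll)\b", re.I)

def triage(log_text):
    """Return (code, reasons, body) for each entry that trips a heuristic."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path, or blank line
        code, body = m["code"], m["body"]
        reasons = []
        if code in ("R0", "R1") and IP_URL.search(body):
            reasons.append("IE page/search set to a bare-IP URL")
        if code == "O1":
            reasons.append("Hosts file entry")
        if code in ("O2", "O4") and TEMP_BIN.search(body):
            reasons.append("autostart or BHO loaded from a Temp folder")
        if code == "O10" and "unknown file" in body.lower():
            reasons.append("unrecognised Winsock LSP")
        if code == "O16" and IP_URL.search(body):
            reasons.append("ActiveX download from a bare-IP URL")
        if reasons:
            flagged.append((code, reasons, body))
    return flagged

if __name__ == "__main__":
    for code, reasons, body in triage(SAMPLE_LOG):
        print(f"{code}: {'; '.join(reasons)}\n    {body}")
```

A flagged line is a candidate for review, not a verdict; entries the heuristics miss (such as the bare `wiackbox.exe` Run value in the log above) still need a human read.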
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi slimpeach, how are you doing with this? Can you get back to TSG forums on that computer? If you cannot, could you copy a HijackThis log from the bad machine to a floppy disk or something and take it to a computer and get the log posted here?
 

slimpeach

Thread Starter
Joined
Sep 7, 2004
Messages
2
Byteman, thanks so much for all of your time and help. I was able to follow the instructions that you gave me, however the next day my sister's friend ended up reloading windows onto our computer and it appears to be working now. Thanks again for all of your help!
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Sorry you had to do that- was something not working right? I can take the hit....did we break something?
 