1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

adware keeps coming back - log attached

Discussion in 'Virus & Other Malware Removal' started by kwood, Oct 7, 2004.

Thread Status:
Not open for further replies.
  1. kwood

    kwood Thread Starter

    Joined:
    Oct 7, 2004
    Messages:
    1
    I run Spysweeper at least 2-3 times per day. Right after running it, my computer does seem to get a little faster but within no time at all - it is back to being slow. Spysweeper continually finds things such as WebRebates, TwainTech, Winad, Vesbiz Downloader, BargainBuddy, etc., but most often it comes back showing WildMedia. Below is a copy of my hijack this log. Any help you could give me would be greatly appreciated.
    Kelly
    Logfile of HijackThis v1.98.2
    Scan saved at 8:24:50 AM, on 10/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\lxamsp32.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\documents and settings\owner\local settings\temp\n1tKgyikn.exe
    C:\WINDOWS\System32\uydtpjx.exe
    C:\documents and settings\owner\local settings\temp\mS.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AOL COMPANION\COMPANION.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Zedd4Proj.clsUnoOne - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINDOWS\System32\AANTX.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\XRh32Lst.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mxkd] C:\WINDOWS\mxkd.exe
    O4 - HKLM\..\Run: [wvmpifwf] C:\WINDOWS\wvmpifwf.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [peb] C:\WINDOWS\peb.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [n1tKgyikn] C:\documents and settings\owner\local settings\temp\n1tKgyikn.exe
    O4 - HKLM\..\Run: [iidhnejfhgj] C:\WINDOWS\System32\uydtpjx.exe
    O4 - HKLM\..\Run: [bgrubyr] C:\WINDOWS\bgrubyr.exe
    O4 - HKLM\..\Run: [mS] C:\documents and settings\owner\local settings\temp\mS.exe
    O4 - HKLM\..\Run: [wzstkt] C:\WINDOWS\wzstkt.exe
    O4 - HKLM\..\Run: [lwtah] C:\WINDOWS\lwtah.exe
    O4 - HKLM\..\Run: [w3tU3ph] clex5016.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
    O4 - HKLM\..\Run: [nsbqf] C:\WINDOWS\nsbqf.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [h028RfNse] deffdisk.exe
    O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.2.21/holdem/holdem-ob-assets.cab
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{21C649A9-9D2A-4AC0-8C7B-0D105792584C}: NameServer = 205.188.146.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{21C649A9-9D2A-4AC0-8C7B-0D105792584C}: NameServer = 205.188.146.146
    O17 - HKLM\System\CS2\Services\Tcpip\..\{21C649A9-9D2A-4AC0-8C7B-0D105792584C}: NameServer = 205.188.146.146
     
  2. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Download and save these freeware/donationware programs to a permanent folder. Remember to check for updates and run them weekly.


    ***NOTE***A new version of Ad-aware has been released.


    ***ALSO***A new version of SpyBot's been released (v1.3...it's no longer in beta). If you have been using 1.2 you can install right over it. If you downloaded and used 1.3 beta it is suggested you remove it and reboot prior to installing.


    Ad-aware SE download

    Configure Ad-aware


    First in the main window look in the bottom right corner and click on "Check for updates now." then click Connect and download the latest reference files.

    From the main window, click Start then under "Select a scan Mode " select "Perform full system scan.

    Next deselect "Search for negligible risk entries.

    Click the "Next" button.

    When the scan is finished mark everything for removal and get delete the selections. (Right-click within the window and choose "Select All" from the drop down menu and click Next)

    Restart your computer.


    SpyBot Search and Destroy download

    Open SpyBot.

    Click the button to "Search for Updates" Download and install the Updates.

    Next click "Check for Problems".

    Put a check mark beside the red entries.

    Choose "Fix Selected Problems" and allow Spybot to fix the red entries.



    I also highly recommend you install and update SpywareBlaster Click the link below, in my signature, to read a tutorial on the use of SpyWareBlaster.



    Run Ad-aware and Spybot in Safe Mode.

    How to start your computer in Safe Mode


    Re-start your computer into normal mode and post another HJT log in this thread.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/282003

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice