1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

I've got problems with http://mypoiskovik.com/index.htm

Discussion in 'Virus & Other Malware Removal' started by nakedwood, Jun 3, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    I've been hijacked by this site: http://mypoiskovik.com/index.htm

    I've tried everything; AdAware6 and SpybotS+D as well as HJT and Norton Antivirus. No matter how many times I try it keeps coming back.

    When I try to uninstall it using the instructions on their page: http://mypoiskovik.com/help.htm

    I'm not allowed to download it because I get an error during the download.

    I could have many problems besides this as I continually get popups.

    My email even seems to be affected because I've noticed certain words have been hi-lighted in bold and are now LINKED to more damned popups.

    I"ve had problems like this before and was able to solve them but this time I'm stumped. Please help.

    Jerry
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi nakedwood

    Welcome to TSG! :)

    Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

    Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    *Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
     
  3. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    Here is the logfile.

    I have to be honest. I tried to fix this by deleting some stuff. I hope I didn't make things worse by doing that. :(

    Anyway, the crappy mypois.... website is back. Damnit.

    Any help would be appreciated.

    Jerry

    Logfile of HijackThis v1.97.7
    Scan saved at 11:44:33 AM, on 6/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\WINDOWS\SM1BG.EXE
    C:\documents and settings\owner\local settings\temp\u8.exe
    C:\WINDOWS\System32\qgxsre.exe
    C:\WINDOWS\System32\cmccoi08.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Owner\Application Data\eber.exe
    C:\WINDOWS\System32\wnsapisv.exe
    C:\Program Files\Internet Explorer\IEengine.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\Etz3Gao2.exe
    C:\WINDOWS\System32\Alw1R.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [u8] C:\documents and settings\owner\local settings\temp\u8.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Hst0W6xh.exe
    O4 - HKLM\..\Run: [ailydvgl] C:\WINDOWS\System32\qgxsre.exe
    O4 - HKLM\..\Run: [qs6O3pj] cmccoi08.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You have several problems there. Please do the following first and then post another Hijack This log. This won't get rid of all of it, but it's a start:

    Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

    When it is finished restart your computer.


    First download and run This uninstaller:

    http://experts.spywareinfo.com/pieter/uninst.exe

    *Note: Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.


    Next, use the following tool to delete the files themselves:

    http://mjc1.com/files/mo/drpepertobackup.exe
    Download it, it will self extract to c:\.

    Restart to safe mode.

    How to start your computer in safe mode

    Before you boot to safe mode you should copy these instructions to notepad and have them on the desktop.


    In safe mode Navigate to:

    C:\drpeper\Find backup and Delete Peper files.vbs

    Doubleclick the....... Find backup and Delete Peper files.vbs file

    *Note: If your Antivirus is running a scriptblocker, when you run the .vbs file, you will recieve an alert warning you that the script is running. "Allow" the script to run.

    On the first prompt copy and paste:

    Etz3Gao2.exe

    And hit ok.

    On the second, paste:

    Hst0W6xh.exe

    And hit ok.


    It will find all the peper files and delete them. Also it makes backups in the same folder.
    It will open a text file (Peper.txt) with a list of all files deleted.

    When finished go to the C:\drpeper folder and locate the peper.txt file. Copy and paste the list from the Peper.txt file here , along with another Hijack This log.
     
  5. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    O.k..

    I've run CWShredder several times before but I did it again. When it was done and I opened up an Explorer window, it had about:blank in the address bar and nothing in the window.

    I then restarted my computer. It was very slow to shut down because of a bunch of processes that wouldn't shut down. They all ended in WIN.

    Once the computer finally restarted it was very slow to come alive and the first thing that happened was I got an error message that said Invalid Back Web Application ID "1940576". It gave me the option "ok" or the "x" to close the window. I said "ok".

    Then it took a really long time (3 minutes) for me to be able to open up a browser. When it opened, I had that crappy mypois... web search engine as my home page again.

    When I tried to click on the link to the second of your steps, which will download an unistaller, I get an error that I can either report to Microsoft or not by selecting "send error report" of "don't send". This has happened before during this episode. It's almost as if whatever insidious problem I'm having is cutting me off at the pass before I can get help.

    Any suggestions?

    Jerry
     
  6. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    So, as I've been waiting for your reply, sporadic popups happen. But not too often. It seems as if it needs to have me doing stuff to prompt their appearance.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're supposed to post another Hijack This log and a peper.txt file. :rolleyes:
     
  8. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    I guess I'm gonna sound stupid here.

    I don't know how to find the peper.txt file.

    Doh!!!!

    :eek:

    Can you point me in the right direction?

    JM
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Well you don't have a peper.txt file since you didn't complete the steps to get rid of the peper trojan. Try that again please. ie... this:

    First download and run This uninstaller:

    http://experts.spywareinfo.com/pieter/uninst.exe

    *Note: Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.


    Next, use the following tool to delete the files themselves:

    http://mjc1.com/files/mo/drpepertobackup.exe
    Download it, it will self extract to c:\.

    Restart to safe mode.

    How to start your computer in safe mode

    Before you boot to safe mode you should copy these instructions to notepad and have them on the desktop.


    In safe mode Navigate to:

    C:\drpeper\Find backup and Delete Peper files.vbs

    Doubleclick the....... Find backup and Delete Peper files.vbs file

    *Note: If your Antivirus is running a scriptblocker, when you run the .vbs file, you will recieve an alert warning you that the script is running. "Allow" the script to run.

    On the first prompt copy and paste:

    Etz3Gao2.exe

    And hit ok.

    On the second, paste:

    Hst0W6xh.exe

    And hit ok.


    It will find all the peper files and delete them. Also it makes backups in the same folder.
    It will open a text file (Peper.txt) with a list of all files deleted.

    When finished go to the C:\drpeper folder and locate the peper.txt file. Copy and paste the list from the Peper.txt file here , along with another Hijack This log.
     
  10. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    Whenever I try to download the uninstaller I get stonewalled.

    Should I try the other steps without performing the first?
     
  11. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    Here is the message that I get from Microsoft about why I'm getting the error message.

    Analysis Information

    Thank you for submitting an error report. The error was likely caused by:

    KeenValue or eUniverse

    KeenValue or eUniverse was created by eUniverse.com Inc.. For information that may help you prevent this problem from reoccurring, click on the link below.

    http://www.pestpatrol.com/mseuniversesupport.asp

    If the problem persists, please contact eUniverse.com Inc. and alert them of the problem.
     
  12. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    I actually just tried to use the second link and encountered the same Internet Explorer error message.

    But here's the latest HJThis file:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:39:01 PM, on 6/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\WINDOWS\SM1BG.EXE
    C:\documents and settings\owner\local settings\temp\u8.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\qgxsre.exe
    C:\WINDOWS\System32\cmccoi08.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\Documents and Settings\Owner\Application Data\eber.exe
    C:\WINDOWS\System32\wnsapisv.exe
    C:\Program Files\Internet Explorer\IEengine.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\WINDOWS\System32\Alw1R.exe
    C:\WINDOWS\System32\TktBUA.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [u8] C:\documents and settings\owner\local settings\temp\u8.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Hst0W6xh.exe
    O4 - HKLM\..\Run: [ailydvgl] C:\WINDOWS\System32\qgxsre.exe
    O4 - HKLM\..\Run: [qs6O3pj] cmccoi08.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Well let's try fixing as much as we can and then see if it will get you straightened out enough to download the rest,

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)

    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

    O4 - HKLM\..\Run: [u8] C:\documents and settings\owner\local settings\temp\u8.exe

    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe

    O4 - HKLM\..\Run: [ailydvgl] C:\WINDOWS\System32\qgxsre.exe

    O4 - HKLM\..\Run: [qs6O3pj] cmccoi08.exe

    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe

    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe


    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete:

    The C:\Program Files\SysAI folder
    The C:\Program Files\Common files\updmgr folder
    The C:\Program Files\Common Files\Dpi folder
    The C:\Program Files\Internet Explorer\IEengine.exe file
    The C:\WINDOWS\System32\IEHost.exe file
    The C:\WINDOWS\System32\qgxsre.exe file
    The C:\WINDOWS\System32\cmccoi08.exe file
    The C:\WINDOWS\system32\pcs folder
    The C:\WINDOWS\System32\wnsapisv.exe file
    The C:\Documents and Settings\Owner\Application Data\eber.exe file

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Owner\Local Stiings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.


    Go here and download Adaware 6 Build 181

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

    Make sure the following settings are made and on -------ON=GREEN

    From main window :Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.


    Then go here and download Spybot Search & Destroy.

    Install the program and launch it.

    Before scanning press Online and Search for Updates .

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.

    Come back here and post another Hijack This log and we'll see if we can get rid of the peper trojan.
     
  14. nakedwood

    nakedwood Thread Starter

    Joined:
    Jun 3, 2004
    Messages:
    75
    Hello again,

    Well I just got through performing all of the tasks you set me on and the computer seems to be running much better.

    Here is the HJT log;

    Logfile of HijackThis v1.97.7
    Scan saved at 11:42:14 PM, on 6/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [yzszvb] C:\WINDOWS\System32\qgxsre.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab


    I am still getting that runner error at startup that tells me I have had an Invalid Back Web Application id "1940576"

    Let me know what I need to do next when you get a moment.

    Thanks so much for all the advice up to now and in advance for what's to come.

    Jerry
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    There was a new version of CWShredder released yesterday so Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

    When it is finished restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/235329

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice