1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Hidden Weasel-Ware

Discussion in 'Virus & Other Malware Removal' started by aeuzent, Feb 7, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. aeuzent

    aeuzent Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    108
    Ok I've got a couple of obnoxious ad programs that have weaseled their way onto my system. I don't know where or how but they've screwed up more than a few security programs and allowed more friends in. I got rid of the bulk of them but there are still a few who wont go. They wont show up on Ad-Aware or Spybot but I can find them in the Add/Remove Programs menu.

    The evil one's are:
    Home Search Assistant
    Search Extender
    and
    Shopping Wizard

    The unisntall programs are bogus and only create more holes. I can't find them on the hard drive and have combed through it a couple times.

    And because I know how you guys love it here's a HijackThis log

    ------------------------------------------------------------

    Logfile of HijackThis v1.99.0
    Scan saved at 10:15:41 PM, on 2/7/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\system32\netzo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\mqtgsvc.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\WINNT\system32\winwo.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\System32\RUNDLL32.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Gaim\gaim.exe
    C:\Program Files\POP Peeper\POPPeeper.exe
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\WINNT\system32\cisvc.exe
    C:\WINNT\system32\cidaemon.exe
    C:\WINNT\system32\cidaemon.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

    7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53F522CD-B9B6-DFCE-5E2C-ABEE2ED45430} - C:\WINNT\ipvs32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19

    "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE

    /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe"

    /StartupJobs
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail

    Notifier\gnotify.exe
    O4 - HKLM\..\Run: [winwo.exe] C:\WINNT\system32\winwo.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
    O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
    O4 - Startup: YahooPOPs.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

    7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

    http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105241559142
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

    C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton

    SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Incorporated. - C:\Program Files\Trend

    Micro\Internet Security\PccPfw.exe
    O23 - Service: siregsrv - Symantec, Peter Norton Group - C:\PROGRA~1\NORTON~1\SPEEDD~1\SIREGSRV.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend

    Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend

    Micro\Internet Security\tmproxy.exe
     
  2. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
    Go to Windows Updates and download all critical updates except SP2

    Update SpyBOt and AD-Aware SE here and another scan
    http://forums.techguy.org/t110854.html

    Do a scan with Housecall and Panda

    Reboot and post another log here please
     
  3. aeuzent

    aeuzent Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    108
    Yeah I stay ontop of that regularly. And I already have SP2 and I'm not formatting over this. I'll live with it before I do that.
     
  4. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
    Hi aeuzent You should get SP1
     
  5. aeuzent

    aeuzent Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    108
    Yeah I have SP1 and SP2
    I already tried Ad-Aware and Spybot
    In fact this crap screwed up the Spybot install and I had to fix that
    I use PC-Cillin for anti-virus

    So since I have all of that well in hand what I need now is an alternative way to remove those ad programs
     
  6. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
    SP1 is not showing in your log . Perhaps reboot and post another log here please
     
  7. aeuzent

    aeuzent Thread Starter

    Joined:
    Jan 16, 2005
    Messages:
    108
    Logfile of HijackThis v1.99.0
    Scan saved at 12:48:48 AM, on 2/8/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\cisvc.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\System32\mqtgsvc.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\WINNT\system32\winwo.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\System32\RUNDLL32.EXE
    C:\WINNT\system32\netzo.exe
    C:\Program Files\Gaim\gaim.exe
    C:\Program Files\POP Peeper\POPPeeper.exe
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
    C:\WINNT\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
    C:\WINNT\system32\cidaemon.exe
    C:\WINNT\system32\cidaemon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53F522CD-B9B6-DFCE-5E2C-ABEE2ED45430} - C:\WINNT\ipvs32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [winwo.exe] C:\WINNT\system32\winwo.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
    O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
    O4 - Startup: YahooPOPs.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105241559142
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: siregsrv - Symantec, Peter Norton Group - C:\PROGRA~1\NORTON~1\SPEEDD~1\SIREGSRV.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
     
  8. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
    R3 - Default URLSearchHook is missing
    Close all windows except Hijack This

    Place a check beside this and have Hijack This " Fix Checked "

    Reboot and post another log here please
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/327981

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice