
Spy program, not a worm

Discussion in 'Virus & Other Malware Removal' started by cres, Oct 10, 2003.

  1. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    I accidentally downloaded a program that keeps installing all these different programs onto my computer. Some the computer won't let me uninstall. Most have files that you can't see even if you have "show hidden files" on.

    It installs programs like: SuperBar, eXact, eZula, ClockSync, Bargain Buddy, Purity Scan, etc..

    If I start up in the command prompt I can delete all of these folders, along with:

    c:\Program Files\xerox\nwwia\
    and
    c:\Program Files\Microsoft frontpage\version3.0\bin\

    which I am unsure are even involved in this problem. But they all come back.

    I have even used ad-aware to quarantine all the programs, which has helped, yet two executables:

    Imr4fM.exe
    and
    atievxx.exe

    keep running when I start up, in fact they appear in task manager before WINLOGON.EXE, chronologically. If I search for the files, Windows XP can't find them - so I can't delete them. When I try to close them in Task Manager they either re-open, or install new programs, or open new executables. So I can't figure out how to get rid of them, or set up the computer to make sure it doesn't execute these files at the outset. In fact it even says that the program was called by me and not "SYSTEM".

    Can anyone help?
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    c:\Program Files\xerox\nwwia\
    and
    c:\Program Files\Microsoft frontpage\version3.0\bin\

    are Windows folders that cannot be deleted, as they are needed by some part of the operating system, even though they normally remain empty at all times.

    atievxx.exe is part of your graphics card drivers

    as to other problems

    go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  4. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    OAKTASK.EXE is my external CD-Burner.

    Imr4fM.exe and Njw7.exe are suspicious and I don't know what realsched.exe is.

    Here is my log:

    Logfile of HijackThis v1.97.3
    Scan saved at 6:17:58 PM, on 10/10/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
    C:\WINDOWS\System32\IEDriver\IEDriver.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\System32\Njw7.exe
    C:\WINDOWS\System32\Imr4fM.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\__deleteme\HijackThis.exe
    C:\WINDOWS\System32\svchost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.princeton.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\oo4.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BD8EB67E-0FAD-4A89-8218-C4E4E31486AA} - C:\WINDOWS\System32\vb5astkit.dll
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\System32\bpv1a.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.EXE
    O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [4WP9HH#4XJ96XS] C:\WINDOWS\System32\Ajh6ry6.exe
    O4 - HKLM\..\Run: [oo4] RunDLL32.EXE C:\WINDOWS\oo4.dll,DllRun
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\jgaffney\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .obj: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir_nr.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.7210416667
    O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/lsacd_xmlwebservices/Http/OIFActiveX/ofmctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    These entries are
    O4 - HKLM\..\Run: [4WP9HH#4XJ96XS] C:\WINDOWS\System32\Ajh6ry6.exe
    C:\WINDOWS\System32\Njw7.exe
    C:\WINDOWS\System32\Imr4fM.exe

    peper.a trojan
    the way to remove it is: either
    http://www.nod32.com/download/trial.htm
    or
    Download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then run a full system scan.

    You have got other problems, but get rid of that difficult-to-remove trojan first and we can fix the rest easily.

    You aren't running an antivirus, so the easiest way would be to use the NOD antivirus download.
     
  6. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    Okay, I ran NOD32 and I have put my new log below. Access was denied to:

    C:\PAGEFILE.SYS
    and
    C:\hiberfil.sys

    I also now see two new folders:

    c:\undo\

    with a 559MB file called "BACKUP"

    and

    C:\FOUND.000\

    New computer is still running slow as crap - especially the file EXPLORER program, and on IE there is some weird Search Toolbar which was never there before, plus Sidesearch is still an option on View-Explorer Bar.

    What do I need to do now to fix the other problems you noticed? By the way thanks a lot for your help, I can't believe how much of a problem this stupid program I downloaded has caused. No more softseek.com for me.

    Logfile of HijackThis v1.97.3
    Scan saved at 10:07:32 PM, on 10/10/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Atievxx.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
    C:\WINDOWS\System32\IEDriver\IEDriver.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\__deleteme\HijackThis.exe
    C:\__deleteme\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.princeton.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\oo4.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BD8EB67E-0FAD-4A89-8218-C4E4E31486AA} - C:\WINDOWS\System32\vb5astkit.dll
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\System32\bpv1a.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.EXE
    O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [oo4] RunDLL32.EXE C:\WINDOWS\oo4.dll,DllRun
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\jgaffney\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .obj: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir_nr.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.7210416667
    O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/lsacd_xmlwebservices/Http/OIFActiveX/ofmctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. man1ac

    man1ac

    Joined:
    Oct 7, 2003
    Messages:
    18
    also fix these items on hijackthis:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
     
  8. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    OK, thanks. I did that and now here's my log, below. Is there anything else I should take care of while I'm doing this. I would like to eliminate all the garbage I don't need.

    Logfile of HijackThis v1.97.3
    Scan saved at 12:25:19 AM, on 10/11/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Atievxx.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
    C:\WINDOWS\System32\IEDriver\IEDriver.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\__deleteme\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.princeton.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\oo4.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BD8EB67E-0FAD-4A89-8218-C4E4E31486AA} - C:\WINDOWS\System32\vb5astkit.dll
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\System32\bpv1a.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.EXE
    O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [oo4] RunDLL32.EXE C:\WINDOWS\oo4.dll,DllRun
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\jgaffney\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .obj: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir_nr.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.7210416667
    O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/lsacd_xmlwebservices/Http/OIFActiveX/ofmctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    Also if I remove:

    O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.EXE
    O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE

    Will that simply stop the program from loading automatically in the taskbar, or is it more complicated than that?
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    I wouldn't remove any of the OAKSTART entries, otherwise you will have problems with it and probably be unable to use the external CD-ROM.

    Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows and press "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\oo4.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {BD8EB67E-0FAD-4A89-8218-C4E4E31486AA} - C:\WINDOWS\System32\vb5astkit.dll
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\System32\bpv1a.dll
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [oo4] RunDLL32.EXE C:\WINDOWS\oo4.dll,DllRun
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing

    Then reboot and delete the following files or folders by using Windows Explorer: navigate to them, highlight the file/folder and press Delete.
    Make sure that you have all files set to show by opening Explorer > Tools > Folder Options > View and making sure that "Show hidden files and folders" is ticked and "Hide protected operating system files" is UNticked:
    C:\WINDOWS\System32\bpv1a.dll
    C:\WINDOWS\System32\btiein.dll
    C:\WINDOWS\oo4.dll
    C:\WINDOWS\System32\vb5astkit.dll
    C:\WINDOWS\System32\IEDriver\IEDriver.exe...(entire IEdriver folder)
    to fix the
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    Download LSPfix here: http://www.cexx.org/lspfix.htm
    Launch the application, and click the "I know what I'm doing" checkbox.
    and run the application.

    then to give the system a good clean out from other parasites and left over bits
    download AdAware 6 181
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.

    then
    Download Spybot - Search & Destroy from http://security.kolla.de


    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then post a new hijackthis log to check what is left
     
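The triage rules used in this thread (dvk01's identification of the randomly named Run entries in post 5, man1ac's hosts-file lines, and dvk01's "fix checked" list above) can be written down as a small script. The following is an added example, not part of the thread and not a HijackThis feature: it reads HijackThis-style log lines, applies those heuristics, and reports why each line was flagged. The sample log is constructed from entry types posted in this thread plus one benign hosts line for contrast; the function names and the randomness heuristic are this example's own assumptions.

```python
"""Heuristic triage of HijackThis-style log lines (added example)."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: entry types copied from the logs posted in this
# thread, plus a benign loopback hosts line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.princeton.edu/
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\oo4.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [4WP9HH#4XJ96XS] C:\WINDOWS\System32\Ajh6ry6.exe
O4 - HKLM\..\Run: [oo4] RunDLL32.EXE C:\WINDOWS\oo4.dll,DllRun
O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
"""

R_RE = re.compile(r"^R[0-3] - (?P<reg>.*?) = (?P<value>.*)$")
O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - .*?\[(?P<label>[^\]]+)\]\s*(?P<cmd>.*)$")


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): a short Run label or file stem
    that mixes letters and digits, or contains '#', reads as machine-generated.
    It also catches legitimate names such as nod32kui, so treat a hit as a
    prompt for human review, not a verdict."""
    stem = name.split(",")[0].rsplit(".", 1)[0]
    if "#" in stem:
        return True
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    return has_digit and has_alpha and len(stem) <= 12


def check_r(line: str) -> Optional[str]:
    """R0-R3: IE start/search settings pointing at a local file are a hijack.
    'Local Page' legitimately points at a local blank page, so it is skipped."""
    m = R_RE.match(line)
    if not m:
        return None
    key = m.group("reg").rsplit(",", 1)[-1]
    value = m.group("value").strip()
    if key == "Local Page":
        return None
    if value.lower().startswith("file://") or re.match(r"^[a-z]:\\", value, re.I):
        return f"IE {key} points at a local file: {value}"
    return None


def check_o1(line: str) -> Optional[str]:
    """O1: any hosts entry that maps a name to a non-loopback address
    silently redirects that site (here, search engines) to another server."""
    m = O1_RE.match(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return f"hosts entry with unparseable address: {m.group('ip')}"
    if addr.is_loopback:
        return None
    return f"hosts file redirects {m.group('host')} to {addr}"


def check_o2(line: str) -> Optional[str]:
    """O2: an unnamed Browser Helper Object loaded from outside Program Files
    (e.g. straight from the Windows directory) deserves a look."""
    m = O2_RE.match(line)
    if not m:
        return None
    if m.group("name") == "(no name)" and "program files" not in m.group("path").lower():
        return f"unnamed browser helper object loaded from {m.group('path')}"
    return None


def check_o4(line: str) -> Optional[str]:
    """O4: Run entries whose label or target binary looks machine-generated.
    For rundll32 entries the DLL path is inspected instead of rundll32 itself."""
    m = O4_RE.match(line)
    if not m:
        return None
    label = m.group("label")
    tokens = m.group("cmd").replace('"', "").split()
    if not tokens:
        return None
    target = tokens[1] if tokens[0].lower().startswith("rundll32") and len(tokens) > 1 else tokens[0]
    basename = target.split(",")[0].replace("/", "\\").rsplit("\\", 1)[-1]
    if looks_random(label) or looks_random(basename):
        return f"autostart with machine-generated name: [{label}] -> {basename}"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line a reviewer should look at."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = None
        if re.match(r"^R[0-3] ", line):
            reason = check_r(line)
        elif line.startswith("O1 "):
            reason = check_o1(line)
        elif line.startswith("O2 "):
            reason = check_o2(line)
        elif line.startswith("O4 "):
            reason = check_o4(line)
        elif line.startswith("O10 "):
            reason = "Winsock LSP chain is broken; repair it before removing anything else"
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {flagged_line}")
```

Running it flags the `file://` search bar, the 216.177.73.139 hosts redirect, the unnamed BHO in C:\WINDOWS, the two randomly named Run entries and the broken LSP line, and leaves the Princeton start page, the loopback hosts line, the Google toolbar BHO and the OAKTASK autostart alone. The randomness check is deliberately crude; it is the kind of filter that tells a helper where to look first, which is why the thread still asks for the full log to be posted rather than fixed blindly.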
  11. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    Okay I did what you said, but:

    a) the following files were not there or were unable to be deleted:
    - C:\WINDOWS\System32\bpv1a.dll
    - C:\WINDOWS\System32\btiein.dll
    - C:\WINDOWS\oo4.dll
    but the other two were removed.

    b) I ran lspfix.exe, clicked "I know what I'm doing", but the only run button I saw was "FINISH". It said "REPAIRS MADE" but 0 files removed, added etc. Did I do this right?

    c)Here is the log I got after I was finished, but before I reset the computer:

    Logfile of HijackThis v1.97.3
    Scan saved at 11:05:25 AM, on 10/11/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\__deleteme\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tigernet.princeton.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.EXE
    O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\jgaffney\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .obj: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir_nr.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.7210416667
    O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/lsacd_xmlwebservices/Http/OIFActiveX/ofmctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  12. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    I have Kazaa Lite on my computer - should I delete that? I never use it and I heard it may have tracking stuff on it.

    Also what about the google toolbar, does this spy - should I get rid of it?
     
  13. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    One more thing - is there a way for me to get my OAK CD-BURNER off the taskmanager and not start up when the computer does, it doesn't seem to have a preference setting for this. What about AdAware - or am I better off having this run when the CPU starts up?
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    Most external CD burners don't work well if they aren't detected when windoze starts, despite the bumph alleging that you can hot-link them via USB port and they will start.

    I have found that windoze frequently won't recognise them, so let them start up at boot.

    Kazaa Lite is allegedly spyware-free and safe to use if you want that sort of thing.

    Google toolbar is about the most useful thing invented, and the minor allegations of it spying are so minor that they should be ignored. Keep it; I wouldn't be without it.
     
  15. cres

    cres Thread Starter

    Joined:
    Oct 10, 2003
    Messages:
    28
    so are there any other problems in my log, or do things look like they're running alright again?

    Thanks again to everyone who helped me out with this, my computer was really screwed there for a while.
     