Spyware, lsp break, and dead puppies make me cry

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Infidel_Kastro

Thread Starter
Joined
Nov 21, 2003
Messages
5,402
Good Morning,
One of my students brought me her computer and it has a wee problem. She cannot get internet explorer to come online, but I ran adaware and was able to get an update, so there is a link there. Bunch of stuff on adaware, I'll remove it later, but one of the things was an lsp error, along with your general browser hijacks, data miners, etc. If someone, and by the lloks of whose on line I'll guess Derek, sould look over the HJT log and let me know what I need to fix, I would appreciate it. And yes, I know that http://server224.smartbotpro.net/7search/?hkcu shouldn't be there. Thats a fun little bugger. I went to the link to check it out and AVG caught it immediately as the startpage virus.
Andrew
Logfile of HijackThis v1.97.7
Scan saved at 8:31:37 AM, on 4/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\EWARE\IWARE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
A:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://bn.my.yahoo.com/"); (C:\Program Files\Netscape\Users\paco\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BearShare] "C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [SHEXTW] C:\WINDOWS\SYSTEM\SHEXTW.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: NetZero.lnk = C:\Program Files\NetZero\nzStart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://netzero.looksmart.com/r?ijl&panel=netzero
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
 
Joined
Aug 18, 2003
Messages
2,438
Ad-Aware should have killed BookedSpace ... perhaps a new variant?

Aaron would enjoy a copy of this:

C:\WINDOWS\BXXS5.DLL

Any idea what this one is?

O4 - HKLM\..\Run: [SHEXTW] C:\WINDOWS\SYSTEM\SHEXTW.exe
 

Infidel_Kastro

Thread Starter
Joined
Nov 21, 2003
Messages
5,402
Hey Win, how and where should I send the file? And what do you think it is? If its valuable, can I sell it on E-Bay?:D
 

Infidel_Kastro

Thread Starter
Joined
Nov 21, 2003
Messages
5,402
OK, I can now get the machine to go online, so I think we are approaching the end. Lets give this a quick glance, clean it, and close the thread!(y)
I still need to know how and where to send the file to Aaron, and who ever else wants the file.
Andrew
Logfile of HijackThis v1.97.7
Scan saved at 9:49:54 AM, on 4/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EWARE\IWARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://bn.my.yahoo.com/"); (C:\Program Files\Netscape\Users\paco\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BearShare] "C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: NetZero.lnk = C:\Program Files\NetZero\nzStart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://netzero.looksmart.com/r?ijl&panel=netzero
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
 
Joined
Aug 18, 2003
Messages
2,438
http://submit.lavahelp.com

Simply copy/paste the following one at a time into the box that reads "Submission File". Click "Submit new or updated target". Wait for it to upload. Repeat with the next one.

C:\WINDOWS\BXXS5.DLL

C:\WINDOWS\SYSTEM\SHEXTW.exe
 

Infidel_Kastro

Thread Starter
Joined
Nov 21, 2003
Messages
5,402
OK I submitted the dll file, but the other one was gone. UNless someone tells me otherwise, I am going to wait just abit longer, then I am going to tell the MOds to close the thread. Thanks for everyone helps, I appreciate it on this long Friday.
 

Infidel_Kastro

Thread Starter
Joined
Nov 21, 2003
Messages
5,402
I'll look forward to tomorrow when I won't be in my office and have to look at the machine. Out of sight, out of mind.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [BearShare] "C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE" /pause

O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE

then
Reboot normally & be warned , normally this comes back with a vengenge.
In 98 or ME this seems to trigger the new Adtomi parasite that neeeds special cleaning. the first sign of it is a mass odf strange named files in a hjt log and a Yahoo stocks icon in the task bar

Most of the problems are down to Bearshare P2P program, what I have said to fisx, won't remove that just stop it starting at boot time and let the user start it when they want to
 

Infidel_Kastro

Thread Starter
Joined
Nov 21, 2003
Messages
5,402
OK, I went into safe mode. when you say "open windows explorer & go to Tools>Folder options." Are you saying to open a web browser, which in this case is offline, and at the top, click on tools. If so, under tools it does not give me the option of "Folder options". Please verify that I am an idiot.:D
Andrew
 

Infidel_Kastro

Thread Starter
Joined
Nov 21, 2003
Messages
5,402
OK, never mind, I figured out what I was doing wrong. I now have all the files shown, but I cannot find the atiupdate5.exe file. Its not there.:confused:
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
start/run type explorer

not IE but what we oldies used to call file manager in win 3.1
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
try to delete it from mteh desktop

but I don't thinkm it shows in safe mode

otherwise if it is only showing when connectd to the net as I suspect it is, then when connected right click it & select remove
 

Infidel_Kastro

Thread Starter
Joined
Nov 21, 2003
Messages
5,402
Did that, still no atiupdate5.exe file. Am I doing something wrong?

HOLD ON. POsted before I read previous message.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top