1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Spyware, lsp break, and dead puppies make me cry

Discussion in 'Virus & Other Malware Removal' started by Infidel_Kastro, Apr 2, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    Good Morning,
    One of my students brought me her computer and it has a wee problem. She cannot get internet explorer to come online, but I ran adaware and was able to get an update, so there is a link there. Bunch of stuff on adaware, I'll remove it later, but one of the things was an lsp error, along with your general browser hijacks, data miners, etc. If someone, and by the lloks of whose on line I'll guess Derek, sould look over the HJT log and let me know what I need to fix, I would appreciate it. And yes, I know that http://server224.smartbotpro.net/7search/?hkcu shouldn't be there. Thats a fun little bugger. I went to the link to check it out and AVG caught it immediately as the startpage virus.
    Andrew
    Logfile of HijackThis v1.97.7
    Scan saved at 8:31:37 AM, on 4/2/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\EWARE\IWARE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    A:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R3 - Default URLSearchHook is missing
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://bn.my.yahoo.com/"); (C:\Program Files\Netscape\Users\paco\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [BearShare] "C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE" /pause
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [SHEXTW] C:\WINDOWS\SYSTEM\SHEXTW.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
    O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: NetZero.lnk = C:\Program Files\NetZero\nzStart.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://netzero.looksmart.com/r?ijl&panel=netzero
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
     
  2. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Ad-Aware should have killed BookedSpace ... perhaps a new variant?

    Aaron would enjoy a copy of this:

    C:\WINDOWS\BXXS5.DLL

    Any idea what this one is?

    O4 - HKLM\..\Run: [SHEXTW] C:\WINDOWS\SYSTEM\SHEXTW.exe
     
  3. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    Hey Win, how and where should I send the file? And what do you think it is? If its valuable, can I sell it on E-Bay?:D
     
  4. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    OK, I can now get the machine to go online, so I think we are approaching the end. Lets give this a quick glance, clean it, and close the thread!(y)
    I still need to know how and where to send the file to Aaron, and who ever else wants the file.
    Andrew
    Logfile of HijackThis v1.97.7
    Scan saved at 9:49:54 AM, on 4/2/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\EWARE\IWARE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R3 - Default URLSearchHook is missing
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://bn.my.yahoo.com/"); (C:\Program Files\Netscape\Users\paco\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [BearShare] "C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE" /pause
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
    O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: NetZero.lnk = C:\Program Files\NetZero\nzStart.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://netzero.looksmart.com/r?ijl&panel=netzero
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
     
  5. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    http://submit.lavahelp.com

    Simply copy/paste the following one at a time into the box that reads "Submission File". Click "Submit new or updated target". Wait for it to upload. Repeat with the next one.

    C:\WINDOWS\BXXS5.DLL

    C:\WINDOWS\SYSTEM\SHEXTW.exe
     
  6. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    OK I submitted the dll file, but the other one was gone. UNless someone tells me otherwise, I am going to wait just abit longer, then I am going to tell the MOds to close the thread. Thanks for everyone helps, I appreciate it on this long Friday.
     
  7. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    It's already Saturday here.
     
  8. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    I'll look forward to tomorrow when I won't be in my office and have to look at the machine. Out of sight, out of mind.
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [BearShare] "C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE" /pause

    O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
    O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE

    then
    Reboot normally & be warned , normally this comes back with a vengenge.
    In 98 or ME this seems to trigger the new Adtomi parasite that neeeds special cleaning. the first sign of it is a mass odf strange named files in a hjt log and a Yahoo stocks icon in the task bar

    Most of the problems are down to Bearshare P2P program, what I have said to fisx, won't remove that just stop it starting at boot time and let the user start it when they want to
     
  10. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    OK, I went into safe mode. when you say "open windows explorer & go to Tools>Folder options." Are you saying to open a web browser, which in this case is offline, and at the top, click on tools. If so, under tools it does not give me the option of "Folder options". Please verify that I am an idiot.:D
    Andrew
     
  11. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    OK, never mind, I figured out what I was doing wrong. I now have all the files shown, but I cannot find the atiupdate5.exe file. Its not there.:confused:
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    start/run type explorer

    not IE but what we oldies used to call file manager in win 3.1
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    try to delete it from mteh desktop

    but I don't thinkm it shows in safe mode

    otherwise if it is only showing when connectd to the net as I suspect it is, then when connected right click it & select remove
     
  14. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    Did that, still no atiupdate5.exe file. Am I doing something wrong?

    HOLD ON. POsted before I read previous message.
     
  15. Infidel_Kastro

    Infidel_Kastro Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5,402
    "mteh desktop" Typo?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Spyware break dead
  1. rjay13
    Replies:
    0
    Views:
    156
  2. dano_61
    Replies:
    14
    Views:
    770
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/216800

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice