TechSpot

Another Hijackthis log. Please help with Adware

By bjybjy
Feb 16, 2005
  1. Last time I let my roommate use my computer unattended. I get popups every time I go to a website with keywords. If I type in a website and don't type the w's at the beginning I get a search page with links, and about every half hour an official-looking popup comes up saying I have a security firewall breach, etc.

    I've run updated versions of Adaware, Spybot S&D and CWShredder with no luck.

    Out of curiosity is there a way to make a donation via paypal or something if someone from here helps you out? That'd be a good addition I think :)

    Well here is my log file and I thank everyone in advance for any help.

    Tad
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Boot in Safe Mode
    Switch off System Restore
    Put Hijackthis in its OWN, PERMANENT directory.
    Now run HJT on its own and let it 'fix':

    C:\WINDOWS\ieop.exe
    C:\WINDOWS\System32\tibs5.exe
    C:\WINDOWS\winpl32.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A67AC66F-E66D-B230-07D8-8163A013AE40} - C:\WINDOWS\system32\appqa32.dll
    O4 - HKLM\..\Run: [3A.tmp] C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp\3A.tmp.exe 1 10001
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
    O4 - HKLM\..\Run: [winpl32.exe] C:\WINDOWS\winpl32.exe
    O4 - HKLM\..\Run: [3A.tmp.exe] C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp\3A.tmp.exe 1 10001
    O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp\D.tmp.exe 2 28129
    O4 - HKLM\..\RunOnce: [ieop.exe] C:\WINDOWS\ieop.exe
    O4 - Startup: DLHelperEXE.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
    O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
    O9 - Extra button: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - C:\Program Files\Planetluck Casino\bin\IEExtension_PL.dll
    O9 - Extra 'Tools' menuitem: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - C:\Program Files\Planetluck Casino\bin\IEExtension_PL.dll
    O9 - Extra button: partybingo.com - {9CDE474A-A688-48f4-8B49-55CFB2356A6F} - C:\Program Files\PartyBingo\bin\IEExtension_PB.dll
    O9 - Extra 'Tools' menuitem: partybingo.com - {9CDE474A-A688-48f4-8B49-55CFB2356A6F} - C:\Program Files\PartyBingo\bin\IEExtension_PB.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
    O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)

    ALL lines with O16 - DPF:

    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\mfcqd32.exe (file missing)

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Clean EVERYTHING from C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp
    Reboot in Safe Mode
    Make a new HJT log and post it here.

    You sure it was your roommate?

    I would give you my secret offshore account number in the Cayman Islands, but Internal Revenue would be down on me like a ton of bricks in a jiffy!
    So I'll help you out for nought.
     
  3. bjybjy

    bjybjy TS Rookie Topic Starter

    Looks like everything is back to normal. I play poker professionally so I didn't delete all of the gambling software. But aside from a few of the O15's staying it looks like everything is fixed and IE is working now. Are the O15s something to worry about? Thanks for all your help so far!
    Thanks!
    Tad
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    The golden rule is not to trust ANYBODY. Run HJT and delete those O15 entries.
    These O15 entries were put there from outside, meaning that the security settings of your IE are medium at best.
    But you never know who owns those websites tomorrow, or what software they install on your PC behind your back!
    You can have them in your Bookmarks/Favorites if you like.

    Otherwise your log is clean.
    Stop using IE, except for Windows updates.
    Go get Firefox from www.getfirefox.com and use that from now on. Firefox also stops loads of pesky popups.
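    As an added illustration (not code from this thread or from HijackThis itself), the script below does in code the kind of triage the helper did by hand on the log in post 2 and in the O15 advice just above: it parses lines in HJT log format and flags the structural warning signs (R0/R1 search pages pointing at a res:// resource in a local DLL, an unnamed BHO, Run entries launching from a Temp folder, Trusted Zone additions, a service whose binary is missing). The sample log is constructed from the entries quoted in the thread; the rule set and severity labels are my own choices, not HJT's, and judging a file by its name (winpl32.exe, tibs5.exe) is deliberately left to the analyst.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: a few lines in HijackThis log format, taken from the
# entries quoted in the thread above (paths and CLSIDs are the page's own).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A67AC66F-E66D-B230-07D8-8163A013AE40} - C:\WINDOWS\system32\appqa32.dll
O4 - HKLM\..\Run: [3A.tmp] C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp\3A.tmp.exe 1 10001
O4 - HKLM\..\RunOnce: [ieop.exe] C:\WINDOWS\ieop.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\mfcqd32.exe (file missing)
"""

@dataclass
class Finding:
    line: str       # the original log line
    severity: str   # "high", "medium" or "info"
    reason: str     # why the line was flagged

# Every HJT entry starts with a section code (R0..R3, F0..F3, N1..N4, O1..O24), then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+)\s+-\s+(?P<body>.+)$")

def classify(kind: str, body: str) -> Optional[Tuple[str, str]]:
    """Structural checks only: they look at where an entry points, not at file names.
    Judging a name such as winpl32.exe or tibs5.exe still needs an analyst or a
    reference database, which is the part the forum helper supplied by hand."""
    if kind in ("R0", "R1") and "res://" in body:
        return "high", "IE start/search page redirected to a res:// page inside a local DLL"
    if kind in ("R0", "R1") and body.endswith("about:blank"):
        return "medium", "start page set to about:blank; fix together with the other hijacked R0/R1 lines"
    if kind == "R3" and "URLSearchHook is missing" in body:
        return "medium", "default URLSearchHook removed; let HJT restore the Microsoft default"
    if kind == "O2" and "(no name)" in body:
        return "high", "unnamed Browser Helper Object loaded into every IE process"
    if kind == "O4" and "\\temp\\" in body.lower():
        return "high", "autorun entry launching an executable from a Temp directory"
    if kind == "O4" and "RunOnce" in body:
        return "medium", "RunOnce entry: runs at next logon, verify the target file before rebooting"
    if kind == "O15":
        return "medium", "domain added to the IE Trusted Zone, where content runs with relaxed security settings"
    if kind == "O23" and "(file missing)" in body:
        return "medium", "service registered but its binary is gone; orphaned entry, safe to remove"
    if kind == "O9":
        return "info", "extra IE button / Tools menu item; legitimate only if you installed that software yourself"
    return None

def triage(log_text: str) -> List[Finding]:
    """Parse an HJT log and return the lines worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                       # blank line or a header/footer, not an entry
        verdict = classify(m.group("kind"), m.group("body"))
        if verdict:
            findings.append(Finding(line, *verdict))
    return findings

def fix_list(findings: List[Finding], min_severity: str = "medium") -> List[str]:
    """Lines to hand to HJT's 'Fix checked' at or above the given severity."""
    rank = {"info": 0, "medium": 1, "high": 2}
    return [f.line for f in findings if rank[f.severity] >= rank[min_severity]]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

    Run on the sample, it flags eight of the nine entries for fixing and leaves the O9 PartyPoker button as informational, which matches the thread: the poster kept the poker clients he installed himself, while the O15 Trusted Zone entries stay on the fix list no matter who added them.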
     
  5. bjybjy

    bjybjy TS Rookie Topic Starter

    How would you suggest getting rid of the O15s? I run HijackThis, fix them, then run it again right away and they are back.

    All help is appreciated.

    Tad
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

Topic Status:
Not open for further replies.
