TechSpot

Help Please, adware, spyware etc

By Publius
Oct 4, 2004
  1. I had the begin2search toolbar. Still have the random highlighted words throughout webpages and have an enormous amount of popups. I run adaware and spybot s&d. Any help would be greatly appreciated.

    thanks,

    Logfile of HijackThis v1.97.7
    Scan saved at 3:00:32 PM, on 10/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\WINDOWS\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\stisvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Bio-Rad\The Discovery Series\bin\TDSAuth.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\RemindMe\RemindMe.exE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\d3dim700.exe
    C:\Documents and Settings\All Users\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Program Files\Netscape\Users\mwaltsgott\prefs.js)
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O2 - BHO: (no name) - {FE103B50-A713-A70B-A32B-6216A55DE887} - C:\WINDOWS\Kfqxnekj.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Search - {F7AAA336-2262-CC4E-ECBD-9AE94AFBDE13} - C:\WINDOWS\Kfqxnekj.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Configuration Loader] newexplore.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [oleaccrc] C:\WINDOWS\System32\oleaccrc.exe
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O4 - HKCU\..\Run: [d3dim700] C:\WINDOWS\System32\d3dim700.exe
    O4 - Startup: Shortcut to RemindMe.lnk = C:\Program Files\RemindMe\RemindMe.exE
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
    O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.3988425926
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{566EDC60-138E-4CBF-BD4F-EC8019370B3F}: Domain = edpa.org
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Publius

    Welcome to TechSpot

    Boot into Safe Mode.
    Press Ctrl/Alt/Delete and go into TaskManager. Check if any of the .EXE files are running under the Applications Tab.
    If so, End them.
    Now check if any of the .EXE files are running under the Process Tab.
    If so, End them.

    Now close taskmanager and with no other windows open, run HijackThis.
    Mark all the items below, then hit the "Fix Marked" button.

    Reboot in normal mode.

    Run Adaware and Spybot S&D in their latest version, after a definition-update for each one.
    Let Spybot "immunise" your PC.
    Run these programs at least once a week from now on.


    Get rid of these:
    =================

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Bio-Rad\The Discovery Series\bin\TDSAuth.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    C:\Program Files\RemindMe\RemindMe.exE
    C:\WINDOWS\System32\d3dim700.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int
    ernet Settings,ProxyOverride = 127.0.0.1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Program Files\Netscape\Users\mwaltsgott\prefs.js)
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O2 - BHO: (no name) - {FE103B50-A713-A70B-A32B-6216A55DE887} - C:\WINDOWS\Kfqxnekj.dll
    O3 - Toolbar: Search - {F7AAA336-2262-CC4E-ECBD-9AE94AFBDE13} - C:\WINDOWS\Kfqxnekj.dll

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Configuration Loader] newexplore.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [oleaccrc] C:\WINDOWS\System32\oleaccrc.exe
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O4 - HKCU\..\Run: [d3dim700] C:\WINDOWS\System32\d3dim700.exe
    O4 - Startup: Shortcut to RemindMe.lnk = C:\Program Files\RemindMe\RemindMe.exE
    O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
    O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7949.3988425926
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/c...DI/0/GDIChk.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{566EDC60-138E-4CBF-BD4F-EC8019370B3F}: Domain = edpa.org
     
  3. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    Just as a reference the highlighted words you are seeing on webpages are just a new creative form of advertising. They are only seen in IE and aren't a problem. As a matter of fact TechSpot uses them, no problem.

    I hope this helps clarify a little bit.

    BTW
    :wave:Welcome to TechSpot:wave:
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.