also @ TechSpot: Updated Microsoft EULA prohibits class action lawsuits

TechSpot

Help Please, adware, spyware etc

Discussion in 'Virus and Malware Removal' started by Publius, Oct 4, 2004.

Thread Status:
Not open for further replies.

  1. Publius Newcomer, in training

    I had the begin2search toolbar. Still have the random highlighted words throughout webpages and have an enormous amount of popups. I run adaware and spybot s&d. Any help would be greatly appreciated.

    thanks,

    Logfile of HijackThis v1.97.7
    Scan saved at 3:00:32 PM, on 10/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\WINDOWS\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\stisvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Bio-Rad\The Discovery Series\bin\TDSAuth.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\RemindMe\RemindMe.exE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\d3dim700.exe
    C:\Documents and Settings\All Users\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Program Files\Netscape\Users\mwaltsgott\prefs.js)
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O2 - BHO: (no name) - {FE103B50-A713-A70B-A32B-6216A55DE887} - C:\WINDOWS\Kfqxnekj.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Search - {F7AAA336-2262-CC4E-ECBD-9AE94AFBDE13} - C:\WINDOWS\Kfqxnekj.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Configuration Loader] newexplore.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [oleaccrc] C:\WINDOWS\System32\oleaccrc.exe
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O4 - HKCU\..\Run: [d3dim700] C:\WINDOWS\System32\d3dim700.exe
    O4 - Startup: Shortcut to RemindMe.lnk = C:\Program Files\RemindMe\RemindMe.exE
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
    O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.3988425926
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{566EDC60-138E-4CBF-BD4F-EC8019370B3F}: Domain = edpa.org
    Publius, Oct 4, 2004
    #1

  2. RealBlackStuff Newcomer, in training

    Publius

    Welcome to TechSpot

    Boot into Safe Mode.
    Press Ctrl/Alt/Delete and go into TaskManager. Check if any of the .EXE files are running under the Applications Tab.
    If so, End them.
    Now check if any of the .EXE files are running under the Process Tab.
    If so, End them.

    Now close taskmanager and with no other windows open, run HijackThis.
    Mark all the items below, then hit the "Fix Marked" button.

    Reboot in normal mode.

    Run Adaware and Spybot S&D in their latest version, after a definition-update for each one.
    Let Spybot "immunise" your PC.
    Run these programs at least once a week from now on.


    Get rid of these:
    =================

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Bio-Rad\The Discovery Series\bin\TDSAuth.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    C:\Program Files\RemindMe\RemindMe.exE
    C:\WINDOWS\System32\d3dim700.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int
    ernet Settings,ProxyOverride = 127.0.0.1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Program Files\Netscape\Users\mwaltsgott\prefs.js)
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O2 - BHO: (no name) - {FE103B50-A713-A70B-A32B-6216A55DE887} - C:\WINDOWS\Kfqxnekj.dll
    O3 - Toolbar: Search - {F7AAA336-2262-CC4E-ECBD-9AE94AFBDE13} - C:\WINDOWS\Kfqxnekj.dll

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Configuration Loader] newexplore.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [oleaccrc] C:\WINDOWS\System32\oleaccrc.exe
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O4 - HKCU\..\Run: [d3dim700] C:\WINDOWS\System32\d3dim700.exe
    O4 - Startup: Shortcut to RemindMe.lnk = C:\Program Files\RemindMe\RemindMe.exE
    O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
    O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7949.3988425926
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/c...DI/0/GDIChk.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{566EDC60-138E-4CBF-BD4F-EC8019370B3F}: Domain = edpa.org
    RealBlackStuff, Oct 5, 2004
    #2

  3. poertner_1274 secroF laicepS topShceT

    Just as a reference the highlighted words you are seeing on webpages are just a new creative form of advertising. They are only seen in IE and aren't a problem. As a matter of fact TechSpot uses them, no problem.

    I hope this helps clarify a little bit.

    BTW
    :wave:Welcome to TechSpot:wave:
    poertner_1274, Oct 6, 2004
    #3
Thread Status:
Not open for further replies.