sn4ke67

all of a sudden ive been sneding more data then reciving it when im on the internet "56k modem :(" and when ever i connect then open up internet explorer or Opera 7.5 i ret 5 popups that the address they are trying to goto dosent exist like h**p://pegasusstudios.com/links.html i did a hijackthis log right after i turned my comp on then i started typing this and of course i now have 5 windows in the backround open.

oh yeah it wont happen if i dont do anything like open a game, aim, yahoo, or internet explorer

Logfile of HijackThis v1.98.2
Scan saved at 3:21:28 PM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=alexxp
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=alexxp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.208.97.14 firearmsmod.com
O1 - Hosts: 207.46.245.156 www.microsoft.com
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O16 - DPF: Win32 Classes -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

Detah

I am working on your problem. I will have some instructions for you shortly.

sn4ke67

thanks

Detah

You have several problems that we need to address. We will be using several anti-spyware & anti-adware programs. I recommend that you keep these programs on your system permanently. Only use HiJackThis under the guidance of an expert! Print out these instructions so you may reference them without any programs open. It is very important that no programs (expecially internet browsers) are running when implementing these fixes. [You may leave your firewall and virusscan running.]
----------------------------------------------------------------

To show hidden files instructions
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extentions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
----------------------------------------------------------------
Turn off System Restore instructions
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot.
After we are finished with your log file and verified that it’s clean, you may turn it back on and create a new restore point.
----------------------------------------------------------------
First lets fix your internet connection.

Download LSPFix and run it.
Check "I know what I am doing". Select

xfire_lsp_8742.dll

in the left window and click the arrow moving it to the right. Once the file is on the right, Click Finish and follow the prompts.
Close LSPFix.
Check your internet connection.

If the above (LSPFix) does not work, then let's repair Winsock from scratch.
Download WinsockFix and run it.
----------------------------------------------------------------
Check internet connection
Only proceed if your internet connection is working fine.
If not, post another HJT log.
----------------------------------------------------------------
Download Accelerator Plus
This program is spyware. You need to remove it from your system and never reinstall it. You may read more about it from
http://www.pestpatrol.com/pestinfo/d...rator_plus.asp

Removing DAP:
Control Panel | Add/Remove Programs | select DAP and remove.

Now you need to remove the 2 remnants.

Open the Registry Editor
Click Start | Run | type "regedit"
Now we will make a backup of your Registry. Click File | Export. A Save dialogue window will open. Type a name like <Registry backup 9-20-04.reg> and save it in a permanent directory on your harddrive, like c:/program files/Registry backups/

These two keys may not be present. If not, its ok.
* Now navigate to the key
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\downloadaccelerator, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\webscan, delete it and reboot the machine immediately.

* Close the Registry Editor.
----------------------------------------------------------------
Reboot in Safe Mode instructions. During reboot, tap the F8 key. Select Safe Mode.
----------------------------------------------------------------
Open HiJackThis | Config | Misc Tools | Open process manager. Select the following and click <Kill process> for each one if they are still listed (they may not be, and that's ok):

MsPMSPSv.exe
jusched.exe
soundblaster.exe

----------------------------------------------------------------
Open HiJackThis
Put a check next to the following items. Confirm that you have only the ones below.
[color=red]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=alexxp
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=alexxp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.208.97.14 firearmsmod.com
O1 - Hosts: 207.46.245.156 www.microsoft.com
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file) internetoptimizer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O16 - DPF: Win32 Classes -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
[/color=red]
Press <Fix checked>
Close HJT
----------------------------------------------------------------
Now delete the following files (or delete the whole folder if no specific file is given):

C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\soundblaster.exe
c:/program files/DAP/

----------------------------------------------------------------
* Empty your c:/windows/temp or c:/winnt/temp folder. Note: only empty the contents of the folder, leave the folder there.
* Now empty your Recycle Bin.
* Reboot.
----------------------------------------------------------------
Here are two essential anti-spyware programs which you should run regularly. Updates for these programs come out weekly.

Spybot Search & Destroy instructions (~3.5MB)

• Download Spybot (written by Patrick Kolla). Click <download> from
  http://www.safer-networking.org/[BR]
  Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
  I recommend c:/program files/spybot/
• Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
• Open Spybot from Start | Programs | Spybot | Spybot S&D
• Select <Search for Updates>. Let it install all updates. This is very important!
• Select <Immunize>
• Select <Check for Problems>
• Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
• Select <Fix Selected Problems>
• Close Spybot//

Ad-Aware instructions (2563 kB)

• Download Ad-Aware SE build 1.04 (written by Lavasoft) from
  http://www.lavasoft.de/
  If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
• Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
• Open AdAware from Start | Programs | Lavasoft | Adaware.
• Select <Check for updates now>, <Proceed>
• Setting adjustments. [[Green = checked]] Click the Gear Icon in the top right corner. New settings:
  
  • By default you begin in the <General> section. The following should be checked:
    
    • Automatically save logfile
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    • Prompt to update outdated confirmation - change to "7 days"
  • Click <Scanning>
    
    • Check Scan within Archives
    • Select "Select drives & folders to scan", check all of your harddrives. Usually its just c:/, <Proceed>
    • Under Memory & Registry, select all options
  • Click <Advanced>
    
    • Under Shell Integration, select "Move deleted files to Recycle Bin"
    • Under Logfile detail, select all options
  • Click <Defaults>
    
    • Type in the full URL of what you want as your default homepage and search page eg. http://www.google.com
      
  • Click <Tweak>
    
    • Expand Scanning Engine and make sure the following are selected:
      
      • Unload recognized processes during scanning
      • Obtain command line of scanned processes
      • Scan registry for all users instead of current user only
    • Expand Cleaning Engine and make sure the following are selected:
      
      • Always try to unload modules before deletion
      • During removal, unload explorer and IE if necessary
      • Let Windows remove files in use at next reboot
      • Delete quarantined objects after restoring
    • Expand Safety Settings and make sure the following are selected:
      
      • Write-protect system files after repair (Hosts file, etc)
        
• Click <Proceed> | <Start> | <Next>
• When the scan is finished, rightclick on any entry and choose <Select All Objects>.
• Select <Clean>
• Close Adaware//

----------------------------------------------------------------
* Run HJT and post another HJT log.
----------------------------------------------------------------
Optional removal

wuauclt.exe removal instructions
Start | Run | services.msc, Automatic Updates, rightclick, set to disabled!

Reboot. Delete from C:\WINDOWS\System32\wuauclt.exe
or from c:/WINNT/system32 on WinXP Pro v2002. //
----------------------------------------------------------------

sn4ke67

YaY no popups and the internet send/recive thing is fixed now when im not doing anything like when im typing this "nothing is loading" both the lil computers are blank not lit up :)

there was no dap in the add/remove programs so i dident do anything with that but spybot s&d got some of its files a long time ago and before this i regularly ran ad aware and spybot s&d along with zone alarm pro "registered version" and tuneup utilities 2004

thanks for ur help i apprecieate it and if u are still worried about that downloader accelerator plus just post here ill check back l8r

agian thx


Logfile of HijackThis v1.98.2
Scan saved at 5:36:37 PM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

Detah

Looks good. Somehow I forgot one.

Open HJT. Put a check next to the following:

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

<Fix checked>

Close HJT

Now you are clean.