burnmyeyes

Can anyone help me remove spywares in my computer

i used hijackthis and it posted these logs:



Logfile of HijackThis v1.98.2
Scan saved at 12:02:21 PM, on 9/28/2004
Platform: Windows XP SP1, v.1050 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1037)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\System32\huqgzn.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Winamp\winamp.exe
c:\temp\msbb.exe
C:\Program Files\EMP3\MP3 to WAV Decoder\ezab.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [wtufyj] C:\WINDOWS\wtufyj.exe
O4 - HKLM\..\Run: [uqygezrtho] C:\WINDOWS\System32\huqgzn.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKCU\..\RunOnce: [Windows SR 2.0] C:\WINDOWS\cleanup2.bat
O4 - HKCU\..\RunOnce: [eZstub] C:\Program Files\EMP3\MP3 to WAV Decoder\ezab.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Corel Network monitor worker - {CA27071C-C4AA-4EA0-B3C9-0ED74729EB7F} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {CA27071C-C4AA-4EA0-B3C9-0ED74729EB7F} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {CA27071C-C4AA-4EA0-B3C9-0ED74729EB7F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {CA27071C-C4AA-4EA0-B3C9-0ED74729EB7F} - (no file) (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...ab2292e6aa4d79
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E497BDD1-4DBD-4090-8B34-9E0C2133EB67}: NameServer = 202.81.160.4 202.81.160.5



please help me

MicroBell

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. Ok..on to the log…..

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\System32\huqgzn.exe
c:\temp\msbb.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

C:\WINDOWS\System32\huqgzn.exe
c:\temp\msbb.exe
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [wtufyj] C:\WINDOWS\wtufyj.exe
O4 - HKLM\..\Run: [uqygezrtho] C:\WINDOWS\System32\huqgzn.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab

Delete the following Files/Folders in RED (delete folders if no filename is specified) according to their directory (If you can't find them...do a search for them)

C:\WINDOWS\System32\huqgzn.exe
c:\temp\msbb.exe
C:\WINDOWS\localNRD.dll
C:\WINDOWS\wtufyj.exe
C:\WINDOWS\System32\huqgzn.exe
C:\WINDOWS\conscorr.exe

Clear out your temp files and cache files.

Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not. Once your clean you can enable system restore again


On a side note...can a MOD or Security person confirm for me that C:\WINDOWS\cleanup2.bat is a legit SP2 file as I haven't installed the service patch yet. Thanks Much!!

__________________

Pancake

Beaten to it...

Pancake

C:\WINDOWS\cleanup2.bat can be found on a few systems and in nothing to do with SP2.It is being regarded by most as a hostlile.

__________________

MicroBell

Thanks Pancake... Can you point me toward any sites that can confirm this for me and explain how it works and what adware/spyware it's attached too...or is it to new? Couldn't find much on it.

__________________

Pancake

This is the only english reference to it but there are a few loose translated sites.
http://www.annoyances.org/exec/forum/win98/1083103736