HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

#1 - Crazy - 12-05-2004, 12:34 PM
Registered User | Join Date: Dec 2004 | Posts: 8 | OS: windows xp professional

Help! Freezing! Slow! Going crazy!

Hi! I'm going crazy! It has taken me almost 2 hrs to just accomplish this note! My Windows XP Professional keeps freezing. Control-alt-delete often doesn't work. Super slow. Even the start menu to restart the computer is often frozen. Lots of times I see the window "anti-virus synchronization Service encountered a problem and needed to close." Sometimes getting on-line just freezes it. We finally are under control with ads and pop-ups thanks to Ad-aware and Spybot, and I have recently run Panda software to get rid of viruses. We have 4 people using this computer with their own desktops. The internet only works on mine, the main desktop. We really are novices with this stuff, so technical help will lose me. But step-by-step help I can follow. Any other info I can think of is that we see "my diet patch" ads a lot, "load Golf Courses" always comes on when we reboot, and we see "terrabyte" a lot--whatever that is. I think I need an overall cleanup....maybe. Thanks for any help. I really need it. We're hurting. (Although the main parts of life are doing ok, thankfully.)
#2 - CTSNKY - 12-05-2004, 01:12 PM
Knower of all that is MS | Join Date: Aug 2004 | Posts: 10,755 | OS: (multiple machines) 95, 98, 2K & XP Home & Pro

Please download HijackThis (http://www.greyknight17.com/spy/HijackThis.exe) - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer (http://www.greyknight17.com/download.htm#programs) and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the 'result.txt' file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since some of these may be harmless.
#3 - Crazy - 12-05-2004, 08:55 PM
Registered User | Join Date: Dec 2004 | Posts: 8 | OS: windows xp professional

Crazy here...is this how to respond?

Hi! I got the response from CTSNKY for my first post. I'm trying to do what you said--download HijackThis, but so far it has been running for 8+ hours! Does that sound reasonable to you? Also, is this the right way for me to connect to you, CTSNKY?....if you find this at all. Otherwise, maybe someone else can tell me how to find him. Thanks! Crazy
#4 - MicroBell - 12-05-2004, 10:50 PM
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter | Join Date: Sep 2004 | Location: Carmichaels, PA-USA | Posts: 6,954 | OS: Windows XP-Pro SP2

8 hrs....OMG..NO. It's just a little program...200KB...downloads in about 30 seconds on a 56K connection. I would suggest you download it from another PC and then install it on this infected one and do a scan. This is the correct way to contact him. We will work through this thread to fix your issue.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
#5 - Crazy - 12-06-2004, 08:51 AM
Registered User | Join Date: Dec 2004 | Posts: 8 | OS: windows xp professional

so, 8 hours was a little long...

Hi! Yes, 30 seconds sounds much better. OK, I'm sorry to say that I don't even know how to download the greyknight program (from my other computer) onto a disk so I can bring it here to my infected computer. Do you mind telling me the steps? With hope, Crazy
#6 - Crazy - 12-06-2004, 11:43 AM
Registered User | Join Date: Dec 2004 | Posts: 8 | OS: windows xp professional

Am I doing this right?

Hi! Me again. I'm not sure my last post is visible to people besides me, so I just wanted to try again. I'm anxious to get this thing working :) Crazy
#7 - greyknight17 - 12-06-2004, 11:52 AM
Analyst, Security Team | Join Date: Jul 2004 | Location: New York | Posts: 14,327 | OS: Windows 98 & Windows XP Home/Pro

HijackThis is not my program. Would be great if it was though.

All you have to do is download that by clicking on the link provided onto another computer. Just save it on a floppy disk (it will fit). Then use that floppy and copy HijackThis.exe over to your computer and run it. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

#8 - Crazy - 12-07-2004, 09:30 PM
Registered User | Join Date: Dec 2004 | Posts: 8 | OS: windows xp professional

Here's the result.txt

Log was analyzed using HijackThis Analyzer - Updated on 12/6/04
Get updates at http://www.greyknight17.com/download.htm#programs

Logfile of HijackThis v1.98.2
Scan saved at 9:19:52 PM, on 12/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\S3tray2.exe
C:\documents and settings\internet\local settings\temp\a9i.exe
C:\documents and settings\internet\local settings\temp\05t.exe
C:\documents and settings\internet\local settings\temp\a9i.exe
C:\documents and settings\internet\local settings\temp\05t.exe
C:\documents and settings\lila\local settings\temp\chP.exe
C:\documents and settings\lila\local settings\temp\chP.exe
C:\documents and settings\chris\local settings\temp\y.exe
C:\documents and settings\lila\local settings\temp\x.exe
C:\documents and settings\chris\local settings\temp\y.exe
C:\documents and settings\lila\local settings\temp\x.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\windows\180ax.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\qpafax.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\WINDOWS\System32\??chost.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Documents and Settings\Internet\Application Data\wmls.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LoadGolfCourses.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\DjjuCGp.exe
C:\WINDOWS\System32\JmkzLUg.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Corel\Suite8\Programs\WPWIN8.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Corel\Suite8\Programs\WPWIN8.EXE
C:\Corel\Suite8\Programs\WPWIN8.EXE
C:\Documents and Settings\Internet\Local Settings\Temporary Internet Files\Content.IE5\CP23S567\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 1.3\SDHelper.dll
O2 - BHO: (no name) - {63FF3D04-E911-5CCE-8550-17550CFC7B15} - C:\WINDOWS\System32\ryeau.dll
O2 - BHO: (no name) - {65A96E5C-EC40-0DC0-D507-17550CFB7347} - C:\WINDOWS\System32\rqakeqv.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\ghz1fPRs3.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [LoadGolfCourses] C:\Program Files\Mini-Golf\LoadGolfCourses.exe
O4 - HKLM\..\Run: [a9i.exe] C:\documents and settings\internet\local settings\temp\a9i.exe
O4 - HKLM\..\Run: [05t.exe] C:\documents and settings\internet\local settings\temp\05t.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [a9i] C:\documents and settings\internet\local settings\temp\a9i.exe
O4 - HKLM\..\Run: [05t] C:\documents and settings\internet\local settings\temp\05t.exe
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [chP] C:\documents and settings\lila\local settings\temp\chP.exe
O4 - HKLM\..\Run: [chP.exe] C:\documents and settings\lila\local settings\temp\chP.exe
O4 - HKLM\..\Run: [y] C:\documents and settings\chris\local settings\temp\y.exe
O4 - HKLM\..\Run: [x] C:\documents and settings\lila\local settings\temp\x.exe
O4 - HKLM\..\Run: [w] C:\documents and settings\lila\local settings\temp\w.exe
O4 - HKLM\..\Run: [y.exe] C:\documents and settings\chris\local settings\temp\y.exe
O4 - HKLM\..\Run: [x.exe] C:\documents and settings\lila\local settings\temp\x.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [c] C:\documents and settings\lila\local settings\temp\c.exe
O4 - HKLM\..\Run: [7ac216c2710f] C:\WINDOWS\System32\ciadmin6.exe
O4 - HKLM\..\Run: [52@HY493BEBDD4] C:\WINDOWS\System32\Oxq9v1Z.exe
O4 - HKLM\..\Run: [c.exe] C:\documents and settings\lila\local settings\temp\c.exe
O4 - HKLM\..\Run: [rW4WWzJG] C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
O4 - HKLM\..\Run: [NfbRZ2io] C:\documents and settings\lila\local settings\temp\NfbRZ2io.exe
O4 - HKLM\..\Run: [NfbRZ2io.exe] C:\documents and settings\lila\local settings\temp\NfbRZ2io.exe
O4 - HKLM\..\Run: [rW4WWzJG.exe] C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [xF5O37Q] qpafax.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [Jkt] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Raar] C:\Documents and Settings\Internet\Application Data\wmls.exe
O4 - Global Startup: LoadGolfCourses
O4 - Global Startup: LoadGolfCourses.exe
O4 - Global Startup: Reboot.exe
O4 - Global Startup: stamp.dat
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm867
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.h-desk-soft.com/hdesk_off...eskSetup_A.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs: C:\WINDOWS\NMSOCKNT.DLL


End of HijackThis Analyzer Log.
#9 - MicroBell - 12-08-2004, 12:46 AM
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter | Join Date: Sep 2004 | Location: Carmichaels, PA-USA | Posts: 6,954 | OS: Windows XP-Pro SP2

Hi and Welcome to TSF

Wow.....no wonder this SOB doesn't run. Ok..here we go. Better print these instructions out. Run this fix for BOTH users. Please install the SP1/SP2 service packs for both IE6 and XP. These can be obtained through Microsoft's update page. Please move hijackthis to the root of C:\ and NOT in a temp folder.

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

Download CleanUp http://cleanup.stevengould.org/ install and run the utility. This will clean out all temp folders. It will ask you to reboot/logoff...choose YES...reboot and proceed below.

Download Winsock2Fix and unzip it. Then double-click on it to run it.

You have the Peper infection. Download PeperUninstall. Make sure you are connected online to run this program. Run it once and reboot. Then run it again for the second time. Download PeperFix and save it to your Desktop. Run it and click Find and Fix (reboot if prompted)

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and uninstall the following if listed.

Toolbar
WinTools
Viewpoint
CxtPls
NewDotNet
Open Site
System Soap Pro
MaxSpeed
180 Solutions
Mini-Golf


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\documents and settings\internet\local settings\temp\a9i.exe
C:\documents and settings\internet\local settings\temp\05t.exe
C:\documents and settings\internet\local settings\temp\a9i.exe
C:\documents and settings\internet\local settings\temp\05t.exe
C:\documents and settings\lila\local settings\temp\chP.exe
C:\documents and settings\lila\local settings\temp\chP.exe
C:\documents and settings\chris\local settings\temp\y.exe
C:\documents and settings\lila\local settings\temp\x.exe
C:\documents and settings\chris\local settings\temp\y.exe
C:\documents and settings\lila\local settings\temp\x.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\windows\180ax.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\qpafax.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\WINDOWS\System32\??chost.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Documents and Settings\Internet\Application Data\wmls.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LoadGolfCourses.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\DjjuCGp.exe
C:\WINDOWS\System32\JmkzLUg.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Toolbar\PIB.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {63FF3D04-E911-5CCE-8550-17550CFC7B15} - C:\WINDOWS\System32\ryeau.dll
O2 - BHO: (no name) - {65A96E5C-EC40-0DC0-D507-17550CFB7347} - C:\WINDOWS\System32\rqakeqv.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\ghz1fPRs3.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [LoadGolfCourses] C:\Program Files\Mini-Golf\LoadGolfCourses.exe
O4 - HKLM\..\Run: [a9i.exe] C:\documents and settings\internet\local settings\temp\a9i.exe
O4 - HKLM\..\Run: [05t.exe] C:\documents and settings\internet\local settings\temp\05t.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [a9i] C:\documents and settings\internet\local settings\temp\a9i.exe
O4 - HKLM\..\Run: [05t] C:\documents and settings\internet\local settings\temp\05t.exe
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [chP] C:\documents and settings\lila\local settings\temp\chP.exe
O4 - HKLM\..\Run: [chP.exe] C:\documents and settings\lila\local settings\temp\chP.exe
O4 - HKLM\..\Run: [y] C:\documents and settings\chris\local settings\temp\y.exe
O4 - HKLM\..\Run: [x] C:\documents and settings\lila\local settings\temp\x.exe
O4 - HKLM\..\Run: [w] C:\documents and settings\lila\local settings\temp\w.exe
O4 - HKLM\..\Run: [y.exe] C:\documents and settings\chris\local settings\temp\y.exe
O4 - HKLM\..\Run: [x.exe] C:\documents and settings\lila\local settings\temp\x.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [c] C:\documents and settings\lila\local settings\temp\c.exe
O4 - HKLM\..\Run: [7ac216c2710f] C:\WINDOWS\System32\ciadmin6.exe
O4 - HKLM\..\Run: [52@HY493BEBDD4] C:\WINDOWS\System32\Oxq9v1Z.exe
O4 - HKLM\..\Run: [c.exe] C:\documents and settings\lila\local settings\temp\c.exe
O4 - HKLM\..\Run: [rW4WWzJG] C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
O4 - HKLM\..\Run: [NfbRZ2io] C:\documents and settings\lila\local settings\temp\NfbRZ2io.exe
O4 - HKLM\..\Run: [NfbRZ2io.exe] C:\documents and settings\lila\local settings\temp\NfbRZ2io.exe
O4 - HKLM\..\Run: [rW4WWzJG.exe] C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [xF5O37Q] qpafax.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [Jkt] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Raar] C:\Documents and Settings\Internet\Application Data\wmls.exe
O4 - Global Startup: LoadGolfCourses
O4 - Global Startup: LoadGolfCourses.exe
O4 - Global Startup: Reboot.exe
O4 - Global Startup: stamp.dat
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm867
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs: C:\WINDOWS\NMSOCKNT.DLL


Delete the following Files/Folders in RED (delete folders if no filename is specified or they are RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS)

C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\documents and settings\internet\local settings\temp\a9i.exe
C:\documents and settings\internet\local settings\temp\05t.exe
C:\documents and settings\lila\local settings\temp\chP.exe
C:\documents and settings\chris\local settings\temp\y.exe
C:\documents and settings\lila\local settings\temp\x.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\documents and settings\lila\local settings\temp\rW4WWzJG.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\windows\180ax.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\qpafax.exe
C:\WINDOWS\System32\??chost.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Documents and Settings\Internet\Application Data\wmls.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LoadGolfCourses.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\DjjuCGp.exe
C:\WINDOWS\System32\JmkzLUg.exe
C:\WINDOWS\System32\SearchBar.htm
C:\Windows\System32\wsaupdater.exe
C:\Program Files\NewDotNet\newdotnet6_38.dll
C:\WINDOWS\System32\ryeau.dll
C:\WINDOWS\System32\rqakeqv.dll
C:\Documents and Settings\Chris\Local Settings\Temp\ghz1fPRs3.dll
C:\Program Files\WindowsSA\omniscient.exe
C:\documents and settings\lila\local settings\temp\w.exe
C:\WINDOWS\System32\ciadmin6.exe
C:\WINDOWS\System32\Oxq9v1Z.exe
C:\documents and settings\lila\local settings\temp\c.exe
C:\documents and settings\lila\local settings\temp\NfbRZ2io.exe
C:\Program Files\System Soap Pro\soap.exe
C:\WINDOWS\System32\maxspeed.exe
C:\WINDOWS\NMSOCKNT.DLL



Run cleanup again.

Once done, reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not. Once you're clean you can enable system restore again.

**Note** If the infected PC can NOT access the net...you will have to download the programs on another PC...burn them to disk...and copy the programs to the infected PC. Your only other option would be to format the drive and reinstall the OS...or remove the HD and slave it to another system.

You are severely infected with trojans, spyware/adware!!

Last edited by MicroBell : 12-08-2004 at 12:47 AM.
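As an added example (not part of this thread, and not HijackThis, HijackThis Analyzer or the analysts' own tooling), the Python below turns the kind of judgement MicroBell applied to the log above into explicit checks that can be run over any HijackThis-style log text: executables living in a user's temp folder, file names with unprintable characters (the `??chost.exe` entries), a `UserInit` value that is no longer the default, a populated `AppInit_DLLs`, Winsock LSP hijacks, BHO entries whose file is gone, and autoruns given only by a bare file name. The heuristics and finding labels are the example's own; the Windows XP default `UserInit` value is a known constant assumed here rather than something read from the log; the sample lines are copied from the log posted in this thread, with one benign process and one benign BHO included for contrast.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not
HijackThis code). It spells out, as plain string checks, several of the
judgement calls made on the log in this thread, so the reasoning behind
"check and fix these entries" is explicit and repeatable."""
import re
from collections import Counter

# Default UserInit value on Windows XP (known constant, not taken from the log).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an extension the checks care about.
PATH_RE = re.compile(r"[a-z]:\\[^\"\]]*?\.(?:exe|dll|htm|dat)", re.IGNORECASE)


def parse_entry(line):
    """Return (section, body): 'R1'/'O4'/... for tagged entries,
    'PROC' for a 'Running processes:' path line, None otherwise."""
    s = line.strip()
    m = ENTRY_RE.match(s)
    if m:
        return m.group("sec"), m.group("body")
    if re.match(r"^[a-z]:\\", s, re.IGNORECASE):
        return "PROC", s
    return None


def first_path(body):
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage_line(line):
    """Findings for one line; an empty list means nothing stood out."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    sec, body = parsed
    lower = body.lower()
    findings = []
    path = first_path(body)
    if path:
        p = path.lower()
        # The dropped .exe files in this thread's log all lived in temp folders.
        if sec in ("O4", "PROC") and "\\local settings\\temp\\" in p:
            findings.append("executable in user temp folder")
        # '?' is how the log renders characters it cannot print, e.g. ??chost.exe.
        if "?" in p.rsplit("\\", 1)[-1]:
            findings.append("unprintable character in executable name")
    if sec == "F2" and "userinit=" in lower:
        value = lower.split("userinit=", 1)[1].strip().rstrip(",")
        if value != DEFAULT_USERINIT:
            findings.append("UserInit replaced (default is userinit.exe)")
    if sec == "O20" and "appinit_dlls:" in lower:
        if lower.split("appinit_dlls:", 1)[1].strip():
            findings.append("AppInit_DLLs set: DLL loaded into every user32 process")
    if sec == "O10" and "hijacked internet access" in lower:
        findings.append("Winsock LSP hijack")
    if sec == "O2" and "(no file)" in lower:
        findings.append("orphaned BHO entry (file missing)")
    if sec == "O4" and path is None and re.search(r"\]\s+\S+\.exe\s*$", body, re.IGNORECASE):
        findings.append("autorun by bare filename (resolved via search path)")
    return findings


def triage_log(text):
    """Return [(line, findings)] for every line with at least one finding."""
    out = []
    for line in text.splitlines():
        f = triage_line(line)
        if f:
            out.append((line.strip(), f))
    return out


def summarize(text):
    """Count how often each finding type occurs across the log."""
    return Counter(f for _, fs in triage_log(text) for f in fs)


# Constructed sample: lines copied from the log posted in this thread, plus
# the benign S3tray2.exe process and SDHelper.dll BHO for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\S3tray2.exe
C:\documents and settings\lila\local settings\temp\chP.exe
C:\WINDOWS\System32\??chost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 1.3\SDHelper.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [a9i] C:\documents and settings\internet\local settings\temp\a9i.exe
O4 - HKLM\..\Run: [xF5O37Q] qpafax.exe
O4 - HKCU\..\Run: [Jkt] C:\WINDOWS\System32\??chost.exe
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: C:\WINDOWS\NMSOCKNT.DLL
"""

if __name__ == "__main__":
    for line, fs in triage_log(SAMPLE_LOG):
        print(f"{line}\n    -> {', '.join(fs)}")
    print(summarize(SAMPLE_LOG))
```

Run directly, it prints each flagged line with its findings and a count per finding type; on the sample, nine of the thirteen content lines are flagged and the two benign ones are not. It is a reading aid, not a removal tool: a hit means the line deserves a look, which is exactly why the analysts above asked for the log to be posted rather than having everything fixed blindly.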
#10 - Crazy - 12-09-2004, 09:55 AM
Registered User | Join Date: Dec 2004 | Posts: 8 | OS: windows xp professional

Wow, thanks. A few ?s

Hi! Thank you sooo much! You have restored sanity to me and my family! Just running Ad-aware SE took off over 5000 things! We are slowly working our way through your list, but I have a few questions:
--You said to install the SP1/SP2 service packs on both users. Does that mean install it on all three of my kids' separate desktops along with mine...so four times all together for each: SP1 XP, SP2 XP, SP1 IE6, SP2 IE6? Not trying to be lazy, just trying to do it right :)
---I'm not very good with folders, as dumb as that sounds. Can you give me the steps for moving hijackthis to the root of C:\ from a temp folder? The more detail the better.
---next question: Who are you? Do you get any money for this??? I appreciate you-singular or you-plural very much!!! Thanks again for helping my whole family this way! I hope you have a wonderful day.
#11 - Crazy - 12-09-2004, 02:22 PM
Registered User | Join Date: Dec 2004 | Posts: 8 | OS: windows xp professional

and one more thing..

Hi again! Now I have another problem, in addition to the questions I just asked earlier today. The Windows XP service pack 2 won't download on my computer. It says the product key used to install Microsoft Windows may not be valid. I went to www.howtotell.com but it said it couldn't tell me for some reason--I forget. And then I found out that IE6 SP2 needs to have SP2 installed before I can download it. Any suggestions on these SP2 dilemmas? Thanks again.
#12 - greyknight17 - 12-09-2004, 03:29 PM
Analyst, Security Team | Join Date: Jul 2004 | Location: New York | Posts: 14,327 | OS: Windows 98 & Windows XP Home/Pro

Before we go any further, let's see a new HijackThis log. We ask for this because SP2 can be very unstable especially on a system that has problems.

I think I remember reading about this SP2 invalid key problem (even though it's a legit/valid XP installation). We'll get back to this when we have verified that you are clean. Just remind us of this problem. Yes, for IE SP2 to install, you need to get SP2 for XP first.