Status
Not open for further replies.
1 - 20 of 25 Posts

·
Registered
Joined
·
46 Posts
Discussion Starter #1
Seems like the computer is really struggling after an hour or two of browsing/working the net. Then it’s an “illegal opp” and they shut down, both IE 6.0 and NS 4.77 fail, NS 7.0 doesn’t fail. I can’t figure why things look like, even while working in MS Office, they’re slowing way down from 866 speed to like 66 MHz! Sometimes it freezes and it’s a restart, or it’s barely able to move, then a restart works for a while.

No bad sectors, disc cleanup good, adaware ok, virus check ok (except every time I run it cleans the sobig.f worm, not the last time). Symptoms sound familiar? I’m not too technical either, but ok.

Thanks!
 

·
ID10T Circuit replacement
Joined
·
1,038 Posts
If you are having to remove sobig.f almost every reboot, then you need to go to:

www.fsecure.com

Find the downloads and download the free dos tool f-prot. You really should download this on a clean computer. Then make a bootable disk (either floppy or cd) then run a scan from a clean boot to dos by using the fprot virus software.

After everything is scanned and cleaned, maybe try a repair on Internet Explorer.

Other running software/viruses may be using the DLLs used by both Netscape and IE.


Let me know.
 

·
Registered
Joined
·
46 Posts
Discussion Starter #3
Thanks Idtent,

Went to the site and looked around quite a bit, no "f-prot". What is a "clean computer"? You mean save all data and wipe out the hard drives, reload Win?
 

·
ID10T Circuit replacement
Joined
·
1,038 Posts

·
Registered
Joined
·
46 Posts
Discussion Starter #5
Okay,

I'm "clean", and ran that program for all the sobig. as well.

Browsers still shut down and the computer starts to slow way down in doing simple functions...
 

·
Registered
Joined
·
5,955 Posts
It seems that the basics have been covered. Before we start repairing and reinstalling, etc., I think we should look at a Hijack log.

Download Hijack This from the link below. This is a quick start page, so if you need instruction about creating, copying and pasting a log, it's there. After install, create a log, copy it and paste it here.

Please don't try to fix anything. We'll take a look at it and give you some advice.
 

·
Registered
Joined
·
46 Posts
Discussion Starter #7
Okay, Thanks!

I didn't see the Hijack link but I downloaded Hijack Blaster and nothing showed up. I upgraded NS 4.77 to 4.79. No change. It only freezes when I don't view mail content, as long as I'm looking at the headers it stays up. However, the computer still bogs down over a short time. I Shut Down completely and walked away for 10 minutes... no change.

NS 7.0 is fine. But I'm used to the older version for email, etc... may just have to switch. Maybe this should be a thread in the Browser section?!

IE is still very unstable and illegal opp's out. I'm getting used to restarts of the computer and programs all the time, but it's probably something right in front of my face.
 

·
Registered
Joined
·
46 Posts
Discussion Starter #10
The following file came out in Notepad:

Logfile of HijackThis v1.97.3
Scan saved at 5:17:31 PM, on 10/11/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\CYB2K.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\ASTART.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\SYSTEM\MOSTAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gocybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.gocybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.gocybersearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Program Files\Netscape\Users\kirch4\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\koxrjru3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\koxrjru3.slt\prefs.js)
O1 - Hosts: 64.14.40.138 runonce.msn.com
O2 - BHO: (no name) - {31E27780-9C24-11D7-8A3E-00036D17C04E} - C:\WINDOWS\SYSTEM\MOZ030715S.DLL
O2 - BHO: (no name) - {31E27781-9C24-11D7-8A3E-00036D17C04E} - C:\WINDOWS\SYSTEM\WQOIRLX.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - C:\PROGRAM FILES\TOPICKS\BIN\TPBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\CYB2K.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37884.42625
 

·
Registered
Joined
·
5,955 Posts
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 64.14.40.138 runonce.msn.com
O2 - BHO: (no name) - {31E27780-9C24-11D7-8A3E-00036D17C04E} - C:\WINDOWS\SYSTEM\MOZ030715S.DLL (WurldMedia Parasite!)
O2 - BHO: (no name) - {31E27781-9C24-11D7-8A3E-00036D17C04E} - C:\WINDOWS\SYSTEM\WQOIRLX.DLL (cannot ID, delete it)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL (known transponder)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL (OMG!)
O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - C:\PROGRAM FILES\TOPICKS\BIN\TPBAR.DLL (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

You have a number of transponders and dialers aboard, but the worst part is that you have been infected by the Coolsearch Trojan, which is probably responsible for most of your problems.

Please go to the link below. You can read a little about the Trojan. Maybe 2/3 down the page, you will find, in the text, a link to CW Shredder; Run that program.

Then, open Hijack, close all browser windows, check all of the above items and have HJT fix them. Reboot.

I just read that Spybot S&D is on top of this class of Trojans, so go to the link below, download Spybot, check for updates, then scan. Have Spybot fix everything in red.

Since this was a bit complicated, I'll ask you to post another HJT log here, so we can make sure that I did not miss something.

Good hunting!
 

·
Registered
Joined
·
46 Posts
Discussion Starter #12
Thanks Vern! Here's the scan only:
CWShredder v1.21.1 scan only report

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://www.gocybersearch.com/ie/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL
Infected data: http://www.gocybersearch.com/ie/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://www.gocybersearch.com/ie/
Found Hosts file: C:\WINDOWS\hosts (982 bytes, A)
Found Win.ini file: C:\WINDOWS\win.ini (9284 bytes, A)
Found line in Win.ini: run=
 

·
Registered
Joined
·
46 Posts
Discussion Starter #13
After running the Spyware cw shredder while all browsers closed:

Done!
- 0 registry values were killed
- Hostsfile was OK
- Bootconf.exe was not present
- Trusted Zone was OK
- User stylesheet was OK
- Oemsyspnp.inf was not present
- Svchost32.exe was not present
- Msspi.dll Winsock hook was not present
- Msinfo.exe was not present
- Winshow.dll BHO was not present
- MadFinder BHO was not present
- Ctfmon32.exe was not present
 

·
Registered
Joined
·
46 Posts
Discussion Starter #14
HJT log after reboot:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Program Files\Netscape\Users\kirch4\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\koxrjru3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\koxrjru3.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\CYB2K.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunServices: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKLM\..\RunOnce: [MSVBVM60.dll] regsvr32.exe /s C:\WINDOWS\SYSTEM\MSVBVM60.dll
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37884.42625

I ran the Spybot and to clean, they took me off to the webpage to buy then clean for $30. Any way to clean on my own? Thanks Vern!
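
An added example, not part of the original thread and not HijackThis's own code: a Python script that compares a "before" and an "after" HijackThis log and checks a helper's fix list against the second log, which is the purpose of the follow-up log requested above. The entries are copied from the posts above; the function names and the matching rule (drop a trailing parenthesised remark, ignore case) are assumptions of this example.

```python
import re
from typing import Dict, List, NamedTuple

# Entries copied from the logs posted in this thread (a subset of each).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.gocybersearch.com/ie/
O1 - Hosts: 64.14.40.138 runonce.msn.com
O2 - BHO: (no name) - {31E27780-9C24-11D7-8A3E-00036D17C04E} - C:\WINDOWS\SYSTEM\MOZ030715S.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - C:\PROGRAM FILES\TOPICKS\BIN\TPBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""
AFTER = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKLM\..\RunOnce: [MSVBVM60.dll] regsvr32.exe /s C:\WINDOWS\SYSTEM\MSVBVM60.dll
"""
# The helper's fix list, including the remarks the helper appended by hand.
FLAGGED = r"""
O1 - Hosts: 64.14.40.138 runonce.msn.com
O2 - BHO: (no name) - {31E27780-9C24-11D7-8A3E-00036D17C04E} - C:\WINDOWS\SYSTEM\MOZ030715S.DLL (WurldMedia Parasite!)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL (known transponder)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL (OMG!)
O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - C:\PROGRAM FILES\TOPICKS\BIN\TPBAR.DLL (file missing)
"""

# A log entry is "<letter><number> - <detail>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# A remark in parentheses at the very end of a line ("(OMG!)", "(file missing)").
TRAILING_NOTE_RE = re.compile(r"\s+\([^()]*\)\s*$")


class Entry(NamedTuple):
    line: str  # the entry exactly as it appears in the log
    key: str   # normalised identity used for comparison


def parse_log(text: str) -> Dict[str, Entry]:
    """Return the entries of a pasted log, indexed by normalised key."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, running-process list, blank line or chat text
        # Drop a trailing remark and ignore case so that a hand-annotated
        # copy of an entry still matches the original log line.
        detail = TRAILING_NOTE_RE.sub("", match["detail"]).casefold()
        key = f"{match['section']}|{detail}"
        entries[key] = Entry(line, key)
    return entries


def compare(before: str, after: str, flagged: str) -> Dict[str, List[str]]:
    """Diff two logs and report which flagged entries survived the fix."""
    b, a, f = parse_log(before), parse_log(after), parse_log(flagged)
    return {
        "removed": sorted(e.line for k, e in b.items() if k not in a),
        "new": sorted(e.line for k, e in a.items() if k not in b),
        "flagged_still_present": [a[k].line for k in f if k in a],
        "flagged_not_in_before": [e.line for k, e in f.items() if k not in b],
    }


if __name__ == "__main__":
    for name, lines in compare(BEFORE, AFTER, FLAGGED).items():
        print(f"{name} ({len(lines)})")
        for entry_line in lines:
            print("   ", entry_line)
```

On these lines the comparison reports the `BI.DLL` BHO as flagged but still present after the reboot, and two autostart entries that were not in the first log.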
 

·
Registered
Joined
·
46 Posts
Discussion Starter #15
Spykiller results, not cleaned...

Memory scan result:
Total modules found:15
Suspicious modules found: 0

Started registry scan
====================
BDE HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Morpheus--Morpheus 3.2 (remove only)--DisplayName
Adware - Brilliant Digital
BDE HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Morpheus--"C:\Program Files\StreamCast\Morpheus\UninstMorph.exe"--UninstallString
Adware - Brilliant Digital
Cydoor HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FA89A7AC-EABF-4D73-B19F-0C3D858D24EF}--1--Cydoor
Adware - Cydoor
Blazing Tools Perfect Keylogger HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\CB222D37B6F14D117A88000972BA5A0D--C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\udfrinst.exe--8CA7F906015C4D117A88000972BA5A0D
Spy - BlazingTools Software
ToPicks HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run---C:\Program Files\ToPicks\Bin\Idhost.exe--ToPicks Starter
SpyWare/AdWare - Santa Monica Networks
BDE HKEY_LOCAL_MACHINE\Software\Morpheus--C:\Program Files\StreamCast\Morpheus--Install_Dir
Adware - Brilliant Digital
BDE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run---"C:\Program Files\StreamCast\Morpheus\Morpheus.exe" -min--Morpheus
Adware - Brilliant Digital
Alexa HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping--8192--{c95fe080-8f5d-11d2-a20b-00aa003c157a}
SpyWare/Adware - Alexa
Registry scan result:
Suspicious keys found: 8

Started folder scan
====================
BDE C:\WINDOWS\SYSTEM\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
Adware - Brilliant Digital

Adware C:\WINDOWS\TEMP\Adware
Adware - Adware


Folder scan result:
Folder processed: 0
Suspicious folders found: 2

Started file scan
====================
Gator C:\WINDOWS\GatorPdpSetup.log
Adware - Gator

Transponder C:\WINDOWS\BI.DLL
Adware - Transponder

SideStep C:\WINDOWS\SbCIe0261.dll
SpyWare - SideStep

iGetNet C:\WINDOWS\SYSTEM\RSP001.DLL
Spy - iGetNet Inc.

iGetNet C:\WINDOWS\SYSTEM\Update_com.DLL
Spy - iGetNet Inc.

POP Apropos Media C:\WINDOWS\SYSTEM\popfil.dll
SpyWare - Apropos Media

ShopAtHomeSelect C:\WINDOWS\SYSTEM\SahAgent.exe
SpyWare/AdWare - ShopAtHome

FavoriteMan/Td1 C:\WINDOWS\SYSTEM\td1.dll
Adware - FavoriteMan

WurldMedia C:\WINDOWS\SYSTEM\mo030414s.dll
Adware - WurldMedia

WurldMedia C:\WINDOWS\SYSTEM\moz030715s.dll
Adware - WurldMedia

Transponder C:\WINDOWS\TEMP\bi.dll
Adware - Transponder

ShopAtHomeSelect C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll
SpyWare/AdWare - ShopAtHome

POP Apropos Media C:\Program Files\POP\pophook3.dll
SpyWare - Apropos Media

POP Apropos Media C:\Program Files\POP\pop205.dll
SpyWare - Apropos Media

POP Apropos Media C:\Program Files\POP\PopSrv205.exe
SpyWare - Apropos Media

POP Apropos Media C:\Program Files\Netscape\Communicator\Program\AIM\PopupShim.dll
SpyWare - Apropos Media

Transponder C:\Program Files\ClearSearch\BI.DLL
Adware - Transponder

ShopNav C:\Program Files\Srng\SrngHelper.exe
SpyWare - Srng.net

SC Bar C:\Program Files\scbar\v2\scbar.dll
SpyWare - SC Bar


File scan result:
Suspicious files found: 19

Scanning finished
====================
Suspicious modules found: 0
Suspicious keys found: 8
Suspicious folders found: 2
Suspicious files found: 19
====================

Components ignored:0
Total components found:29
 

·
Registered
Joined
·
5,955 Posts
kirch said:
Thanks Vern! Here's the scan only:
CWShredder v1.21.1 scan only report

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://www.gocybersearch.com/ie/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL
Infected data: http://www.gocybersearch.com/ie/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://www.gocybersearch.com/ie/
Found Hosts file: C:\WINDOWS\hosts (982 bytes, A)
Found Win.ini file: C:\WINDOWS\win.ini (9284 bytes, A)
Found line in Win.ini: run=

Have CW Shredder get rid of them all. I will check your HJT log.
 

·
Registered
Joined
·
5,955 Posts
kirch said:
Spykiller results, not cleaned...

I got two programs messed up. Have this program clean up that mess (all of it).
 

·
Registered
Joined
·
5,955 Posts
"I ran the Spybot and to clean, they took me off to the webpage to buy then clean for $30. Any way to clean on my own? Thanks Vern!"

You were Hijacked!

Have Spykiller and CW Shredder do their things. After that, run an HJT log, and if you see either of the below entries, close all browser and explorer windows, check the entries, tell HJT to fix them, then reboot. These are the entries:

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL (Hijacker!)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun (Troj/Opwin-11)

Then find the program or folder C:\WINDOWS\scanregw.exe and delete it.

Post a new log, so we can try to make sure that there is not another hijacker that will get you when you try to download Spybot.

I know that this is complicated, but you are seriously infected.
 

·
Registered
Joined
·
46 Posts
Discussion Starter #19
Okay,

I deleted the 3 files you showed from another run of HJT.

CWS found nothing but the same as above.

I ran Spykiller which gave me this log:
Memory scan result:
Total modules found:15
Suspicious modules found: 0

Started registry scan
====================
BDE HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Morpheus--Morpheus 3.2 (remove only)--DisplayName
Adware - Brilliant Digital
BDE HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Morpheus--"C:\Program Files\StreamCast\Morpheus\UninstMorph.exe"--UninstallString
Adware - Brilliant Digital
Cydoor HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FA89A7AC-EABF-4D73-B19F-0C3D858D24EF}--1--Cydoor
Adware - Cydoor
Blazing Tools Perfect Keylogger HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\CB222D37B6F14D117A88000972BA5A0D--C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\udfrinst.exe--8CA7F906015C4D117A88000972BA5A0D
Spy - BlazingTools Software
ToPicks HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run---C:\Program Files\ToPicks\Bin\Idhost.exe--ToPicks Starter
SpyWare/AdWare - Santa Monica Networks
BDE HKEY_LOCAL_MACHINE\Software\Morpheus--C:\Program Files\StreamCast\Morpheus--Install_Dir
Adware - Brilliant Digital
BDE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run---"C:\Program Files\StreamCast\Morpheus\Morpheus.exe" -min--Morpheus
Adware - Brilliant Digital
Alexa HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping--8192--{c95fe080-8f5d-11d2-a20b-00aa003c157a}
SpyWare/Adware - Alexa
Registry scan result:
Suspicious keys found: 8

Started folder scan
====================
BDE C:\WINDOWS\SYSTEM\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
Adware - Brilliant Digital

Adware C:\WINDOWS\TEMP\Adware
Adware - Adware


Folder scan result:
Folder processed: 0
Suspicious folders found: 2

Started file scan
====================
Gator C:\WINDOWS\GatorPdpSetup.log
Adware - Gator

Transponder C:\WINDOWS\BI.DLL
Adware - Transponder

SideStep C:\WINDOWS\SbCIe0261.dll
SpyWare - SideStep

iGetNet C:\WINDOWS\SYSTEM\RSP001.DLL
Spy - iGetNet Inc.

iGetNet C:\WINDOWS\SYSTEM\Update_com.DLL
Spy - iGetNet Inc.

POP Apropos Media C:\WINDOWS\SYSTEM\popfil.dll
SpyWare - Apropos Media

ShopAtHomeSelect C:\WINDOWS\SYSTEM\SahAgent.exe
SpyWare/AdWare - ShopAtHome

FavoriteMan/Td1 C:\WINDOWS\SYSTEM\td1.dll
Adware - FavoriteMan

WurldMedia C:\WINDOWS\SYSTEM\mo030414s.dll
Adware - WurldMedia

Transponder C:\WINDOWS\TEMP\bi.dll
Adware - Transponder

ShopAtHomeSelect C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll
SpyWare/AdWare - ShopAtHome

POP Apropos Media C:\Program Files\POP\pophook3.dll
SpyWare - Apropos Media

POP Apropos Media C:\Program Files\POP\pop205.dll
SpyWare - Apropos Media

POP Apropos Media C:\Program Files\POP\PopSrv205.exe
SpyWare - Apropos Media

POP Apropos Media C:\Program Files\Netscape\Communicator\Program\AIM\PopupShim.dll
SpyWare - Apropos Media

Transponder C:\Program Files\ClearSearch\BI.DLL
Adware - Transponder

ShopNav C:\Program Files\Srng\SrngHelper.exe
SpyWare - Srng.net

SC Bar C:\Program Files\scbar\v2\scbar.dll
SpyWare - SC Bar


File scan result:
Suspicious files found: 18

Scanning finished
====================
Suspicious modules found: 0
Suspicious keys found: 8
Suspicious folders found: 2
Suspicious files found: 18
====================

Components ignored:0
Total components found:28

To clean, I was whisked away to this site:
http://www.spykiller.com/secureorder.asp?spys=28
where it says:
"28 SpyWare and AdWare parasite(s) on your computer right now!

WARNING: You need to unlock SpyKiller by ordering below to
clean your system of SpyWare now!

Buy SpyKiller 2003 now for today's special offer price of only $39.95!

This is $20.00 off the retail price!"

Don't worry, I am far more persistent than all this! Thanks Again,
 

·
Registered
Joined
·
46 Posts
Discussion Starter #20
Ran Spybot S & D 1.2

Cleaned out several things, don't have a log of that.

"150 bad products are now blocked"

This may be the ticket!!
 