Member Avatar for groundchuck

I was recently at a friends house and while on their PC I noticed it was extremely sluggish and laden with pop ups. He's using an older gateway with a pentium 2 running 98SE with a cable internet connection. I asked him if he had ever gone through his system and removed spyware and he had no idea what that even was. I installed search and destroy for him and ran the program to remove the spyware on his system. This removed 73 different pieces of spyware. Unfortunatly now IE is showing an error where it can't locate the server. All of the lights on the modem indicate that there is a connection there so it seems to be a matter of communication between the computer/IE and the modem. I tried undoing everything but that didn't help, it just put the spyway back on his computer. Any thoughts on this? Does anyone have any experience with this happening? I did catch something about a 180 file while going through search and destroy. Something about it being removed without my knowledge and it needed to be reinstalled but low and behold it has to connect to the internet to download it and since he can't connect to the internet it doesn't matter. I also went through and installed all of the critical windows updates as well but it was working fine after that. Another note, search and destroy was not able to remove all of the spyware on the first time around so I had it run on start up after the reboot. IE worked prior to shutting down and after rebooting and removing the last of the spyware that it couldn't remove the first time around is when IE seemed to quit working. Is there something I can download and burn to disc that I can take over there to help restore the original settings and get him back online? If anyone can help and needs additional info let me know and I'll post what I can find. Thanks!

  • 6 Contributors
  • 10 Replies
  • 306 Views
  • 2 Months Discussion Span
  • Latest Post Latest Post by Calisto

Recommended Answers

All 10 Replies

Member Avatar for DMR

The "180" file is a piece of the 180 Search Assistant malware. You didn't remove all of it, so now it's "kindly" asking to be reinstalled.

SpyBot alone will not be able to fix everything. You should, at the least, also get Ad Aware. Run Ad Aware and Spybot consecutively, rebooting after each program is run. Also- Ad Aware gets updated quite frequently; make sure you have the latest reference file before actually running the program.

In terms of the Internet connection- many spyware programs can "break" your TCP/IP software, or alter your system in other ways which make browsing impossible. We need a better idea of exactly what got altered, so...

I'm moving this thread to our Security forum. In many of the other threads there you'll find instructions for downloading and running a program called HijackThis (a link to HJT is in my sig below), which can generate a log file which will contain useful info about the malware on your system. After running Ad Aware and SpyBot (have them fix everything they find), run HJT according to the instructions found in the other threads, have it scan (do not have it fix anything yet!), save the log file it generates, open the log file in Notepad, and cut-n-paste the contents of the file here.

Member Avatar for groundchuck

Thanks for the reply. I just burned both programs to disc, since I can't download them on his comp from the internet, and will post the results Friday. Hopefully his computer can be fixed. I'm pretty sure that nothing I did is responsible for the problem since all I did was install S&D and run it but his girlfriend isn't so easily convinced so this will basically save my behind if you can help me fix it.

Member Avatar for DMR

Cool- after you do the Ad Aware and SpyBot runs, make sure to run HijackThis and pull a copy of the log so that you can post it here. We'll look over the log and see if there are still traces of any Gremlins.

Member Avatar for groundchuck

If it isn't one thing it's another. I put adaware on and found an additional 44 files that I cleaned up and then went to run hijackthis only to discover he was now missing a MSVBVM60.DLL file. It took me awhile but I located a copy of the file and put it on his comp. Here is the log report.

Logfile of HijackThis v1.97.7
Scan saved at 3:27:37 PM, on 7/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\DATA CACHING\FLASHKSK.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.5424074074
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab

Member Avatar for crunchie

You should put hijackthis.exe into it's own folder for when it creates back-ups.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)

O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"

O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\PROGRAM FILES\WEB_REBATES

Reboot normally.

Member Avatar for ZWheel

Often times spyware will put hooks in to the winsock. The winsock is a part of windows that windows needs to access any kind of network. Often times after the spyware is removed the hooks remain but go nowhere. Sometimes all internet connectivity goes away, other times it just makes certain programs stop working online. Try searching Google for how to restore the winsock. Also, go in to tools->internet options->advanced and un-check "enable 3rd party browser extentions" It's usually the last thing in the list of checkboxes you can see w/out scrolling down any. Once back online, pick a more secure browser and use that instead of IE!

Member Avatar for DMR

O10 - Broken Internet access because of LSP provider 'wps.dll' missing

The above entry in your HJT log does indeed indicate a broken/corrupted TCP/IP stack, as others have suggested. The winsockxpfix program mentioned is only for Win XP, so it probably won't help you; try one of these alternative programs:

Winsock2 Fix

LSP-Fix

Member Avatar for crunchie

that dll is for sygate firewall.

Member Avatar for Calisto

There is a winsock fix on the Ad-aware site. Search under "ad-aware for new users".

Maybe this is the one 4 U??

xxx

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.