No internet due to Spyware

My mothers AMD tower always had problems (mostly because she downloaded practically everything she saw) but recently, aside from all the hideous pop up ads and unwanted programs invading her privacy and downloading themselves onto her computer, her internet has gone completely offline. The CICERO tower was recently brought back from Future shops technical center because the technician informed my mother that the cause of her problem was overwhelming spyware.

When I heard of this I told her to give me the system as I foolishly assumed it would be as easy as getting rid of all the spyware that had attempted to infect my newly purchased AMD XP computer.

I installed my two favorite applications onto her system. BPS Spyware Remover ( http://www.Bulletproofsoft.com ) and Ad-Aware 6.0 ( http://lavasoft.element5.com/support/download/ )

After detecting and eliminating countless spyware infected registry keys, memory processes, files folders and literal programs, I rebooted the computer only to be bombarded upon startup with RUNDLL error messages. The messages are provided below

-Error could not execute main: The system cannot find the file specified (this one puzzled me the most)
-Error loading C:/PROGRA~1/NEWDOT~1/NEWDOT~2.DLL
-Error loading C:/WINDOWS/SYSTEM32/stlbdist.dll The specified module could not be
found
-Error loading C:/WINDOWS/bsx5.dll The specified module could not be found
-Error loading C:/WINDOWS/bs2.dll The specified module could not be found

Now I remember a time when I removed a spyware component that activated a RUNDLL error when starting my Windows XP; "missing bridge.dll" and on this forums http://www.daniweb.com/techtalkforums/member.php?userid=2466 provided the solution shown here http://www.daniweb.com/techtalkforums/showthread.php?t=5591&goto=nextnewest

Can these RUNDLL problems be solved in a similar way? If so can someone show me how?

Also, after browsing a while on these forums I discovered that the cause of my mother’s internet problem could be directly related to possible spyware. That certain spyware component can reconfigure the TCP/IP protocol which would effectively screw up the internet settings. What can I do so that I can get internet back on the system; fix the RUNDLL error messages without having to reformat the computer? (She hasn’t even made her recovery discs which I think could cause some problems with the computer in its current condition)

Also, just as an FYI, I checked the TCP/IP protocol settings constantly making sure everything was checked to auto detect (I'm running Shaw cable) and I checked the Internet LAN settings dozens of times. All in all im pretty confident when I say that our LAN internet settings are configured properly. We also run our internet through a Linksys router, and our two other computers run just fine off of it. So the internet connection is obviously still there.

-Computer Model-
Specs: AMD Athlon XP 2200 (1.8GH) 225mb RAM, 80 GB hard drive)
OS: XP 5.1 (Build 2600) -I discovered this information off of a virus removal program called Extendia Anti-Virus, for some reason I couldn’t access the system properties menu.-
Manufacturer: CICERO

Omni

Junior Poster in Training

77 posts since Jul 2004

Reputation Points: 10

Solved Threads: 1

7 Years Ago

First of all we have to remove Newdotnet, either from add/remove programs, or by going here. & scrolling down to the uninstall tool.

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot

Download & instal Spybot S&D from here. Update it before scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad activex controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot

Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive).
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

Ok thanks allot, i'll get on that right away and post the results

Omni

Junior Poster in Training

77 posts since Jul 2004

Reputation Points: 10

Solved Threads: 1

7 Years Ago

Sorry for the lateness of my reply, I was away for the week and was unable to work on my mothers computer. Anyways I did those scans on her system but was unable to update the packages as her internet was being blocked somehow (by the spy ware component I imagine) So I had to scan them without the updates

I managed to delete around the sum of 500 spy ware components, Registry keys and memory processes. After performing Spybot and Hijack, this is the Log I recovered. I have deleted nothing as per your instructions.

Logfile of HijackThis v1.98.2
Scan saved at 11:05:05 PM, on 07/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\eXtendia AntiVirus AVK Pro\AVKService.exe
C:\Program Files\eXtendia AntiVirus AVK Pro\AVKWCtl.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\windows\Explorer.EXE
C:\windows\SOUNDMAN.EXE
C:\windows\System32\S3tray2.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\windows\mHotkey.exe
C:\windows\System32\carpserv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\System32\ctfmon.exe
C:\WINDOWS\System32\Oqrh8N.exe
C:\WINDOWS\System32\Oqrh8N.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shaw.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E60CFC77-C277-4C7B-BCA4-0F2AA36D9282} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - (no file)
O4 - HKLM\..\Run: [5232ZK34FD8JGQ] C:\windows\System32\PlsO0A54.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Program Files\eXtendia AntiVirus AVK Pro\AVKPOP.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Owner\Client\HelpExp.exe
O4 - HKCU\..\Run: [Cuse] C:\Documents and Settings\Owner\Application Data\soeo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Shaw Help - {3B163087-29DF-46DE-A556-348DBF497A74} - http://support.shaw.home.com (file missing) (HKCU)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

I have gained internet access but I would still prefer to remove those RUNDLL error messages I get on startup. Thanks

Omni

Junior Poster in Training

77 posts since Jul 2004

Reputation Points: 10

Solved Threads: 1

7 Years Ago

Download the PeperFix.exe tool from here:

http://downloads.subratam.org/PeperFix.exe

Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.
Ensure that you are online before starting the fix. Make sure to run the fix twice.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O3 - Toolbar: (no name) - {E60CFC77-C277-4C7B-BCA4-0F2AA36D9282} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - (no file)

O4 - HKLM\..\Run: [5232ZK34FD8JGQ] C:\windows\System32\PlsO0A54.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Owner\Client\HelpExp.exe
O4 - HKCU\..\Run: [Cuse] C:\Documents and Settings\Owner\Application Data\soeo.exe

O9 - Extra button: Shaw Help - {3B163087-29DF-46DE-A556-348DBF497A74} - http://support.shaw.home.com (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\windows\System32\PlsO0A54.exe-file

C:\PROGRA~1\SYSTEM~1-folder (systemsoap Pro I believe. Cannot see the full name)
C:\Documents and Settings\Owner\Application Data\soeo.exe

Still in safe mode do the following;
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

Empty the Recycle Bin.

You also need to disable the following;
C:\Program Files\Alset\HelpExpress\Owner\Client\HelpExp.exe

I am not familiar with the program, so unfortunately am not sure how to go about it apart from opening the program & configuring it to not run the help express.

Post another log when done please.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

Download the PeperFix.exe tool from here:

http://downloads.subratam.org/PeperFix.exe

Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.
Ensure that you are online before starting the fix. Make sure to run the fix twice.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O3 - Toolbar: (no name) - {E60CFC77-C277-4C7B-BCA4-0F2AA36D9282} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - (no file)

O4 - HKLM\..\Run: [5232ZK34FD8JGQ] C:\windows\System32\PlsO0A54.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Owner\Client\HelpExp.exe
O4 - HKCU\..\Run: [Cuse] C:\Documents and Settings\Owner\Application Data\soeo.exe

O9 - Extra button: Shaw Help - {3B163087-29DF-46DE-A556-348DBF497A74} - http://support.shaw.home.com (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\windows\System32\PlsO0A54.exe-file

C:\PROGRA~1\SYSTEM~1-folder (systemsoap Pro I believe. Cannot see the full name)
C:\Documents and Settings\Owner\Application Data\soeo.exe

Still in safe mode do the following;
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

Empty the Recycle Bin.

You also need to disable the following;
C:\Program Files\Alset\HelpExpress\Owner\Client\HelpExp.exe

I am not familiar with the program, so unfortunately am not sure how to go about it apart from opening the program & configuring it to not run the help express.

Post another log when done please.

The http://downloads.subratam.org/PeperFix.exe addy seems to be a broken link. Is the server having some down time or have you accidentally given me the wrong url? ^_^;;

Omni

Junior Poster in Training

77 posts since Jul 2004

Reputation Points: 10

Solved Threads: 1

7 Years Ago

Sorry for this, I cant seem to find the *edit* post tab anywhere for my last post so i'll be brief.

I figure this might all be resolved by the program you intend for me to download and run off of her computer but I figure I mightest well ask anyways to be informed (seeing how I provided a visual aid anyways)

http://eclipse-manga.fateback.com/Main%20Pages/crapy.htm

The two pictures you see are the files I seem to be unable to remove from her hard disk. The second showing fewer files then the first, but also showing the same few files that wouldnt be removed. Can you explain why adware cant remove them? And her computer is riddled with popups that open up after a delay of maybe 4 minutes and programs that install desktop shortcuts on her desktop. Is this a direct or indirect result of these spyware components? Arent popup spyware components the bare basic and should have been removed on one of the first series of indepth scans I did?

Should I assume that this Peperfix.exe tool would remove these components and popup adds as well or am I getting to ahead of myself? Sorry but I figure I mightest well ask seeing how the peperfix.exe tool URL isnt responding (hopefully only for now)

Any advice is much appreciated, I like being informed on stuff ^,^ if im getting to ahead of myself just let me know and i'll shutup and listen to your instructions. :)

Omni

Junior Poster in Training

77 posts since Jul 2004

Reputation Points: 10

Solved Threads: 1

7 Years Ago

Ok back on topic, the Peperfix.exe file successfully launched and downloaded and I ran it on my mothers CICERO as per your instructions, I preformed what you told me to do and here is the result

"Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.
Ensure that you are online before starting the fix. Make sure to run the fix twice."

I did this and I ran it twice. I am unsure of the number it detected the first time but I know the second scan said 6 files detected.

"Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O3 - Toolbar: (no name) - {E60CFC77-C277-4C7B-BCA4-0F2AA36D9282} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - (no file)

O4 - HKLM\..\Run: [5232ZK34FD8JGQ] C:\windows\System32\PlsO0A54.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Owner\Client\HelpExp.exe
O4 - HKCU\..\Run: [Cuse] C:\Documents and Settings\Owner\Application Data\soeo.exe

O9 - Extra button: Shaw Help - {3B163087-29DF-46DE-A556-348DBF497A74} - http://support.shaw.home.com (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www"

Some of the files mentioned above which you obtained from my first Hijack data log (like R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank, R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = ) werent even listed any longer. I am unaware if that is a good or bad thing.

Here is the new log I obtained after fixing the files I could find that you instructed me to delete…

Logfile of HijackThis v1.98.2
Scan saved at 3:12:17 PM, on 08/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\windows\Explorer.EXE
C:\windows\SOUNDMAN.EXE
C:\windows\System32\S3tray2.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\windows\mHotkey.exe
C:\windows\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SED\SED.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Owner\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.omentkwswzqonck.com/AUJGu_d_JA8EW_P0Ik1TEqjGUFYEHkODoqzdtTIt2vAo9opvdxOEIQg8cznLTNn6.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [5232ZK34FD8JGQ] C:\windows\System32\BdqFN.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [thirddata] C:\PROGRA~1\MEOWMO~1\Date Team.exe
O4 - HKLM\..\Run: [bait scr active once] C:\Documents and Settings\All Users\Application Data\Grid view bait scr\Dvd window.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

--End of Log--

Carrying on....

"I]Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\windows\System32\PlsO0A54.exe-file

C:\PROGRA~1\SYSTEM~1-folder (systemsoap Pro I believe. Cannot see the full name)
C:\Documents and Settings\Owner\Application Data\soeo.exe"

I entered into safe mode but I didn’t find any of the above files when I accessed the folders

"Still in safe mode do the following;
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies."

Done

"Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete. Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)"

It said it deleted all 19 of the listed files; however after deletion I clearly saw all 19 still in the folder. When I prompted to delete again, a window popped up claiming they were deleted but again they were visually still there. I doubt that’s supposed to happen…right?

"This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\"

Did not find anything in that temp folder that needed deletion

"Empty the Recycle Bin."

Done

"You also need to disable the following;
C:\Program Files\Alset\HelpExpress\Owner\Client\HelpExp.exe

I am not familiar with the program, so unfortunately am not sure how to go about it apart from opening the program & configuring it to not run the help express."

It was unwittingly already uninstalled until I double clicked the application and installed it once again (doh!) I accessed MSCONFIG and disabled it from startup.

The computer runs fine now, I am no longer getting pop ups or installed software components, but that could be due to the BSP popup blocker I installed. I found out that BSP spyware is really a copyright infringed software rip off of Spybot although I’m not entirely sure if that makes BPS software then a spyware component or just illegal software. It seems to be doing an effective enough job. The computer speed has increased dramatically and yes I have already gained internet access. Is there anything that still needs to be done? If so please tell me!

Omni

Junior Poster in Training

77 posts since Jul 2004

Reputation Points: 10

Solved Threads: 1

7 Years Ago

:eek: You done a lot of typing whilst I was away :) . Probably most of your questions have already been answered. You have managed to pick up more stuff.

Please go here for Wintools removal instructions.

This next one do exactly or you could lose your internet connection!!

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "lspak.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Boot into safe mode after doing the above & close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.omentkwswzqonck.com/AUJG...Qg8cznLTNn6.asp

O4 - HKLM\..\Run: [5232ZK34FD8JGQ] C:\windows\System32\BdqFN.exe
O4 - HKLM\..\Run: [thirddata] C:\PROGRA~1\MEOWMO~1\Date Team.exe
O4 - HKLM\..\Run: [bait scr active once] C:\Documents and Settings\All Users\Application Data\Grid view bait scr\Dvd window.exe

Delete the following manually;

C:\windows\System32\BdqFN.exe-file
c:\windows\system32\lspak.dll

C:\PROGRA~1\MEOWMO~1-folder
C:\Documents and Settings\All Users\Application Data\Grid view bait scr-folder

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally. Could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run this uninstaller:
http://lop.com/new_uninstall.exe

Go here to download easycleaner. Install it & run it whilst in safe mode to delete those temp folder contents.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

7 Years Ago

i deleted the lspak.dll so my internet connection is gone.
any help with this plzzzz

d0mb0

Newbie Poster

1 post since Aug 2004

Reputation Points: 10

Solved Threads: 0

7 Years Ago

i deleted the lspak.dll so my internet connection is gone.
any help with this plzzzz

Download LSPfix from here
Open the program then click Finish.
If that doesn't fix it, start your own thread & give us some more info with which to work with. Operating System etc.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

This article has been dead for over three months

You