0

Crunchie, or anyone else who can help,

Further to my earlier post, here is a copy of my scanlog from HJT. I am pretty sure that my machine is totally filled with s**t and I would like to remove as much of it as possible, but mainly this hotoffers lark. Trust you will tell me what to do from here. Cheers.

Logfile of HijackThis v1.99.1
Scan saved at 21:51:18, on 11/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\MSOFFICE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\DRDWS.EXE
C:\PROGRAM FILES\180SOLUTIONS\SAIS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\STOADDR.EXE
C:\PROGRAM FILES\INTERNET\ICC\ICC2000.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\UKQQ\UKQQM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\DESKTOP\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SU1111FKA.EXE
C:\WINDOWS\B218769200\BUILD2.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\PRIVATE-ZONE.EXE
C:\WINDOWS\SYSTEM\DLOAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vtmikuxkajyrkhcr.com/kD5cSLlJ7UWUE2xKGvMdMRkoatA6ADpbBNSm5eyXmyRIVRwHGPp_CYUJFKrntDyD.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ulead.com/register/reg.htm
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
F1 - win.ini: load=PTSNOOP.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\msoffice.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: (no name) - {78B07F7C-A43E-B730-88CB-BF820E34BBC9} - C:\WINDOWS\APPLICATION DATA\WAYCAMPERROR\WAVEWIPE.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Netline User] c:\windows\netchk.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT113777.EXE -auto
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoaderosqJ1IKjNIXO] "C:\WINDOWS\SYSTEM\SRWPP.EXE"
O4 - HKLM\..\Run: [oF9f36X] SRWPP.EXE
O4 - HKLM\..\Run: [LinkDumbGreatManager] C:\WINDOWS\Application Data\axis bone link dumb\eachsixth.exe
O4 - HKLM\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PmwsMhe4] C:\DRDWS.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [gzazinef] C:\WINDOWS\gzazinef.exe
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\Run: [PmwsMh$vùõš/‚²‘ÆßfC:\Program Files\ISTsvc\istsvc.exe] C:\DRDWS.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ZoqpRWbpW] STOADDR.EXE
O4 - HKCU\..\Run: [ford lite] C:\WINDOWS\APPLIC~1\DVDLOCKS\Gram Once.exe
O4 - HKCU\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [ICC2000] C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe
O4 - HKCU\..\Run: [UKQQ] C:\PROGRAM FILES\COMMON FILES\UKQQ\UKQQM.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\600CU\UNINST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Desktop\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm006
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.topconverting.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_211/webolr/OCX/FlashAX.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn1742.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

5
Contributors
28
Replies
29
Views
12 Years
Discussion Span
Last Post by Weeian
0

Go
Here
and Get Trojan-Hunter Fully working trial! and run a full scan
,,,,,,,,,,,,,,,,,,,,,
To remove trojans there is a tool which needs to be downloaded and run.

1. Please download Stinger and save it to your desktop

2. Double-click on the stinger.exe file and open the tool

3. Choose your entire hard drive to scan.

4. Choose Scan Now

5. Stinger will fix anything that it finds

6. Click the File menu and select Save report to file

7. Post the log file results here in this thread.

STINGER

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Reboot to SAFE mode to delete files
How to start computer in safe mode

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan Please do an online scan, 2 would be better,

Micro World http://www.mwti.net/antivirus/free_utilities.asp
Trend Micro http://housecall.trendmicro.com/housecall/start_corp.asp

Make sure that you choose "fix" or "clean".

.
,,,,,,,,,,,,,,,,,,,,,,,,,,
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from these places :-


http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from :-
HERE
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
If needed !!!!!!
Reboot and post a new HiJackThis log. You need an updated version of Hijackthis which you can get from HERE

Then post a HJT log as a reply to this topic.

0

JHC thats a lotta downloading and scanning man! Do I haev a lotta crap on this computer?? What have I got on there?? With a dial up connection that'll take forever to do, however I'll give it a go, thanks for your help dude. BTW if theres a quicker way, I'd be glad to hear it!

0

Yep, you got a lot of nasties there. The main one being (perhaps) the Bube infection.

Please go here for the instructions on how to remove the Bube.d (aka Win32.Beavis) Removal [isrvs] infection.
Once done, repost a new log here and we will finish off the clean up.

This, so far, is the only available fix.

0

Thanks again Crunchie, must admit, havn't a clue what a bube infection is but I don't want one!! I'm at work again so I'll give it a go when I get home. I got as far as running and cleaning with Trojan Hunter last night, seemed to pick out and clean quite a lot of nasties so I'm gonna run TH again tonight see what comes up and then try this Bube thingy. Should I post a HJT log after that??

0

Yes, you need to post another hijackthis log. Try to do as much of what Caperjack advised too.
Don't forget that you need to reboot, then scan with hijackthis.

Please go here and have this file scanned.

C:\WINDOWS\SYSTEM\msoffice.exe

Post the results back please.

Try the Symantec's fix tool to remove the Ist bar.

Should keep you busy :mrgreen:

PS. Oh, get service pack one for Internet Explorer too.

0

Wohhhhhhhhh, the list gets bigger lol

Thanks, I'll do as much as I can tonight, reboot, and post a HJT log for attention tomorrow.

0

Guys, heres my log from Jotti's malware, Im about to run the bube remover so fibgers crossed, after that its back to caperjacks extensive list lol, any further suggestions? dare i ask lol

------------------------------------------------------------------

Jotti's malware scan 2.99-TRANSITION_TO_3.00

File to upload & scan:
Service
Service load: 0% 100%

File: msoffice.exe
Status: INFECTED/MALWARE
Packers detected: -
Scanner results
AntiVir Found W32/Bube.K
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found W32.Bube.K
Dr.Web Found Win32.Beavis.5632
F-Prot Antivirus Found nothing
Fortinet Found W32/Bube.K
Kaspersky Anti-Virus Found Virus.Win32.Bube.k
mks_vir Found nothing
NOD32 Found Win32/Bube.K
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

* Creating several executable files on hard-drive.
* File length: 5632 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\sample.exe.
* Creates file C:\WINDOWS\SYSTEM\msoffice.exe.
* Creates file .\commands.ini.

[ Changes to registry ]
* Creates value "WebRun"="C:\WINDOWS\SYSTEM\sample.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "WebRun"="C:\WINDOWS\SYSTEM\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "FirewallDisableNotify"="" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "UpdatesDisableNotify"="" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "AntiVirusDisableNotify"="" in key "HKLM\Software\Microsoft\Security Center".
* Sets value "Cartman"="1
VBA32 Found Unknown.Win32Virus (probable variant)

0

OK so ive got a window after downloading the 'hoster' file that wants me to create a hosts file?? I dont know what to do with this!

0

You should already have a hosts file by default on your pc. Is it asking you to back it up? The Hoster is a legit tool and should do no harm to your pc. I have it on mine. It may be asking to reset your hosts file which will simply restore it to the default. If you are using any form of 3rd party hosts list, you will need to re-input it/them after resetting with the Hoster.

0

Crunchie, it is a large window with loads of options like 'Make hosts read only' 'Add to hosts file' 'Remove from hosts file' 'Restore Microsoft original' etc etc.What do I do?

I have now run stinger, heres what I got..

McAfee AVERT Stinger Version 2.5.3 built on Mar 1 2005

Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Mar 1 2005.

Ready to scan for 53 viruses, trojans and variants.

Scan initiated on Tue Apr 12 22:11:51 2005

Number of clean files: 123193

Does this look right, doesn't seem to have picked anything up??

0

Have just reboted and ran another HJT scan, here it is. Am I any better (or worse) off for the few scans performed so far? Have I cleaned anything out? I still have hotoffers hijacker as my homepage!!

Logfile of HijackThis v1.99.1
Scan saved at 23:30:30, on 12/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\MSOFFICE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\DRDWS.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET\ICC\ICC2000.EXE
C:\WINDOWS\DESKTOP\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hhxmtklyikipowgonveen.net/kD5cSLlJ7UWUE2xKGvMdMRkoatA6ADpbBNSm5eyXmyQVyEjZpIS534UJFKrntDyD.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ulead.com/register/reg.htm
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
F1 - win.ini: load=PTSNOOP.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\msoffice.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: (no name) - {78B07F7C-A43E-B730-88CB-BF820E34BBC9} - C:\WINDOWS\APPLICATION DATA\WAYCAMPERROR\WAVEWIPE.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Netline User] c:\windows\netchk.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT113777.EXE -auto
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoaderosqJ1IKjNIXO] "C:\WINDOWS\SYSTEM\SRWPP.EXE"
O4 - HKLM\..\Run: [oF9f36X] SRWPP.EXE
O4 - HKLM\..\Run: [LinkDumbGreatManager] C:\WINDOWS\Application Data\axis bone link dumb\eachsixth.exe
O4 - HKLM\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PmwsMhe4] C:\DRDWS.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [gzazinef] C:\WINDOWS\gzazinef.exe
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\Run: [PmwsMh$vùõš/‚²‘ÆßfC:\Program Files\ISTsvc\istsvc.exe] C:\DRDWS.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ZoqpRWbpW] STOADDR.EXE
O4 - HKCU\..\Run: [ford lite] C:\WINDOWS\APPLIC~1\DVDLOCKS\Gram Once.exe
O4 - HKCU\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [ICC2000] C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe
O4 - HKCU\..\Run: [UKQQ] C:\PROGRAM FILES\COMMON FILES\UKQQ\UKQQM.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\600CU\UNINST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Desktop\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm006
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.topconverting.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_211/webolr/OCX/FlashAX.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn1742.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

0

That still looks pretty ugly. :(

Did you have a chance to follow (exactly and completely) the bube infection removal procedures in the link that crunchie gave earlier?

If not, you need to do that now. While you definitely have other "unwanted guests" on your system, the bube infection is probably the most persistent of all, and it should be dealt with first.

0

Thanks DMR, no I havn't ran the Bube remover yet, will be doing that tonite. I have so many programs and scans to run that it takes forever with dial up to download them and run them etc so I can only do a couple every night. Hovever, I note what you say about the bube infection so I'll give that immediate attention. Thanks for your help.

0

Dial-up eh? Yes, that can make things more tedious, but try to bear with us. Unfortunately, some of these infections are very difficult to remove, hence the need use multiple utilities in the cleaning process.

Do the bube removal process when you get a chance and give us a fresh log after that. When you do go through the removal steps, make sure to run both programs (Kaspersky's and Microsoft's) mentioned in the article crunchie linked to; neither one alone seems to fully take care of the infection.

0

So heres the next problem guys, I cant download the KVS 5.0 to get the bube infection due to the fact that i also seem to have a dialer hijacker on here. KVS gets to 34% dowload then the computer just starts to dial up on its own which of course knocks me offline and stops my download. The download time for KVS with dial up is about 1 hour and 10 minutes!!! Ive tried twice and both times at 34% dowloaded the dialer goes off on its own. I'm pretty sure that nothing can come of the 'phantom' dialer as I have a bar on premium rate numbers being dialed on my line but its still stopping me from downloading the KVS thing to take care of this bube infection. Any ideas??? I'm now just about at my wits end with this crap and almost ready to just chuck the machine in the bin!

0

That being the case I think you should show us another hijackthis log and we will attempt to clean up what we can. You can then have another go at the download.

0

...and we will attempt to clean up what we can...

*Groan* Just give me a moment to remember where I put that pair of surgical gloves first, OK? :D

0

Thanks Crunchie and DMR, this could get messy then lol,

I have run Mwav but my computer froze as I was trying to post the result of the scan. Basically there were viruses everywhere, 130 approximately from memory. I’ll run it again and post the results.

So far I have run Trojan hunter and stinger. I was thinking of moving on to the next step and deleting all my temp files, what do you think? Trojan Hunter seems very useful, it keeps popping up with viruses to clean.

Anyway, heres a new HJT log. I await your instructions from here to clean this thing up a bit then try the KVS download to remove the dreaded Bube! A sincere thanks to you and all who have given your time to help this far, its very much appreciated and never taken for granted. Thank you all.

Logfile of HijackThis v1.99.1
Scan saved at 22:38:10, on 13/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\MSOFFICE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\DRDWS.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\DESKTOP\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hzimiaeqdiepbmogecdfa.com/kD5cSLlJ7UWUE2xKGvMdMRkoatA6ADpbBNSm5eyXmyTn6/XsFaSPYYUJFKrntDyD.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ulead.com/register/reg.htm
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
F1 - win.ini: load=C:\WINDOWS\PTSNOOP.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\msoffice.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: (no name) - {78B07F7C-A43E-B730-88CB-BF820E34BBC9} - C:\WINDOWS\APPLICATION DATA\WAYCAMPERROR\WAVEWIPE.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Netline User] c:\windows\netchk.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LinkDumbGreatManager] C:\WINDOWS\Application Data\axis bone link dumb\eachsixth.exe
O4 - HKLM\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [PmwsMhe4] C:\DRDWS.EXE
O4 - HKLM\..\Run: [PmwsMh$v ùõš/‚²‘Æ ßfC:\Program Files\ISTsvc\istsvc.exe] C:\DRDWS.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ford lite] C:\WINDOWS\APPLIC~1\DVDLOCKS\Gram Once.exe
O4 - HKCU\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [ICC2000] C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\600CU\UNINST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Desktop\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm006
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.topconverting.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_211/webolr/OCX/FlashAX.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn1742.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

0

Alright, here we go. And yes- it will be messy, especially given that you're on dial-up and the "nasties" are mucking with your ability to download.

First of all- Do you have access to a (non-infected) computer with a faster Net connection and the ability to burn a CD? If so, we can give you the download links for the utilities that might be helpful in your case and you could install them on the infected machine that way.

Whether or not you do, let's start with some of manual removal and see where that gets us. Please print out the following instructions and then physically disconnect your phone/modem line from the computer during the course of this unless we specifically ask you to go online.


1. Have HijackThis fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hzimiaeqdiepbmogecdfa.co...UJFKrntDyD.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ulead.com/register/reg.htm
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\msoffice.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: (no name) - {78B07F7C-A43E-B730-88CB-BF820E34BBC9} - C:\WINDOWS\APPLICATION DATA\WAYCAMPERROR\WAVEWIPE.EXE
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [Netline User] c:\windows\netchk.exe
O4 - HKLM\..\Run: [LinkDumbGreatManager] C:\WINDOWS\Application Data\axis bone link dumb\eachsixth.exe
O4 - HKLM\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [PmwsMhe4] C:\DRDWS.EXE
O4 - HKLM\..\Run: [PmwsMh$v ùõš/‚²‘Æ ßfC:\Program Files\ISTsvc\istsvc.exe] C:\DRDWS.EXE
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ford lite] C:\WINDOWS\APPLIC~1\DVDLOCKS\Gram Once.exe
O4 - HKCU\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: DLHelperEXE.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm006
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.topconverting.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhe...n7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/m...OCX/FlashAX.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/...erInstaller.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn1742.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and under View-> Folder Options menu, select "show all files".

- Find and delete the following files:
C:\WINDOWS\SYSTEM\msoffice.exe
c:\windows\netchk.exe
C:\WINDOWS\SYSTEM\WEB.EXE
C:\DRDWS.EXE
DLHelperEXE.exe

- Find and delete the following folders entirely:
C:\Program Files\CxtPls
C:\WINDOWS\APPLICATION DATA\WAYCAMPERROR
C:\WINDOWS\Application Data\axis bone link dumb
C:\PROGRAM FILES\MYWEBSearch
C:\Program Files\ISTsvc
C:\WINDOWS\APPLICATION DATA\DVDLOCKS
C:\Program Files\royalvegasMPP
C:\Program Files\riverbelleMPP

- Locate and delete the contents of any/all of the folders with the following names (do not delete the folderes themselves though, only their contents):

1. Temp
2. Cookies
3. History
4. Temporary Internet Files


Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


2. Reboot normally, run HijackThis again, and post the new log.

0

Thanks DMR, I'll give this a go tonight when I get home from work.

I have access to a non infected machine in work with a broadband connection although dont know if I can burn a CD on it, will check that out.

I'll have HJT fix the above and then post my new log for further instructions.

0

OK guys, I have deleted as advised. I couldn’t find c:\windows\netchk.exe, and DLHelperEXE.exe, can u point me in the right direction? Also when deleting my temp files and cookies I couldn’t delete Index.dat as it just wouldn’t delete! Should I delete the folder that it is in? Heres my latest HJT log. What next??

Logfile of HijackThis v1.99.1
Scan saved at 19:45:47, on 14/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\DESKTOP\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: load=C:\WINDOWS\PTSNOOP.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ICC2000] C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\600CU\UNINST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Desktop\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE

BTW (fingers crossed) this seems to have eradicated the hotoffers problem. I'll have to wait til moro nite to try the KVS DL for Bube as its late now (11pm here) to start, but I take it that should be my next port of call??

0

Please go here and have this file scanned.

c:\program files\internet explorer\connection wizard\netcheck.exe

Post back the results please.

You should try the Bube removal again too.

0

1.

...when deleting my temp files and cookies I couldn’t delete Index.dat as it just wouldn’t delete! Should I delete the folder that it is in?

Note what I mentioned earlier regarding the index.dat (and desktop.ini) file:

Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

2.

BTW (fingers crossed) this seems to have eradicated the hotoffers problem.

Yes, but you are still infected with other nasties; see below:


3.

I'll have to wait til moro nite to try the KVS DL for Bube as its late now (11pm here) to start, but I take it that should be my next port of call??

Absolutely; do that as soon as you can. Entries in your last log still do indicate the bube.d infection. Also submit the netcheck.exe file for scanning as crunchie adivsed and give us the feedback on that once you've had a chance to do so.

0

Crunchie, heres the result from the jotti's scan;

Jotti's malware scan 2.99-TRANSITION_TO_3.00

File to upload & scan:
Service
Service load: 0% 100%

File: netcheck.exe
Status: OK
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing


DMR, I'll have a look back and do as advised on those two files that wouldn't delete. Still cant download that KVS program for Bube removal!! The download just keeps gettin interupted and a message that 'connection to the server was reset' It happened when I was trying to download an online poker program too though so doesn't seem to be rstricted to the KVS program. I'm going to have to try the other suggestion, ie downloading and saving it in work then putting it onto my computer that way.

0

Crunchie & DMR,

If your there, I need help again. I haven't forgotton about this Bube thing, in fact far from it. Been trying to remove since my last post!!

I was able to DL it in work on a faster connection, it DL'd in about 2 minutes compared to the dial up 1hr 20mins!! So I DL'd it to a friends USB 2.0 flash drive which I assume makes sense to you!

When I try to run it on my computer it asks me to purchase a licence key. I cant get past this point. It is definately the trial version I DL'd as I've done it several times now and every time it ask me to purchase the licence key before I can continue, suggestive of course that this isn't the trial version! I have DL'd it from the 'downloads' 'free trials' section of the Kaspersky site so its gotta be the right one. I had of course assumed that there would be no purchase required with a trial version. Is this correct???

I'm at my wits end here with this as I can't DL anything on this computer withough the conenction to the server being 'reset' which I assume is the doing of the bube virus on self survival mode. I cant DL Kaspersky or a poker romo that I recently tried, the connection is 'reset' every time midway through the DL.

Any ideas on the 'licence key; thing on Kaspersky???????

0

I noticed HotOffers in your log, so I thought I'd make a suggestion:

Get the Pocket Killbox from here (if you don't already have it -- I haven't read the entire thread):
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any of these files could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Reboot normally, delete any unwanted icons from your desktop, and empty your Recycle Bin.

Go to Windows Update and get the Critical Updates for your system ASAP.

Update your antivirus program and do a full system scan.

0

Also, try to get hold of FireFox browser, install it on your PC and attempt to download Kaspersky with FF.

0

Thanks guys, Crunchie, as I said, I aready tried the Kaspersky program but the problem is that the free trial version is asking me to purchase a registry key???

I'm sure that it is the free trial version that I am using but dont know what the whole registry key thing is about and can't understand why I would be asked to purchase a registry key on a 'free' trial version program!!! Any thoughts??

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.