Explorer debilitated by spyware... 2

[CorpCo]

I was minding my business, trying to get some information on the net for a client when one of those annoying pop-up ads flew in my face. I was in a hurry, so not heeding my own words said not one day before to the entire office: "I don't care what it is...DON'T CLICK ON IT!", I clicked the "x" to close the ad. I was immediately bombarded with several different spyware and adware bugs. As soon as I saw this happening, I went to "add/remove programs" to get rid of the obvious problems, then ran both adaware and spybot to remove any other miscellany. It seemed I was successful, but I had a problem with Explorer from the moment it all occurred.

At first, it was just a little slow. Then it would intermittently be fine, then not respond. Now I don't think it works at all. I use the internet A LOT for my job so I had to find a remedy. That remedy was to download Firefox. Firefox is fine, but it doesn't work on everything. I want my Explorer back!

I am hoping that someone can help me with this without my having to reinstall my operating system. I am currently running XP Pro.

Anyone? I'd love to be able to fix this the easy way!

Christy

 

[aquias]

Hola and welcome!

My recommendations to you are to do the following...

1. Go to

http://housecall.trendmicro.com/

and run the virus/spyware scanner.
2. Once that's completed download the microsoft beta spyware client (by far the most complete free spyware product I've used), install and run this as well.
3. Lastly, go to

http://www.spywareinfo.com/~merijn/

and download HijackThis!.
This will give you a long and intimidating list of running programs, registry entries, and files that may or may not be valid for the operation of your system. Post a log here and we can help you diagnose what may be wrong.

 

[CorpCo]

I thought I'd start with the housecall thing...but am having an install problem. It keeps telling me that it can't find the "plugins" folder of my Netscape. I found the Mozilla Firefox folder and the plugins subfolder, but it still says it can't find the "plugins" folder and for me to please locate it. Am I missing something?

RE: Hijack this - I'm familiar with it, but it was too scary for me. I'll download it now and post the log there for you to view as soon as I get it together.

Help me with the housecall problem?

Thanks!
Christy

 

[aquias]

The problem you're having with housecall is that it only supports IE. Try using that, if you can, if not skip over it and we'll install the MS product.

 

[LloydSev]

c:\windows\downloaded installations\

Delete everything there.

c:\windows\downloaded program files\

Delete everything there.

That should at least get rid of the BHOs that are slowing your explorer down.

Computer/Network Technician
CCNA

 

[ShackDaddy]

I like to use SpyBot, especially the advanced options that let you sort through startup entries and BHOs.

http://www.safer-networking.org

Christy, if you found Aquias's post especially helpful or valuable, take the time to give him a star. That's how we reward each other's help here on Tek-Tips.

ShackDaddy

 

[CorpCo]

Well, after some work, I finally got the Explorer working enough to use the housecall scanner. It found the following, which it deemed "Non Cleanable":

TROJ DROP.A
TROJ STARTPAG.MZ
TROJ GOLID.E
TROJ GOLID.M
TROJ ISTBAR.HE
TROJ GOLID.M (AGAIN)
TROJ STARTPAG.MZ (AGAIN)
TROJ SMALL.MAR
TROJ SMALL.ACD

What can I do? Just hit the delete button?

Christy

 

[ShackDaddy]

I haven't used HouseCall, but I would just go ahead and delete if it was me.

 

[CorpCo]

I deleted them. Thanks SD!

Here is my logfile from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:56:35 PM, on 3/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\XeloPDFWriter\XeloPDFWriter.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\csnow\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://smbusiness.dellnet.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://g.msn.com/0SEENUS/SAOS01

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://smbusiness.dellnet.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6E6225B2-A17F-5405-433B-8A5ABE25CEC0} - C:\WINDOWS\system32\bfdwmyxx.dll
O2 - BHO: (no name) - {8C90A973-8EDE-2E5F-8AB2-5A70720C6885} - C:\WINDOWS\system32\apzytems.dll (file missing)
O2 - BHO: (no name) - {EF2C2503-5FB6-4777-1856-D87BA21789D7} - C:\WINDOWS\system32\kymeftmp.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\\RegistryController.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Xelo PDF Driver.lnk = C:\XeloPDFWriter\XeloPDFWriter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0 Professional\PDFConv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone:

http://*.hp.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -

https://a248.e.akamai.net/7/248/11498/v1/www.moveonpac.org/content/qt/qtplugin.cab

O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) -

http://www.dced.state.ak.us/CFIDE/classes/CFJava.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) -

http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) -

http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) -

http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -

http://fdl.msn.com/zone/datafiles/heartbeat.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ROBGRAYLAW.COM
O17 - HKLM\Software\..\Telephony: DomainName = ROBGRAYLAW.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ROBGRAYLAW.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ROBGRAYLAW.COM
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\uervpa.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Miscrosoft Updates Service 5 (MsUpdate5) - Unknown owner - C:\WINDOWS\system32\msupd5.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Now what?

Christy

 

[deduct]

I'd get rid of the three BHO (no name).

Karl

 

[Mike2287]

here's another. although it says the file is gone

O23 - Service: Miscrosoft Updates Service 5 (MsUpdate5) - Unknown owner - C:\WINDOWS\system32\msupd5.exe (file missing)

 

[CorpCo]

Thanks Karl. Will do. Any more suggestions? Which ones would be good to add to the "ignore list"?

I think I'll try to use this thing more often. I have it on my computer at home, but never knew which to get rid of. I love this website more and more...

Christy

 

[Mike2287]

Paste your log here.

http://www.hijackthis.de/en

its a good tool for analyzing the log

 

[aquias]

Mike is correct, that is an excellent web site. Just be careful and don't take what it says as law, as it can (and will) flag files and entries, that you'll need to run certain programs.

Beyond what has already been pointed at it looks as if there isn't more to remove. How's the system running?

 

[ShackDaddy]

I'd still download and run SpyBot, and then look at the Advanced options. I see a bunch of BHO crap in your HijackThis log that you'd be able to remove easily with Spybot, especially if you look through SpyBot's Advanced Startup section.

 

[CorpCo]

Thanks everyone! I think the combination of the two links from aquias and the hijack help page from Mike were very helpful. We'll find out soon enough if I accidentally removed something I needed, but I think I scrutinized fairly closely.

To ShackDaddy: I already run Spybot about 1-2 times a week. I need to make it law that everyone in the office does it too though. If I ran into this kind of trouble...anyone in the office can. The hardest part is getting them to follow through with my instructions.

One thing to note: That housecall thing found stuff my Symantec didn't previously find and that neither Adaware nor Spybot found. I'm going to bookmark the page.

Thanks again! Stars for everyone! ;-)

Christy

 

[ShackDaddy]

One last note, Christy. I hope you have SpyBot version 1.3, since they stopped sending updates for version 1.2. I keep running into people who are running the old version and wondering why they are getting new trojans.

 

[CorpCo]

I do have 1.3. Thanks for mentioning it though!

Did I mention that I love this site?

Have a good day!

Christy

 

[aquias]

There is actually a 1.4 beta happening. My recommendation would be to move from using Spybot as your main line of defense against Spyware, to the MS product.

There are a few reasons for this.

1. The interface is easier for people to deal with and see. Mainly, if you compare it to teatimer.

2. The MS product can be setup to automatically update itself ensuring you're always at maximum protection.

3. MS is deploying a management utility for this product so you can begin to remotely deploy and, possibly, manage centrally.

Just a personal preference, I'm begining to migrate from Spybot to MS for that purpose.

 

[CorpCo]

I'm going to download and run it on my computer first...once I learn it, I'll make everyone in the office get it too. I've heard it was pretty good, but couldn't download it because of my explorer problem.

I see that you say it can be set up to automatically update itself, but can it be set up to run automatically? For example, once a week?