
Junkware


GreengoTheJeep (IS-IT--Management), Oct 25, 2003
I obviously have some junk running. I've run Spybot but it didn't get rid of everything. In a search for some of these remaining files (ie, belt.exe) I came across this site. I see everyone posts a log from this hijackthis program. So, I downloaded hijackthis and hopefully, someone can look this over and help. Some of this is obvious, but I'd like a thorough look.

Thanks

Logfile of HijackThis v1.97.3
Scan saved at 2:11:01 PM, on 10/25/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Saga\Super Popup Blocker\popkill.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Network Everywhere\Wireless Notebook Adapter\NWP11Cfg.exe
C:\Program Files\Alset\HelpExpress\osburn\HXIUL.EXE
C:\Program Files\Alset\HelpExpress\osburn\Client\HELPEXP.EXE
C:\Program Files\Alset\HelpExpress\osburn\Client\PrintMonitor.exe
C:\WINNT\emsw.exe
C:\WINNT\system32\wjview.exe
C:\Program Files\couponsandoffers\couponsandoffers.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\UrghOY.exe
C:\WINNT\system32\UutLEKur.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: HTML Source Editor - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINNT\system32\popkill.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\JximoD.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT\emsw.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKCU\..\Run: [Opad] C:\Documents and Settings\Matt Osburn\Application Data\scbr.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\osburn\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\osburn\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINNT\emsw.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Wireless Notebook Adapter Utility.lnk = C:\Program Files\Network Everywhere\Wireless Notebook Adapter\NWP11Cfg.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{47049D0D-D088-4477-A305-F319DF3589BA}: Domain = spawar.navy.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{47049D0D-D088-4477-A305-F319DF3589BA}: NameServer = 128.49.16.7,128.49.4.37
 
I'm no expert, but I see some correlations to a variant of Coolwebsearch. The O1-Hosts and R1-HKCU\Software\...\Main,Start Page_bak definitely seem related to this. Is your IE homepage changing to Searchv.com or any page changing to Searchv.com? May want to check out this link:


Your Hijack This information appears to be similar to some of the latest variants of the Coolwebsearch spyware. My suggestion would be to download the Beta 1.3 version of CWShredder.exe and run it. If the program doesn't find anything, it will tell you. If you try this please post back and let me know how it went.

Hope this helps.
 
Start by removing all these spyware/malware entries:

O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\JximoD.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT\emsw.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKCU\..\Run: [Opad] C:\Documents and Settings\Matt Osburn\Application Data\scbr.exe

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\osburn\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\osburn\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINNT\emsw.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

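A triage helper, added here as an example and not part of any post in this thread (nor code from HijackThis itself): it parses the `Rn - ...` / `On - ...` lines of a HijackThis log and flags the indicators the two replies point at, the `O1` hosts override and `Start Page_bak` key that the first reply ties to CoolWebSearch, and the autorun and context-menu entries the second reply lists by name. The sample log is a constructed subset of the log posted above with the run-together lines split back apart; the `FLAGGED_NAMES` list, the about:blank rule and the `(file missing)` rule are the example's own assumptions, not rules stated in the thread.

```python
"""Triage helper for HijackThis-style logs.

Added example (not code from this thread or from HijackThis): parses the
"Rn - ..." / "On - ..." entry lines and flags the indicators the replies discuss.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the thread, with the
# run-together lines split back onto their own lines (Start Page_bak is blank).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: HTML Source Editor - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINNT\system32\popkill.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\JximoD.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT\emsw.exe
O4 - HKCU\..\Run: [Opad] C:\Documents and Settings\Matt Osburn\Application Data\scbr.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
"""

# Names the second reply in the thread identified as spyware/malware entries.
# Assumption: a reviewer maintains this list from their own triage; nothing
# beyond the names quoted in the thread is asserted here.
FLAGGED_NAMES = ("JximoD.exe", "emsw.exe", "couponsandoffers", "scbr.exe", "HelpExpress")

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the original log line


def parse(log_text):
    """Return (code, body, line) for every HijackThis entry line; skip everything else."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def triage(log_text):
    """Flag entries matching the indicators discussed in the thread."""
    findings = []
    for code, body, line in parse(log_text):
        lower = body.lower()
        if code == "O1":
            # Hosts-file override; the first reply ties this to CoolWebSearch.
            findings.append(Finding(code, "hosts file override", line))
        elif code in ("R0", "R1") and "start page_bak" in lower:
            # Backup-of-start-page key, also named by the first reply.
            findings.append(Finding(code, "Start Page_bak key present", line))
        elif code in ("R0", "R1") and lower.endswith("= about:blank"):
            # Assumption: search/start settings forced to about:blank are treated
            # as hijacked (a commonly reported CoolWebSearch symptom).
            findings.append(Finding(code, "search/start setting set to about:blank", line))
        elif code == "O3" and "(file missing)" in lower:
            # Orphaned toolbar registration; HijackThis itself marks the file missing.
            findings.append(Finding(code, "toolbar registered but file missing", line))
        elif code in ("O4", "O8") and any(n.lower() in lower for n in FLAGGED_NAMES):
            findings.append(Finding(code, "autorun/menu entry named in reply as malware", line))
    return findings


def clean_entries(log_text):
    """Entries no rule flagged, for a quick 'what is left to review' view."""
    flagged = {f.line for f in triage(log_text)}
    return [line for _, _, line in parse(log_text) if line not in flagged]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:3} {f.reason:45} {f.line}")
    print(f"{len(clean_entries(SAMPLE_LOG))} entries not flagged")
```

Running it against the sample flags eight of the ten entries and leaves the Symantec `vptray` autorun and the `popkill.dll` BHO for manual review; the point is that the reviewer's name list and the structural rules (hosts override, backup key, orphaned file) are kept separate, so the list can be extended as a thread like this one identifies more entries.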
 
The best way to get rid of all spyware is starting your pc in safe-mode and then running a spyware remover.
 
Also, go to and download both Ad-aware and Spybot, great programs to remove spyware. Once those are downloaded download this
It's a version of a task manager that informs you where the actual files are, which DLLs are using it, and what part of the registry they are located in. Nice utility if you don't know what program to kill in your task manager.

Hope this helps.
 