
Discussion Starter · #1 ·
I've spent the last 24 hours trying to get rid of the spyware dumped on my computer from ezboard ads. I have a 300 Mhz Cyrix processor, AOL 7, Windows 95. Google is my home page, but it was giving me fake google pages and it kept trying to execute a program when I visited various sites, especially this one. I think I've gotten rid of most of it, but I am still getting an alternate "Microsoft Explorer" pop up when I start IE. Here is my latest 'Hijack This' log:

Logfile of HijackThis v1.97.7
Scan saved at 7:34:01 PM, on 3/21/04
Platform: Windows 95 C (Win9x 4.00.1111)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\EACCELERATION\EANTHOLOGY.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE
C:\PROGRAM FILES\AOL 7.0B\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\AOL 7.0B\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\WINHLP32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\dh2pkvvv.slt\prefs.js)
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE0.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SystemTasks] C:\dk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.EXE
O4 - HKLM\..\Run: [PFDDAXH] C:\WINDOWS\PFDDAXH.exe
O4 - HKLM\..\Run: [VFWQUNU] C:\WINDOWS\VFWQUNU.exe
O4 - HKLM\..\Run: [CQA] C:\WINDOWS\CQA.exe
O4 - HKLM\..\Run: [JMQTKKBHL] C:\WINDOWS\JMQTKKBHL.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0b\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab
 

The following programs might freeze/crash due to you running a win95 platform, but give a shot at it:

  1. Download Ad-Aware 6.181 from http://www.lavasoftusa.com/
  2. Install the program, open it and check to make sure you have the latest reference file by clicking on webupdate. Make sure that your reference file reads 01R273 21.03.2004 (or higher number/date). If it does not, then click here and install the file manually.
  3. Make sure the following settings are turned to ON
    -From the main window click on Start then Activate in-depth scan.
    -Click on Use custom scanning options>Customize and make sure the following options are turned on:
    Scan within archives
    Scan active processes
    Scan registry
    Scan my IE Favorites for banned URL
    Scan my host-files
  4. Click on Settings and make sure the following are enabled:
    Unload recognized processes during scanning
  5. Click on Cleaning engine and make sure that Let windows remove files in use at next reboot is on.
  6. Finally Click Proceed to save your settings.
  7. Click on Scan Now from the main window and select Use Custom Scanning options and click scan.
  8. When scan completes, remove all items, then run another scan but this time select the Perform Smart-System Scan option and then also remove all items it finds.

then

  1. Download Spybot S&D from this page
  2. Open and install the program then click here and follow the instructions for updating the program. Download all available updates.
  3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems
  4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

If it does crash/freeze then perform the following instead.

Go to Add/Remove Programs and uninstall any of the following that you have listed:
Download Receiver
Stop Sign
Webcelerator

Delete the following folders:
C:\PROGRA~1\COMMON~1\EACCEL~1
(I can't make out the directory, but it should be C:\Program Files\Common Files\eAcceleration)

Next..

Remove the following files from HJT by placing checks by them and then clicking on fix.

O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE0.DLL

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.EXE

O4 - HKLM\..\Run: [JMQTKKBHL] C:\WINDOWS\JMQTKKBHL.exe

Note: To view these files, you will most likely need to have view hidden/system files enabled. Click Here for instructions on how to do so

Delete these files:
*C:\WINDOWS\BXXS5.DLL
*C:\PROGRAM FILES\N-CASE\MSBB.EXE
*C:\WINDOWS\PFDDAXH.exe
*C:\WINDOWS\VFWQUNU.exe
*C:\WINDOWS\JMQTKKBHL.exe

Reboot

Delete these folders:
C:\PROGRAM FILES\N-CASE

If the deletion of any of these files/folders gives an "access denied" or any such error, then reboot to safe mode (Click here for instructions on how to get to safe mode) and attempt to delete the files/folders.

It also seems that you are using Acceleration Software for an antivirus program - I would recommend getting another AV program. A good free one is AVG - http://www.grisoft.com/us/us_dwnl_free.php. If you are in need of fully removing Accel. Software after you uninstall it, then feel free to ask someone here (it will leave nasty spyware behind even after uninstall).

No clue what these entries are - maybe someone else can be more insightful.

O4 - HKLM\..\Run: [SystemTasks] C:\dk.exe
O4 - HKLM\..\Run: [CQA] C:\WINDOWS\CQA.exe <<compaq related?

PS: I wrote this all in one go, forgive any typos/grammar problems (plus it's getting late)

Post another log when done with all of the above
 

Originally posted by Nok1:
Flrman, you get your hands on this post yet?
Yep! ;)

This one needs to be fixed too:

O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k

Also Go here

Scroll to the bottom of the page and look for the Submit file section.

Click on Browse

Navigate to the C:\WINDOWS folder and upload the .... CQA.exe .... file and let us know what you find.

Do the same with C:\dk.exe

Any executable sitting all by its lonesome in C: is suspect.
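The triage in the two replies above reduces to a few rules that can be run mechanically over a HijackThis log: an O2 BHO with no name, and an O4 run entry whose executable sits alone in the root of C:. The script below is an added example, not code from the thread or from HijackThis; it adds one heuristic of my own (an assumption, not stated by either poster): a run-key value whose name is a random-looking run of capital letters pointing straight into C:\WINDOWS, which is what the five PFDDAXH-style entries in post #1 have in common. The sample log is constructed from lines modelled on post #1.

```python
import re

# Constructed sample in HijackThis v1.97 format, modelled on the log posted in this thread
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SystemTasks] C:\dk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [PFDDAXH] C:\WINDOWS\PFDDAXH.exe
O4 - HKLM\..\Run: [CQA] C:\WINDOWS\CQA.exe
O4 - HKLM\..\Run: [JMQTKKBHL] C:\WINDOWS\JMQTKKBHL.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def program_path(command):
    """Executable (or the DLL behind RunDLL32) named by a Run-key command, arguments dropped."""
    m = re.match(r"(?i)^rundll32(?:\.exe)?\s+([^,]+)", command)
    if m:
        return m.group(1).strip()
    m = re.match(r"(?i)^(.*?\.(?:exe|dll|com|scr))(?:\s|$)", command)
    return m.group(1) if m else command.split()[0]


def flag_reasons(path, value_name):
    """Triage rules from this thread (plus one assumed heuristic); returns a list of reasons."""
    parts, reasons = path.split("\\"), []
    if len(parts) == 2 and parts[0].upper() == "C:":
        reasons.append("executable sitting by itself in the root of C:")
    # Assumed heuristic: random-looking all-capitals value name pointing straight into C:\WINDOWS
    if len(parts) == 3 and parts[1].upper() == "WINDOWS" and re.fullmatch(r"[A-Z]{3,}", value_name):
        reasons.append("random-looking uppercase name dropped into C:\\WINDOWS")
    return reasons


def triage(log_text):
    """Return [(hjt_line, reason), ...] for entries worth a closer look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if (m := O2_RE.match(line)) and m.group(1) == "(no name)":
            findings.append((line, "BHO with no name"))
        elif m := O4_RE.match(line):
            for reason in flag_reasons(program_path(m.group(3)), m.group(2)):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for hjt_line, why in triage(SAMPLE_LOG):
        print(f"{why}: {hjt_line}")
```

Flagged entries are candidates for the upload-and-check step described above, not automatic deletions; the legitimate RealPlayer, SysTray and SpyKiller entries in the sample pass through untouched.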
 

Discussion Starter · #7 ·
Deleting those lines from my hijack log seems to have done the trick. I know there was something suspicious about the CQA.exe file because I had written it down on my list of entries that had been flagged. When I searched for it using 'Find files' I found it in the SpyBot Search and Destroy files and in the recycle bin. I haven't had the chance to locate it through the 'browse files' option at the virus scanner yet because the files are named differently when I look through there.
Thanks for your help. :up: :)
 

Did you set your folder options to show hidden files before looking for them?
 