Status
Not open for further replies.
1 - 15 of 15 Posts

·
Registered
Joined
·
53 Posts
Discussion Starter · #1 ·
Every few minutes, I get these Messenger Service pop-ups saying that my computer is infested with spyware, etc. How can I stop these?

Dell Dimension 2350
Windows XP <2002, version 2/service pack 1>
Pentium 4
256 MB RAM
 

·
Registered
Joined
·
49,014 Posts
SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
AdAware SE http://www.majorgeeks.com/download506.html
SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

DL them (they are free), install them, check each for their definition updates and then run AdAware and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
SpyBot - After an update run immunize

Do these and reboot before the next step.

Then get HiJack This http://www.majorgeeks.com/download3155.html, put it in a permanent folder (C:\HJT), run it, DO NOT fix anything, post the log here.
 

·
Registered
Joined
·
49,014 Posts
Run those others first but

Open the log in notepad

EDIT - SELECT ALL
EDIT - COPY

Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE
 

·
Registered
Joined
·
296 Posts
Start => control panel => performance and maintenance => administrative tools => services => Stop the messenger service, then disable it.

Note: this does not affect Windows or MSN Messenger.
 

·
Registered
Joined
·
53 Posts
Discussion Starter · #6 ·
Logfile of HijackThis v1.99.0
Scan saved at 7:23:42 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\worvwpxu\LB8HAR0R.exe
C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
C:\documents and settings\julie heimbach\local settings\temp\1HJ3A.exe
C:\documents and settings\julie heimbach\local settings\temp\WSKM.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\UraV12X0.exe
C:\WINDOWS\System32\Nyx42g.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe
C:\hijackthis\HijackThis.exe
C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\Temporary Directory 1 for HJT.zip\HijackThis.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

·
Registered
Joined
·
53 Posts
Discussion Starter · #8 ·
Logfile of HijackThis v1.99.0
Scan saved at 7:52:45 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\worvwpxu\LB8HAR0R.exe
C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
C:\documents and settings\julie heimbach\local settings\temp\1HJ3A.exe
C:\documents and settings\julie heimbach\local settings\temp\WSKM.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\UraV12X0.exe
C:\WINDOWS\System32\Nyx42g.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\TLuhBi.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oywf2.exe
O4 - HKLM\..\Run: [RQpHZsEx] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [[email protected]@#W58AF62E] C:\WINDOWS\System32\Preu0YNR.exe
O4 - HKLM\..\Run: [bAVJY5Uw] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [Zk0HZ9Ex] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [ZYpGSwow] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [qsmV3qR] con_qic.exe
O4 - HKLM\..\Run: [d4iJh6Da] C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
O4 - HKLM\..\Run: [1HJ3A] C:\documents and settings\julie heimbach\local settings\temp\1HJ3A.exe
O4 - HKLM\..\Run: [WSKM] C:\documents and settings\julie heimbach\local settings\temp\WSKM.exe
O4 - HKLM\..\Run: [ntao.exe] C:\WINDOWS\system32\ntao.exe
O4 - HKLM\..\Run: [QwVGSw1x] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [Yw0HUA1w] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [ewVGSAow] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [bB59Rkd6i] cmuadhlp.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Julie Heimbach\Application Data\eetu.exe
O4 - HKCU\..\Run: [Laas] C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC169A70-A072-4C13-AE81-043A42C0904E}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

·
Registered
Joined
·
49,014 Posts
Move HiJackThis.exe to a permanent folder like C:\HJT

CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
Close all browser windows, open cwshredder.exe, then click "Fix" and let it run.

Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip
Run Hoster and press Restore Original Hosts, OK, and Exit Program.

PEPER Go here http://www.thespykiller.co.uk/ and click on Downloads to get the peper trojan uninstaller.

Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

Print this out – boot to safe mode – fix using HJT

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R3 - Default URLSearchHook is missing

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\TLuhBi.dll

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oywf2.exe

O4 - HKLM\..\Run: [RQpHZsEx] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe

O4 - HKLM\..\Run: [[email protected]@#W58AF62E] C:\WINDOWS\System32\Preu0YNR.exe

O4 - HKLM\..\Run: [bAVJY5Uw] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [Zk0HZ9Ex] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [ZYpGSwow] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe

O4 - HKLM\..\Run: [qsmV3qR] con_qic.exe

O4 - HKLM\..\Run: [d4iJh6Da] C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe

O4 - HKLM\..\Run: [1HJ3A] C:\documents and settings\julie heimbach\local settings\temp\1HJ3A.exe
O4 - HKLM\..\Run: [WSKM] C:\documents and settings\julie heimbach\local settings\temp\WSKM.exe

O4 - HKLM\..\Run: [ntao.exe] C:\WINDOWS\system32\ntao.exe

O4 - HKLM\..\Run: [QwVGSw1x] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [Yw0HUA1w] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [ewVGSAow] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe

O4 - HKCU\..\Run: [bB59Rkd6i] cmuadhlp.exe

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Julie Heimbach\Application Data\eetu.exe

O4 - HKCU\..\Run: [Laas] C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files
C:\WINDOWS\system32\ntao.exe
C:\WINDOWS\System32\Preu0YNR.exe
C:\WINDOWS\System32\Oywf2.exe

Delete these folders
C:\PROGRAM FILES\worvwpxu

Temp

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
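
The fix list above singles out autorun (O4) entries by hand. As an added example that is not part of the original thread, this Python script parses O4 lines in the HijackThis format shown here and flags two patterns visible in the posted log: an image that runs from a per-user Temp or Application Data directory, and one image registered under several Run value names. Both heuristics and all function names are assumptions for illustration, not the helper's stated criteria, and entries they miss still need manual review.

```python
import re
from collections import defaultdict

# O4 (autorun) lines copied from the HijackThis log posted in this thread, plus one O3 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RQpHZsEx] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [bAVJY5Uw] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [d4iJh6Da] C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
O4 - HKCU\..\Run: [Laas] C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Assumed heuristic: per-user writable locations are unusual homes for autoruns.
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")

def image_path(command):
    """Return the lower-cased executable path, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.(?:exe|com|bat|dll))(?:\s|$)", command, re.I)
    return (m.group(1) if m else command).lower()

def parse_o4(log):
    """Yield (hive, value_name, image) for each registry Run-style O4 line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3), image_path(m.group(4))

def triage(log):
    """Map each flagged image path to the list of reasons it deserves a closer look."""
    names = defaultdict(set)
    for _hive, name, image in parse_o4(log):
        names[image].add(name)
    findings = {}
    for image, value_names in names.items():
        reasons = []
        if any(part in image for part in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if len(value_names) > 1:
            reasons.append(f"registered under {len(value_names)} value names")
        if reasons:
            findings[image] = reasons
    return findings

if __name__ == "__main__": print(triage(SAMPLE_LOG))
```
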
 

·
Registered
Joined
·
53 Posts
Discussion Starter · #14 ·
I tried to run Peper Trojan uninstaller, but it would not run all the way through.

When I try to delete C:\Program Files\worvwpxu, I get a message saying Cannot delete cnml.exe....access denied.

Logfile of HijackThis v1.99.0
Scan saved at 9:32:32 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\worvwpxu\LB8HAR0R.exe
C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\Mc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RQpHZsEx] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC169A70-A072-4C13-AE81-043A42C0904E}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 