Neighbor has tons of spyware

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

Hi guys... sorry to do this, but I was helping my neighbor with spyware again. I used Ad-Aware (custom settings), Spybot, SW Shredder, SpywareBlaster and Bazooka, but I still could not get rid of all the spyware. Here is her spyware log. Sorry about this. Thanks a ton.

Logfile of HijackThis v1.98.0
Scan saved at 10:30:51 PM, on 25/08/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\ieoe.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ipqb.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\************\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [atlbt32.exe] C:\WINDOWS\system32\atlbt32.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Heehee, this is going to be fun. I'll append what to fix to this post. It'll be a few minutes...

Okay. I'd boot into safe mode, run HijackThis and fix these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676


Delete the file wdqwk.dll in system32.

Run HijackThis again and post a log. This is a nasty case. Look at this thread: http://www.able2know.com/forums/about30900.html

I'm not sure about ieoe.exe that's listed in the running processes.
Haven't found any info on that. I'll keep looking and in the meantime, we can try to fix the others.

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

Thanks... I knew you would be on the case, JrzyCrim... you are spyware's worst enemy.

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Lol, I'm not really that great. Mostly google searching for this stuff. I do like to kill spyware.

Look at this hijack log: http://www.experts-exchange.com/Operati ... 74446.html

Scroll down past the adverts. That's the worst one I've ever seen.

Anyway, wish I knew what ieoe.exe is. Seems suspicious to me, as well as this no-name BHO: O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll

The only thing I found relating to mfcbw32.dll is near the end of this very long web page:
http://spywaredata.com/spyware/bho.php?limit=show_all

No description is given. Apparently the verdict is still out on this one as the status is listed as 'pending'. If we get rid of the other junk and problems still occur, I say kill it. :twisted: Well, maybe not. Probably shouldn't get too carried away...

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

Thanks a ton. I'll go over to her place in the morning and clean all that out, and then post the log after it's all done. Thanks a lot, man.

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Turn off system restore before fixing anything. In fact, let me just group all the things to fix in one nice and neat post:

Boot into safe mode.

Launch Task manager and end these processes if they are running:
atlbt32.exe* <-I'm not sure about this one. Better hold off...
ipqb.exe

Fix the following
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKLM\..\RunOnce: [atlbt32.exe] C:\WINDOWS\system32\atlbt32.exe* <hold off on killing this...


Delete these files from system32:
atlbt32.exe* <Not sure, don't delete yet.
ipqb.exe
wdqwk.dll

I'd do a search to see if these exist anywhere else on the computer. Remove any instance of them.

You might find that the file wdqwk.dll has morphed into a different file; if that's the case, then fix all the items associated with res://C:\WINDOWS\system32\????.dll/sp.html#96676

Reboot, run HijackThis again and post the log.

Off to bed. We'll see what's what later today.


* Still haven't figured out what atlbt32.exe is.
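As an added example (not HijackThis code, and not code posted by anyone in this thread), a small Python triage script for the checklist above: it flags the sp.html search-hijack entries whatever the DLL is currently called, the unnamed BHO and the random-named system32 autostarts, and compares two logs so a renamed DLL or entries that come back after a cleanup stand out. The sample logs are constructed from lines quoted in this thread; qzxcv.dll is a made-up name standing in for a morphed copy.

```python
import re
from dataclasses import dataclass

# The hijacker this thread is chasing: every IE search setting points at
# res://C:\WINDOWS\system32\<random>.dll/sp.html#96676. Only the location and
# the sp.html page are matched, because the DLL name can differ per victim
# and, as the post above warns, "morph" between cleanups.
SP_HTML_RE = re.compile(
    r"res://(?P<dll>C:\\WINDOWS\\system32\\[A-Za-z0-9]+\.dll)/sp\.html#\d+",
    re.IGNORECASE,
)
# O4 autostart entries: Run/RunOnce key, [name] and the launched path.
O4_RE = re.compile(
    r"^O4 - HK[CL][UM]\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<path>.+)$"
)
# Heuristic only: a short, random-looking bare executable in system32 such as
# ipqb.exe or atlbt32.exe. It asks for a manual look-up; it is not a verdict.
RANDOM_SYS32_EXE_RE = re.compile(
    r"^C:\\WINDOWS\\system32\\[a-z0-9]{4,8}\.exe$", re.IGNORECASE
)

@dataclass(frozen=True)
class Finding:
    kind: str
    line: str

def triage(log: str) -> list[Finding]:
    """Return the HijackThis lines a helper would want to look at first."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in log.splitlines()):
        m = SP_HTML_RE.search(line)
        if m:
            findings.append(Finding("sp.html hijack via " + m.group("dll"), line))
        elif "Default_Page_URL = about:blank" in line:
            findings.append(Finding("about:blank default page", line))
        elif line.startswith("O2 - BHO: (no name)"):
            findings.append(Finding("unnamed BHO", line))
        else:
            m = O4_RE.match(line)
            if m and RANDOM_SYS32_EXE_RE.match(m.group("path")):
                findings.append(Finding(m.group("key") + " random system32 exe", line))
    return findings

def hijack_dlls(log: str) -> set[str]:
    """DLL paths currently carrying the sp.html hijack, case-folded."""
    return {m.group("dll").lower() for m in SP_HTML_RE.finditer(log)}

def new_hijack_dlls(before: str, after: str) -> set[str]:
    """Hijack DLLs in the later log that were absent earlier: a renamed copy."""
    return hijack_dlls(after) - hijack_dlls(before)

def reinfected(before: str, after: str) -> set[str]:
    """Flagged lines fixed in the first log that are back in the second."""
    return {f.line for f in triage(before)} & {f.line for f in triage(after)}

# Constructed samples: a subset of the first log in the thread, the log taken
# after the safe-mode cleanup, and a hypothetical renamed DLL (qzxcv.dll is
# made up for this example).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKLM\..\RunOnce: [atlbt32.exe] C:\WINDOWS\system32\atlbt32.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
"""
LOG_MORPHED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qzxcv.dll/sp.html#96676
"""
```

Running `triage(LOG_BEFORE)` lists six entries to review and leaves the Norton, Google and System Mechanic lines alone; `reinfected(LOG_BEFORE, LOG_AFTER)` shows the five entries that returned after the safe-mode cleanup.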

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

All the spyware seems to have returned when I booted up after cleaning it out in safe mode.

Logfile of HijackThis v1.98.0
Scan saved at 2:28:34 PM, on 26/08/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\ieoe.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ipqb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\************\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

I was afraid something like that might happen.

It could be related to this:

http://www.trendmicro.com/vinfo/virusen ... J_AGENT.AC

You might try doing a virus scan to see if a specific problem is identified.

Also, try the methods used in this thread at TomCoyote Forums:
http://forums.tomcoyote.org/index.php?showtopic=15162

About atlbt32.exe, open regedit, and navigate to this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Look for a value associated with atlbt32.exe and delete it. If not found there, look in this key:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


Sorry, I should have been clearer about atlbt32.exe. I wasn't sure what that was and said in my last post to hold off on deleting that for now. You probably missed that...

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

I didn't delete it. I only took it out of system32. OK, I'm scanning for viruses now using Trend Micro. Once I'm done, what will I have to do to get rid of the spyware?

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Ah. That's good. Leave it out for now and see if you can find that registry value I mentioned.

I'll keep looking around for more info about the main problem, the sp.html-related items, in case the info on those other sites doesn't prove useful.

We'll see what it identifies and go from there.

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

I was not able to locate the files associated with atlbt32.exe. I did, however, see ipqb.exe in the first registry area you told me to look in. I left ipqb.exe alone though.

I'm going to try the steps on that link you sent me now.

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Go ahead and delete the value for ipqb.exe. I thought hijack this would have removed that.

Did that virus scan turn up anything yet?

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

Nothing yet... but I'm using an updated Norton because Trend Micro will not work for some reason. It won't let me install the ActiveX for it for some reason.

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Hmm, not sure about the ActiveX problem. That might be disabled in Internet Properties.

Yeah, try out the procedure at TomCoyote Forums. The HijackThis stuff will be slightly different, but you know which ones you have to fix.

And download the latest version of Hijack This if you haven't already...
https://ssl.perfora.net/tools.radiospla ... ckThis.exe

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

Thanks, I'm just gonna finish up the virus scan, then reboot into safe mode and follow the instructions. Thanks, man.

Oh, one other thing: should I continue to leave atlbt32.exe alone?

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

No problem. This benefits me as well. This is a tricky one for sure. Good luck with it and please feel free to ask for more help.

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

Oh, one other thing: should I continue to leave atlbt32.exe alone?

After all this is done I should really get them Firefox, because her kids are into everything.

ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)
Post 3+ Months Ago

I didn't notice where it was mentioned that you disabled system restore? If you don't it could explain why some things keep coming right back at you.

For Jim, the only clue I could find about ieoe.exe was this pdf:
http://www.cit.gu.edu.au/~noran/Docs/HEA-Page89.pdf

Looks like some type of runtime environment. Might be something with SP2. (My first thought was Internet ExplorerOutlookExpress)

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

For now. I'd hate to get rid of it not knowing what it is. Put it back in the system32 directory and maybe we'll be able to find something out about it later.

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

OK. Yeah, system restore has been off on this computer for months.

After this I gotta sort out her performance issues too. Dang, this is gonna take a while.

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

JrzyCrim wrote:
Turn off system restore before fixing anything. ....


It's in there :) doesn't hurt to mention it though. Things were getting a bit disjointed in this thread; my fault- I compiled all the repair procedures in a later post including the bit about system restore. Not surprised you missed it.

ATNO/TW wrote:
For Jim, the only clue I could find about ieoe.exe was this pdf:
http://www.cit.gu.edu.au/~noran/Docs/HEA-Page89.pdf

Looks like some type of runtime environment. Might be something with SP2. (My first thought was Internet ExplorerOutlookExpress)


Thanks for that. That's what I thought but I also considered that it might be something masquerading under the guise of something familiar.

ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)
Post 3+ Months Ago

Check this log and fix:

http://www.d-a-l.com/help/archive/index.php/t-1023.html

This guy had ieoe.exe and was instructed to remove it with no apparent adverse results. Besides, it's a runonce item and after it's run, it's not needed any longer.

He did solve it (next to last post). I've never heard of about:buster, but apparently another hijack fix program that might be worth looking into.

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

Hmmm, Norton didn't pick up anything (what a waste of 50+ minutes). Oh well, I'm gonna reboot now and try to get rid of this demon spawn. Wish me luck. Before I do, what do you advise I do about ieoe.exe?

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Remove it. I've found a couple of other threads where the user was told to remove ieoe.exe.

I did a search on my system for that file and it's not present so I'm guessing it's safe to remove.

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

I don't know why, but for some strange reason the computer will not let me boot into safe mode or enter the BIOS. I've tried about 10 times. Safe mode worked before when I pressed F8 during startup, but now it is not working. Any idea why? Do I 100% need to enter safe mode to remove the spyware?

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Hmm, I don't know what to think about this new problem. It won't hurt to try it in normal mode. I'll see if I can turn up anything about your safe mode problem. You might try a cold boot. Is the keyboard USB?

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

I booted it in diagnostic mode... it's pretty much the same as safe mode but without the low-res and hardware stuff.

Right now I'm back home eating. I cleaned it all out with HijackThis. It's scanning with Ad-Aware at the moment, and then I'm gonna scan with Spybot. Then I'll clean the Internet cache and throw it back into normal mode, and hopefully the spyware will be gone... I'll post the log when it's all done... thanks for the help so far.

beings (Expert, Posts: 539, Loc: Canada)
Post 3+ Months Ago

OK, I cleaned out everything that I needed to, but I found 2 files with Ad-Aware, and I went to look at HijackThis again and found this suspicious file. I am still in diagnostic mode at her house. This is the HijackThis file I took while in diagnostic mode... I'm hoping to get all the nasties in one go this time. Thanks for the help.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O19 - User stylesheet: (file missing)

This file looks suspicious to me, what do you think? \/ \/
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll

JrzyCrim (Mastermind, Posts: 2062)
Post 3+ Months Ago

Fix these two.

O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O19 - User stylesheet: (file missing)

It sure does look much cleaner now.

I'd recommend installing spywareblaster.
http://www.javacoolsoftware.com/spywareblaster.html

ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)
Post 3+ Months Ago

I checked the status of this with spywaredata.com:
spywaredata.com

It looks like this is still pending. Make a backup of it to floppy and "fix" it and see what happens. The backup will let you restore it if it's necessary, but I seriously doubt it.

(That link is Google's cached version of the page, btw -- it's the only way I could see it without going through all the links.)
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.