Neighbor has tons of spyware

August 25th, 2004, 10:47 pm

Hi guys .... sorry to do this but i was helping my neighbor with spyware again i used ad-aware (custom settings), Spybot, SW Shredder, Spyware blaster, bazooka but i still could not get rid of all the spyware. Here is her spyware log. Sorry about this. Thanks a ton

Logfile of HijackThis v1.98.0
Scan saved at 10:30:51 PM, on 25/08/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\ieoe.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ipqb.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\************\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [atlbt32.exe] C:\WINDOWS\system32\atlbt32.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

August 25th, 2004, 11:07 pm

Heehee, this is going to be fun. I'll append what to fix to this post. It'll be a few minutes...

Okay. I'd boot into safe mode, run hijack this and fix these items:

Code: [ Download ] [ Select ]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676

1. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
2. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
3. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
4. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
5. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
6. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
7. R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
8. R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676

Delete the file wdqwk.dll in system32.

Run hijack this again and post a log. This is a nasty case. Look at this thread: http://www.able2know.com/forums/about30900.html

I'm not sure about ieoe.exe that's listed in the running processes.
Haven't found any info on that. I'll keep looking and in the meantime, we can try to fix the others.

August 25th, 2004, 11:15 pm

thanks... i knew you would be on the case jrzycrim... you are spywares worst enemy.

August 25th, 2004, 11:54 pm

Lol, I'm not really that great. Mostly google searching for this stuff. I do like to kill spyware.

Look at this hijack log: http://www.experts-exchange.com/Operati ... 74446.html

Scroll down past the adverts. That's the worst one I've ever seen.

Anyway, wish I new what ieoe.exe is. Seems suspicious to me as well as this no name bho: O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll

The only thing I found relating to mfcbw32.dll is near the end of this very long web page:
http://spywaredata.com/spyware/bho.php?limit=show_all

No description is given. Apparently the verdict is still out on this one as the status is listed as 'pending'. If we get rid of the other junk and problems still occur, I say kill it. Well, maybe not. Probably shouldn't get too carried away...

August 26th, 2004, 12:22 am

Thanks a ton il go over to her place in the morning and clean all that out and then post the log after its all done. Thanks a lot man.

August 26th, 2004, 12:40 am

Turn of system restore before fixing anything. In fact, let me just group all the things to fix in one nice and neat post:

Boot into safe mode.

Launch Task manager and end these processes if they are running:
atlbt32.exe* <-I'm not sure about this one. Better hold off...
ipqb.exe

Fix the following

Code: [ Download ] [ Select ]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R3 - Default URLSearchHook is missing 
O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKLM\..\RunOnce: [atlbt32.exe] C:\WINDOWS\system32\atlbt32.exe* <hold off on killing this...

1. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
2. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
3. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
4. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
5. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
6. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
7. R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
8. R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
9. R3 - Default URLSearchHook is missing 
10. O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
11. O4 - HKLM\..\RunOnce: [atlbt32.exe] C:\WINDOWS\system32\atlbt32.exe* <hold off on killing this...

Delete these files from system32:
atlbt32.exe* <Not sure, don't delete yet.
ipqb.exe
wdqwk.dll

I'd do a search to see if these exist anywhere else on the computer. Remove any instance of them.

You might find that the file wdqwk.dll has morphed into a different file, if that's the case, then fix all the items associated with res://C:\WINDOWS\system32\????.dll/sp.html#96676

Reboot, run hijack this again and post the log.

Off to bed. We'll see what's what later today.


* Still haven't figured out what atlbt32.exe is.

August 26th, 2004, 2:30 pm

All the spyware seems to have returned when i booted up after cleaning them out in safe mode.

Logfile of HijackThis v1.98.0
Scan saved at 2:28:34 PM, on 26/08/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\ieoe.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ipqb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\************\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdqwk.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EB850A67-681C-36D5-5229-28172E2E04B1} - C:\WINDOWS\system32\mfcbw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ipqb.exe] C:\WINDOWS\system32\ipqb.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

August 26th, 2004, 2:48 pm

I was afraid something like that might happen.

It could be relateded to this:

http://www.trendmicro.com/vinfo/virusen ... J_AGENT.AC

You might try doing a virus scan to see if a specific problem is identified.

Also, try the methods used in this thread at TomCoyote Forums:
http://forums.tomcoyote.org/index.php?showtopic=15162

About atlbt32.exe, open regedit, and navigate to this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Look for a value associated with atlbt32.exe and delete it. If not found there, look in this key:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


Sorry, I should have been clearer about atlbt32.exe. I wasn't sure what that was and said in my last post to hold off on deleting that for now. You probably missed that...

August 26th, 2004, 2:57 pm

i didnt delete it. i only took it out of system32. ok im scanning for viruses now using trend micro. Once im done what will i have to do to get rid of the spyware?

August 26th, 2004, 3:02 pm

Ah. That's good. Leave it out for now and see if you can find that registry value I mentioned.

I'll keep looking around for more info about the main problem;the sp.html related items in case the info on those other sites doesn't prove useful.

Well see what it identifies and go from there.

August 26th, 2004, 3:11 pm

i was not able to locate the files associated with atlbt32.exe. i did however see ipqb.exe in the first registry area you told me to look in. I left ipqb.exe alone though.

im goign to try the steps on that link you sent me now.

August 26th, 2004, 3:13 pm

Go ahead and delete the value for ipqb.exe. I thought hijack this would have removed that.

Did that virus scan turn up anything yet?

August 26th, 2004, 3:14 pm

nothing yet.... but im using an updated norton because trend micro will not work for so some reason. it wont let me install the Active X for it for some reason.

August 26th, 2004, 3:19 pm

Hmm, not sure about the active X problem. That might be disabled in internet properties.

Yeah, try out the procedure at TomCoyote Forums. The hijack this stuff will be slightly different but you know what the ones you have to fix are.

And download the latest version of Hijack This if you haven't already...
https://ssl.perfora.net/tools.radiospla ... ckThis.exe

August 26th, 2004, 3:27 pm

thanks, im just gunna finish up on the virus scan then reboot into safe mode and follow the instructions. Thanks man.

oh one other thing should i continue to leave atlbt32.exe alone?