May 8th, 2006 04:00

Help, Help,,, I can't study for my finals :(

Hello,
I am having huge problems with adware and spyware that neither Norton Internet Security nor Spybot has been able to come close to fixing. The adware and spyware include IPPlugin, SurfSideKick, ISearch, and Adlogix. Ads are invading my PC 40 at a time, making studying or anything else impossible.
There are several processes that are the cause of this, or at least it seems that way. Most notably they are ywvgxy.exe, htiteab.exe, pgmkx.exe, and reihe.exe. I try to disable ywvgxy.exe in the task manager, but it reappears two seconds later. The others will not let themselves be cancelled.
It says that they are located in the system32 folder and in the registry, but it can't be deleted from the folder and it reappears even after I've cleaned the registry of it. In safe mode it is not active, but it is not located in the system32 folder either, as it is in normal start-up, so it can't be detected or deleted then. When in normal startup, after I have disabled them in msconfig, they re-enable themselves. Obviously something that is disabled while in safe mode is triggering their creation while in normal startup. Here is the normal startup HijackThis log. Any help would be saving my life.
***********************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:01:12 PM, on 5/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pgmkx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bctniem.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.thearbiter.net
O15 - Trusted Zone: http://www.wellsfargo.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\f80o0id3e80.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: htiteab - Unknown owner - C:\WINDOWS\system32\htiteab.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 

Message Edited by BigBlue77 on 05-08-2006 05:29 AM
May 8th, 2006 22:00

Also download and run blacklight
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
 
Click > Scan, then > Next.
If any items show in BlackLight, rename them, except for wbemtest.exe.
Do not rename "wbemtest.exe"; it's a Windows file.
The tool will ask if you want to reboot (restart); choose Yes.
Check the Event Viewer to see if there are some services timing out.
 
Shut down and restart, and boot into Safe Mode by tapping the F8 key when you see
the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option. Log in as your usual login or you won't find
the programs you put on the desktop
and some of the entries we want to remove will not appear in HijackThis.
 
Run HijackThis and just do a Scan only. Check any of the following that remain then Fix Checked
 
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pgmkx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bctniem.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\f80o0id3e80.dll

O23 - Service: htiteab - Unknown owner - C:\WINDOWS\system32\htiteab.exe
 
Reboot and run a new HJT scan.  If any of the files come back then:
 
Download and install unlocker.
 
 
Right-click on Start and choose Explore.
On the Tools menu, click Folder Options.
On the View tab, uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.
Now look for the Windows folder in the left pane. Click on the + sign in front of it to open the subfolders. In the subfolders find System32 and click on it. Windows will tell you there is nothing you need to see here (sort of like in the Wizard of Oz where the wizard says don't look behind the green curtain), but if you must, click on the link, and then look for the file
 
f80o0id3e80.dll
 
(Hint: to make it easier, go up to the toolbar at the top; on the second row on the right is an icon that looks like a small window with a blue bar and an arrow on the right. When you pass over it, it will say Views. Open it by clicking on its arrow and then choose Details. Now things are sorted in alphabetical order in a nice, easy-to-read list.)
 
Right-click on f80o0id3e80.dll and select Unlocker, and let it unlock and delete the file for you.
 
 
Repeat for any of these that show up in the scan:
pgmkx.exe
bctniem.exe
htiteab.exe
 
Reboot and make a new HJT log and post it as a reply.
 
Ron
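As an added, defender-side illustration (not part of this thread, and not code from HijackThis or its author): a small Python triage that reads HijackThis-format lines and flags the same persistence points Ron singles out above, namely extra executables in the Winlogon Shell and UserInit values (the F2 entries), orphaned toolbar CLSIDs (O3 with "(no file)"), Winlogon Notify DLLs in system32 that are not stock Windows files (O20), and services with an unknown owner running from system32 (O23). The sample log is a constructed excerpt modelled on the entries quoted in the thread, and the stock Notify DLL allowlist is an illustrative, incomplete assumption.

```python
import ntpath

# Constructed excerpt in HijackThis format, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pgmkx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bctniem.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\f80o0id3e80.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: htiteab - Unknown owner - C:\WINDOWS\system32\htiteab.exe
"""

# Assumption: an illustrative, incomplete allowlist of stock Windows XP Winlogon Notify DLLs.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll"}

def _in_system32(path):
    return "\\system32\\" in path.lower()

def triage(log_text):
    """Return (reason, entry) pairs for HJT lines matching the persistence points in the thread."""
    hits = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        kind = line.split(" - ", 1)[0]
        if kind == "F2":  # Winlogon Shell / UserInit values, shown under their legacy system.ini names
            key, _, value = line.partition(": ")[2].partition("=")
            tokens = [t.strip() for t in value.split(",") if t.strip()]
            if key == "Shell" and any(t.lower() != "explorer.exe" for t in tokens):
                hits.append(("extra Shell executable", line))
            elif key == "UserInit" and any(not t.lower().endswith("userinit.exe") for t in tokens):
                hits.append(("extra UserInit executable", line))
        elif kind == "O3" and line.endswith("(no file)"):  # orphaned toolbar CLSID
            hits.append(("toolbar CLSID without a file", line))
        elif kind == "O20":  # Winlogon Notify DLLs load into winlogon.exe at every logon
            path = line.rsplit(" - ", 1)[1]
            if _in_system32(path) and ntpath.basename(path).lower() not in STOCK_NOTIFY_DLLS:
                hits.append(("non-stock Winlogon Notify DLL in system32", line))
        elif kind == "O23":  # services: "O23 - Service: name - owner - path"
            parts = line.split(" - ")
            if len(parts) >= 4 and parts[2] == "Unknown owner" and _in_system32(parts[3]):
                hits.append(("unknown-owner service running from system32", line))
    return hits

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Run against a full log, the hits are the entries to review first; vendor-owned entries such as the Intel ones above are deliberately left alone.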

May 9th, 2006 06:00

Thanks for the help. Unfortunately both of the programs you suggested say that debugging privileges are not set to allow them to work (or because of a malicious program). Either way, they are not running. I tried using the resource tools install, as the website said, and allowed the privilege (SeDebugPrivilege), and it said it was successful, but the programs will still not run. If it is the settings, how would I set them to allow the programs to run?
 
BTW, I did a manual single-file scan (Norton) of those suspicious files and they were detected as SpyWare.Look2me, adware.qoolaid, and adware.adlogix. But here's the problem: none of the files or registry entries listed in the removal instructions are located on my computer. Any thoughts on that?

Message Edited by BigBlue77 on 05-09-2006 05:16 AM
May 9th, 2006 13:00

Try Look2Me-Destroyer from:
http://www.atribune.org/content/view/28/
Follow the instructions on the above page.
If look2me-destroyer won't work then try l2mfix as explained here:
 
"First we need to make sure that a Windows system Service is configured properly because if it is not, the below fix will not work.
Click on Start, then Run... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Secondary Logon.
Look where it says Startup type: and make sure that it indicates it is set to Automatic. If not, choose Automatic in the pull-down box.
Look where it says Service Status: To the right of this it must say Started. If it does not say Started, click the Start button. Make sure it changes to Started.
Then click Apply, OK, and then close the Services window.
Download L2MeFix Tool http://www.atribune.org/downloads/l2mfix.exe and save it where you will be able to find it.
Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.
Exit Browsers now before continuing
Please move the L2MeFix Tool to your Desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your Desktop. Double-click l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until Notepad opens with a log. Save this log. You will need to post this log back here later when you come back.
Quote:
NOTE: While running option #1, if you receive an error mentioning either of the below:
- C:\windows\system32\cmd.exe
- or C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and Microsoft windows applications.
Then choose close to terminate the application. Then run l2mfix.bat again and this time select option 5 or see the fixautont.html link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
Next DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message."
 
I think that should fix the debug priv. and also remove the O20 entry.
 
Ron