HijackFix Log

Question

My girlfriend somehow installed this dropspam program that i can't get rid of (probably among other programs).  I ran spysweeper and ad-aware before hijackthis.  here is my log.    Logfile of HijackThis v1.99.1 Scan saved at 4:11:32 AM, on 9/6/2006 Platform: Windows XP  (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\wuauclt.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\System32\devldr32.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\DIGStream\digstream.exe C:\Program Files\dslifestyle\dslifestyle.exe C:\Program Files\Common Files\AOL\1150593271\ee\AOLSoftware.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\PROGRA~1\WINZIP\winzip32.exe C:\Documents and Settings\301\Desktop\qoofix\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1	ools\iesdsg.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1	ools\iesdpb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [nmnqz] C:\WINDOWS
mnqz.exe O4 - HKLM\..\Run: [ofnqulcaap] C:\WINDOWS\System32\bdfufz.exe O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe'  -osboot O4 - HKLM\..\Run: [DropSpam Lifestyle] 'C:\Program Files\dslifestyle\dslifestyle.exe' O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150593271\ee\AOLSoftware.exe O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /background O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [SpySweeper] 'C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe' /0 O4 - HKCU\..\Run: [Google Desktop Search] 'C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe' /startup O4 - HKCU\..\Run: [Spyware Doctor] 'C:\Program Files\Spyware Doctor\swdoctor.exe' /Q O4 - HKCU\..\Run: [googletalk] 'C:\Program Files\Google\Google Talk\googletalk.exe' /autostart O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1	ools\iesdpb.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v49/bjattack/bjattack.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe' 'WUSB54GC.exe (file missing)

bamajim · Answer

bbower215

Welcome to DCF

Before we begin removing the infection; you are running an unpatched and unprotected version of Windows

First we need to temporarily disable a program so it does not interfere with our fix

To disable SpySweeper:

Open it click >Options over to the left then >program options >Uncheck " load at windows startup".
Over to the left click " shields" and uncheck all there.
Uncheck " home page shield".
Uncheck ' automaticly restore default without notifiction".

Next Go Here and download and install SP1 (Service pack 1)

Note: Do Not install SP2 until instructed to do so

Reboot your PC ->> Re run Hijackthis and post a fresh Hijackthjis log

thanks bamajim Graduate of Malware Removal University

bbower215 · Answer

spysweeper was a old program i had that does not work anymore so I uninstalled it.  When I run the service pack 1 install it tells me that 'the file c:\windows\system32\drivers\atapi.sys is open or being used by another application.  Close all other applications and click Reply'... i closed everything I could but it still wont let me continue the install.... Any Ideas?

bamajim · Answer

bblower215 How big is your Hardrive? bamajim  Graduate of Malware Removal University

bbower215 · Answer

30 gigs... i know its old but thats what im workin with

bamajim · Answer

bbower215

Normally when you get that error, it's related to Hardrives of over 100gig.

Since you have 30 gig How much space is left on you Hardrive?

To Check go Start->> Rt click MyComputer->>Explore->>Rt click C:\ ->>Properties. we need at least 15% room left.

The only other reason for that error would be a corrupt Windows file. Which would explain why you have been unable to update.

To check that you will need your OS (Operating System Disk) that came with your PC. Do you have it?

thanks bamajim Graduate of Malware Removal University

bbower215 · Answer

i dont have the disk anymore

bamajim · Answer

bblower215 I will help you clean out what I can of the infection. But please understand that your risk of reinfection is great unless you are unable to update. So lets continue with the cleaning First Rerun Hijackthis (scan only) and place checks beside the following entries R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htmR3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)O4 - HKLM\..\Run: [nmnqz] C:\WINDOWS
mnqz.exeO4 - HKLM\..\Run: [ofnqulcaap] C:\WINDOWS\System32\bdfufz.exeO4 - HKLM\..\Run: [DropSpam Lifestyle] 'C:\Program Files\dslifestyle\dslifestyle.exe'O4 - HKCU\..\Run: [SpySweeper] 'C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe' /O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exeO9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exeO9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exeO9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe Close all other open windows except Hijackthis and Select ' Fix checked' If prompted to reboot Select No and close Hijackthis Next using Windows Explorer (Rt click Start->> Explore, and using the tree of folders on the left) Locate and delete the following folders C:\Program Files\dslifestyleC:\Program Files\WebrootC:\Program Files\LimeWireC:\Program Files\PartyPokerC:\Program Files\Bodog Poker Locate and delete the following files C:\WINDOWS\about.htmC:\WINDOWS
mnqz.exeC:\WINDOWS\System32\bdfufz.exe Close Windows Explorer Reboot Your Pc Next Go Here and do a Ewido online scan On the left side of the site window Click 'Scan Now' And post the results of the scan in your reply Finally Rerun Hijackthis and post a fresh Hijackthis log Your reply should include the Ewido online scan results a fresh Hijackthis log thanks bamajim       Graduate of Malware Removal University

Virus & Spyware

Was this post helpful?