Member Avatar for Mishoboy

Let me cut to the chase. I have a friend who recently got infected with spyware. Usually I am pretty good at fixing such problems but this was challenging. I ran all the Spyware Removal Programs such as Ad-Aware, PestPatrol, TrendMicro Beta etc, but nothing seems to help. I got rid of lots spyware but one thing resisted me. It's a red circular icon with white X in the system tray by the clock. I can't right or left click on it, it doesn't tell me what it is so I don't know how to remove it. Every time you point or click at it, it blows the nastiest porn pop ups and some NEWGENLOOK site. Then after the pop-ups a Error Message #317 comes up asking me to download some antispyware. Can you please help me fix the problem. Thank You In Advance for all your help and time. Here's the HJT Log file.

Logfile of HijackThis v1.99.1
Scan saved at 10:45:00 AM, on 4/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION
UTILITY\WLANMONITOR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {E99150C1-F93F-461F-9BA1-E455842AB7A8} - blank
(file
missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
-
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PestPatrol Control Center]
C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program
Files\Adaptec\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft
Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: MA101 Configuration Utility .lnk = C:\Program
Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common
Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program
Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service -
{FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia -
{2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common
Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia -
{2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common
Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} -
C:\Program Files\Common Files\Microsoft Shared\Reference
2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define -
{5DA9DE80-097A-11D4-A92E-006097DBED37}
- C:\Program Files\Common Files\Microsoft Shared\Reference
2001\A\ERS_DEF.HTM
O9 - Extra button: PartyPoker.com -
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -
C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com -
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)
-
https://premconf.webex.com/client/v_premconf/webex/ieatgpc.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

  • 4 Contributors
  • 10 Replies
  • 434 Views
  • 4 Years Discussion Span
  • Latest Post Latest Post by crunchie
Member Avatar for dlh6213

Turn off System Restore.

Scan with HJT and have it fix the following entries:

O2 - BHO: (no name) - {E99150C1-F93F-461F-9BA1-E455842AB7A8} - blank (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Be sure all windows, other then HijackThis, are closed before hitting 'Fix checked.'

Go to the following locations and delete the highlighted file or folder (be sure your system is set to show 'Hidden files and folders'):

C:\WINDOWS\SYSTEM\SHDOCVW.DLL
C:\WINDOWS\web\related.htm

Do a serach for on your system for the following files and delete them (you may need to boot into Safe Mode to do so):

param32.dll
guninst.exe
popup_bl.dll

Empty your Recycle Bin.

If you still have the problem, get SilentRunners from here:
http://www.silentrunners.org/

Run it, and post the log that it generates.

If the problem is resolved, you can reenable System Restore.

Reboot normally, close any open browser windows, scan with HJT, and post a new log please.

Member Avatar for Mishoboy

I'll be out of town for the next 2 days. I will try your suggestion most likely on Sunday and will post the new HJT log. I just wanted to thank you for the fast reply and suggestion! THANK YOU!

Member Avatar for Mishoboy

Did exactly what you suggested. Couldn't delete:

param32.dll ---->Used By system
C:\WINDOWS\SYSTEM\SHDOCVW.DLL --->Used by System

I need further assistance. I do NOT know how to delete these files when used by Windows, therefore the problem is still present. The red icon with the white X is still in his tray and blowing pop ups.

Here's a Silent Runners Log:
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows Millennium
Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:
---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0" ["Webroot Software, Inc."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"eTrust PestPatrol Active Protection" = ""C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"" ["Computer Associates"]
"devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"GoBack Polling Service" = "C:\Program Files\Adaptec\GoBack\GBPoll.exe" ["Adaptec, Inc."]


HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath   = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Dial-Up Networking"
-> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}" = "GDI+ file thumbnail extractor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\THUMBVW.DLL" [MS]
"{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\SHELL32.DLL" [MS]
"{53C74826-AB99-4d33-ACA4-3117F51D3788}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\SHELL32.DLL" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\GoBack\ShellExt.dll" ["Adaptec, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ROXIO\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPPLUGINS\IERPPLUG.DLL" ["RealNetworks"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\GoBack\ShellExt.dll" ["Adaptec, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\AUHOOK.DLL" [MS]



Enabled Wallpaper and Active Desktop:
-------------------------------------


Active Desktop is enabled.


HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"



WIN.INI & SYSTEM.INI launch points:
-----------------------------------


SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\DAYDAT~1.SCR" [file not found]



WINSTART.BAT contents:
----------------------


@C:\WINDOWS\tmpcpyis.bat [file not found]



Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------


C:\WINDOWS\Start Menu\Programs\StartUp
"MA101 Configuration Utility " -> shortcut to: "C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe" ["ATMEL"]



Enabled Scheduled Tasks:
------------------------


"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE  -c" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]



Winsock2 Service Provider DLLs:
-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6



Toolbars, Explorer Bars, Extensions:
------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]


{2FDEF853-0759-11D4-A92E-006097DBED37}\
"ButtonText" = "Encarta Encyclopedia"
"MenuText" = "Encarta Encyclopedia"
"Script" = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM" [null data]


{5DA9DE80-097A-11D4-A92E-006097DBED37}\
"ButtonText" = "Define"
"MenuText" = "Define"
"Script" = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM" [null data]



----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------



HERE IS THE HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 6:24:10 PM, on 4/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://premconf.webex.com/client/v_premconf/webex/ieatgpc.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

Thank you in advance for all your help.

Edited by Nick Evan because: Fixed formatting
Member Avatar for dlh6213

Turn off System Restore

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed.

Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter the file path.

C:\WINDOWS\System32\param32.dll

Reboot afterwards if the file was successfully deleted.

If the file was not deleted, do not reboot yet. Run Pocket Killbox again, and again paste the full file path in the box, but this time click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot.

Member Avatar for Mishoboy

Killbox worked great. I delted both files with it:
shdocvw.dll and param32.dll
It seems that the problem was param32.dll. Once it got deleted everything woreked fine. I wonder why no spyware program detects that nasty trojan? Anyway.
Your help is greatly appreciated. You saved me from formating my friends HD. If i can ever repay you the favor just let me know. Again, THANK YOU SO VERY MUCH!
Will post new HJT file later today or tomorrow.

Member Avatar for dlh6213

Glad I could help, but the ones who really deserve thanking are the creators of programs such as HijackThis, SilentRunners, and Pocket KillBox; they did all the real work :)

As for why nothing finds this problem yet, it's a fairly new trojan (3-05?); it is known as Trojan.Desktophijack or Joke.Smitfraudoid and is related to HotOffers as well as NEWGENLOOK and Error Message 317. There have been a lot of requests here for help with HotOffers recently. I believe most anti-virus programs will detect it now it -- if they have the latest updates!

Don't forget to turn System Restore back on :)

Member Avatar for Mishoboy

Thank You Thank You Thank YOu!
Here's the New HJT Log File. Everythink works swell now.

Logfile of HijackThis v1.99.1
Scan saved at 9:01:23 PM, on 4/30/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION
UTILITY\WLANMONITOR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
-
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM
FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program
Files\Adaptec\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [KB891711]
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft
Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: MA101 Configuration Utility .lnk = C:\Program
Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common
Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program
Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service -
{FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia -
{2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common
Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia -
{2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common
Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} -
C:\Program Files\Common Files\Microsoft Shared\Reference
2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define -
{5DA9DE80-097A-11D4-A92E-006097DBED37}
- C:\Program Files\Common Files\Microsoft Shared\Reference
2001\A\ERS_DEF.HTM
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)
-
https://premconf.webex.com/client/v_premconf/webex/ieatgpc.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop

Member Avatar for dlh6213

You're welcome :)

The log looks clean to me now; I'm marking this thread as solved.

Member Avatar for tttim

Looking for an update to the above problem. I too have inadvertently been infected by the White X in the Red Circle, in the system tray adjacent to the clock.

Upon seeing the pop-up problem start, I forced shutdown with power button. And upon reboot Windows boots, but evidently Explorer is messed up in that I do see wallpaper but nothing else, mouse functions but is ignored, keyboard functions but is ignored. Through repeated attempts I'm only able to boot in safe mode to C: prompt. Booting w/networking, or last working config doesn't work. I know the X was there and some new anti-virus program shortcut populated desktop but can't get back to the desktop to run the previous steps to remove, nor can I d/l on that pc to remove anything etc.

Suggestions most appreciated. Or, is it now a lost cause and time to re-format ?

Member Avatar for crunchie

Hi and welcome to the Daniweb forums :).

==========

The update is......................this thread was solved over 4 years ago.
If you are having problems, please start your own thread :).

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.