Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > Computer loaded with spyware/adware

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Computer loaded with spyware/adware

Reply to Message Icon

Name: Jme
Date: January 6, 2004 at 09:06:16 Pacific
OS: 98se
CPU/Ram: Intel P III 352MB
Comment:

Got LOTS of crap on this computer.

Need help getting rid of it.

Ran SpyBot....AdAware....and CWShredder.

(Need some good advice on getting rid of GROKSTER and SearchAlot.)

Here is the resulting HT report.

Logfile of HijackThis v1.97.7
Scan saved at 10:41:51 AM, on 1/6/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\LEXBCES.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\LEXPPS.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\RUNDLL32.exe
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.exe
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.exe
C:\PROGRAMS DOWNLOADED BY JAYME\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.tconl.com"); (C:\Program Files\Netscape\Users\rschmidt\prefs.js)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\SYSTEM\EMESX.DLL
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINDOWS\SYSTEM\STLBUPDT.DLL
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\SYSTEM\cpr.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINDOWS\SYSTEM\STLBUPDT.DLL
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.exe" /autocheck
O4 - Startup: D-Link AirPlus Utility.lnk = C:\Program Files\D-Link AirPlus\AIRPLUS.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: Grokster Support - file://C:\Program Files\GroksterSupport\System\Temp\grokstershop_script0.htm
O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .aif: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37951.6103356481
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net




Sponsored Link
Ads by Google

Response Number 1
Name: haroonkhalid
Date: January 6, 2004 at 09:40:16 Pacific
Reply:

ok so why dont u tell spybot to remove it?

go here: http://www.pestpatrol.com/PestInfo/G/Grokster.asp

and
here is the removal tool http://www.searchalot.com/remove.exe


0

Response Number 2
Name: Jme
Date: January 6, 2004 at 11:53:44 Pacific
Reply:

I did tell SpyBot to FIX ALL SELECTED ITEMS.

But, these came right back on ReSTART.


0

Response Number 3
Name: haroonkhalid
Date: January 6, 2004 at 12:46:00 Pacific
Reply:

click immunize on spybot so they dont come back and patch and update your system


0

Response Number 4
Name: Abnormal
Date: January 6, 2004 at 12:47:35 Pacific
Reply:

Fix these and reboot.

R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\SYSTEM\EMESX.DLL
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINDOWS\SYSTEM\STLBUPDT.DLL
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\SYSTEM\cpr.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINDOWS\SYSTEM\STLBUPDT.DLL
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer
O8 - Extra context menu item: Grokster Support - file://C:\Program Files\GroksterSupport\System\Temp\grokstershop_script0.htm
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab

Good luck



abnormal



0

Response Number 5
Name: Jme
Date: January 6, 2004 at 20:04:11 Pacific
Reply:

Thanks Abnormal...

That's what I was looking for.

I was already prepared to check all of the boxes that you mentioned...with the exception of two. Just wanted to make sure I was doing the right thing, and that I didn't miss any.

BTW....what is wrong with THESE two items?:

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer


0

Related Posts

See More



Response Number 6
Name: Abnormal
Date: January 6, 2004 at 20:41:20 Pacific
Reply:

Jme, it's browser-aid;
http://www.doxdesk.com/parasite/BrowserAid.html



0

Response Number 7
Name: Jme
Date: January 7, 2004 at 06:57:37 Pacific
Reply:

Thanks, again....Abnormal.

The information on that link was VERY interesting. I am still confused when I see rundll.32 commands in my HT reports. Don't know how to tell if I NEED them...or not.

I THOUGHT that the lines looked odd.

I would also be interested in knowing how to identify the OWNER of the CLASS ID numbers that we see in the HT reports all of the time.


0

Response Number 8
Name: Abnormal
Date: January 7, 2004 at 11:28:05 Pacific
Reply:

Here you go;
http://www.sysinfo.org/



0

Sponsored Link
Ads by Google
Reply to Message Icon



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: Computer loaded with spyware/adware
Spyware Adware problem www.computing.net/answers/security/spyware-adware-problem/15732.html

Loads of spyware www.computing.net/answers/security/loads-of-spyware/16524.html

Spyware/adware remover Help! www.computing.net/answers/security/spywareadware-remover-help/11899.html