Page 1 of 2
Results 1 to 10 of 17

Thread: Need some assistance fixing spyware

#1 Skiz (Join Date: May 2003, Location: CO, Age: 46, Posts: 22,943)
    I'm generally a pretty resourceful guy and don't need help with this type of thing, but this one has me stumped. It all started when I went to a crack site yesterday and downloaded a patch that evidently contained a virus and a bunch of spyware. When I downloaded the file from the site, NAV informed me that it was infected and contained. I stopped what I was doing and did a full system scan with NAV which turned up the virus and deleted it. Here are the problems I'm having since then:

    1. I restarted my pc and the last thing to load was a Windows box that was asking me to either 'run', 'open', or 'cancel' an application called 'M-Soft Office.hta' (nothing to do with Microsoft Office btw).

    2. Zone Alarm Pro continues to ask me if want to grant 'ViewMgr.exe' internet access. (I've never downloaded or used this program. I assume it came with the rest of the spyware.)

    3. IE opens to this (http://bestfind4u.com/index.htm) instead of my preferred homepage.

    4. When I shut down my pc, a program called 'Win-Min' shows as not responding.

    I've run Ad-Aware SE and I ran HiJackThis after reading this post by a guy with the same problem and tried everything contained in it, but I'm still having the above problems. I will post my up-to-date HiJackThis log below.

    ANY HELP IS MUCH APPRECIATED.
    -------------------------------------------------------------------------

    Logfile of HijackThis v1.99.0
    Scan saved at 3:06 PM, on 1/3/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\DVD Decrypter\DVDDecrypter.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Useful Programs\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [iptjfpm] c:\windows\yqyyfkm.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    Last edited by Skizo; 01-03-2005 at 09:13 PM.


    yo

#2 tesco (Join Date: Aug 2003, Location: Canadia, Posts: 21,669)
    I don't see anything wrong in the hijackthis! log.
    Just remove any strange entries that may be in msconfig.

    Then run an antispyware scanner like spysweeper or something.


    viewmgr.exe is part of Viewpoint Media Player. It keeps it up to date with the latest version. You can disable that in msconfig as well.

#3 Joakim Agren (Join Date: Oct 2003, Location: Sweden, Age: 44, Posts: 396)

    Hello!

    First of all, a scan with only Ad-Aware and your antivirus program is not enough. You need three programs to find and delete almost all spyware. Ad-Aware should be your first scan; delete anything it finds, and of course you should be using its latest definitions. Then you should use SpyBot Search & Destroy with the latest definitions and delete anything it finds. Then you need SpySweeper (not free, but of course you can get it + serial on, for instance, ED2K; maybe there is even a verified one at this forum). Scan with it using the latest definitions and delete anything it finds. Then run HJT again and if you find the following entries delete them:

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    They are nasty. The following is probably nasty and I would delete them too:

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    Do you recognize that proxy? If not, delete it!!

    This one I don't recognize and can't find any info on either, so if you don't know what it is either, you should delete it:

    O4 - HKCU\..\Run: [iptjfpm] c:\windows\yqyyfkm.exe


    Sincerely Joakim Agren!

#4 orcutt989 (Join Date: Dec 2003, Location: States, Posts: 2,186)
    ViewMGR.exe is not spyware. It is just a program that comes with Windows or something like that. Not malicious. Do what all of these people have told you to do with the registry, and when you are done with that:


    1. Boot into safe mode.

    2. Run every anti-spyware/anti-adware program you've got (preferably 2-4), and run antivirus. Delete whatever it tells you to delete, and restart normally.

#5 Chewie (Join Date: Feb 2004, Posts: 4,008)
    Select these and hit the Fix Checked button...
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O4 - HKCU\..\Run: [iptjfpm] c:\windows\yqyyfkm.exe
    all the O16 entries (if you need them you can re-download them)

    Joakim
    There is no need to remove MS Office's "Research" toolbar button since it is harmless and can be removed quite easily by customising IE's toolbar. It's not going to have any detrimental effect and consumes less resources than the installed Google bar.
    Also, I recognise the proxy... it's the IP address of localhost.
    There isn't a bargepole long enough for me to work on [a Sony Viao] - clocker 2008

#6 Skiz (Join Date: May 2003, Location: CO, Age: 46, Posts: 22,943)
    @ROSSCO - Yeah, the hijackthis log I posted was an up-to-date one. I had already "fixed" the things I knew didn't belong.

    @Joakim - I removed all the items that you listed and rebooted; all seems well.

    @orcutt989 and Chewie UK - Thanks also!

    It seems that everything is working smooth and is back to normal. I have noticed however that 'yqyyfkm.exe' is still listed among the programs in msconfig. How can I get rid of that? It's no longer listed under C:\Windows\yqyyfkm.exe.


    yo

#7
    Just delete that file C:\Windows\yqyyfkm.exe and then run msconfig and click the cleanup button.

    Regards

    Digby

#8 orcutt989 (Join Date: Dec 2003, Location: States, Posts: 2,186)
    Quote Originally Posted by Skizo
    @ROSSCO - Yeah, the hijackthis log I posted was an up-to-date one. I had already "fixed" the things I knew didn't belong.

    @Joakim - I removed all the items that you listed and rebooted; all seems well.

    @orcutt989 and Chewie UK - Thanks also!

    It seems that everything is working smooth and is back to normal. I have noticed however that 'yqyyfkm.exe' is still listed among the programs in msconfig. How can I get rid of that? It's no longer listed under C:\Windows\yqyyfkm.exe.
    You can do what Digmen1 said, and then get a program that allows you to delete MSCONFIG entries, delete that weird file from the startup tab, restart, and everything should be alright.

#9 Skiz (Join Date: May 2003, Location: CO, Age: 46, Posts: 22,943)
    I deleted the file yesterday.

    I don't see a 'cleanup' button in msconfig.


    yo

#10 Chewie (Join Date: Feb 2004, Posts: 4,008)
    Quote Originally Posted by Skizo
    I deleted the file yesterday.

    I don't a 'cleanup' button in msconfig.
    Run regedit.exe and delete the entry from:
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

    EDIT: that should say CurrentVersion but for some reason the board is adding a space in there.
    Last edited by Chewie; 01-04-2005 at 09:25 PM.
    There isn't a bargepole long enough for me to work on [a Sony Viao] - clocker 2008
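Added example (written for this page, not code from the thread or from HijackThis, Ad-Aware or any other tool named in it): a small Python script that does by hand what the replies above do by eye. triage() walks a HijackThis-style log and flags the lines the thread argued over: O4 Run values with random-looking names such as [iptjfpm] -> c:\windows\yqyyfkm.exe (rated high when the file sits directly in the Windows directory), O16 ActiveX downloads with no registered name, and R0/R1 Internet Settings. Note that ProxyOverride is the proxy bypass list rather than a proxy server, so 127.0.0.1;<local> is the benign value Chewie recognised. orphaned_run_values() covers posts #6 to #10: once the executable has been deleted, it lists the Run values whose target no longer exists on disk, which is exactly the [iptjfpm] entry still showing in msconfig. The sample log lines and the "files present on disk" set are constructed for the example, the Windows directory paths assume a default C: install, and the random-name test is a crude heuristic, not a verdict; confirm any hit before deleting it. One practitioner caveat on post #10: the value in the log is under HKCU\..\Run, i.e. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for the logged-in user; HKEY_USERS\.DEFAULT is the profile used before anyone logs on, so look in HKCU first.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample in the shape of the HijackThis v1.99 log posted above (a subset, not the full log).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\\..\\Run: [STYLEXP] C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide
O4 - HKCU\\..\\Run: [iptjfpm] c:\\windows\\yqyyfkm.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
"""
# Constructed disk state after the user deleted yqyyfkm.exe by hand (lower-cased full paths).
PRESENT_FILES = {
    "c:\\program files\\common files\\symantec shared\\ccapp.exe",
    "c:\\program files\\tgtsoft\\stylexp\\stylexp.exe",
}
WINDOWS_ROOTS = {"c:\\windows", "c:\\windows\\system32"}  # assumption: default C: install
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_DPF = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<friendly>[^)]*)\))? - (?P<url>\S+)$")
R_LINE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>\w+) = (?P<data>.*)$")
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str
    severity: str  # "high" | "review" | "info"
    reason: str
    line: str


def command_target(cmd: str) -> str:
    """Executable path from a Run value: the quoted part if quoted, otherwise
    everything up to the first '.exe' (so unquoted paths with spaces survive)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(name: str) -> bool:
    """Crude pronounceability test for names like 'iptjfpm' or 'yqyyfkm': five or
    more letters with no vowel at all, or a run of five or more consonants."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 5:
        return False
    if not any(c in VOWELS for c in letters):
        return True
    return max(len(run) for run in re.split(r"[aeiou]+", letters)) >= 5


def triage(log_text: str) -> List[Finding]:
    """Rate the sections the thread argues over: O4 Run values, O16 ActiveX downloads, R0/R1 Internet Settings."""
    out: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O4_RUN.match(line):
            target = command_target(m["cmd"])
            stem = ntpath.splitext(ntpath.basename(target))[0]
            if looks_random(m["name"]) or looks_random(stem):
                # A random name dropped straight into the Windows directory is the classic dropper pattern.
                sev = "high" if ntpath.dirname(target).lower() in WINDOWS_ROOTS else "review"
                out.append(Finding("O4", sev, f"random-looking autorun [{m['name']}] -> {target}", line))
        elif m := O16_DPF.match(line):
            if m["friendly"] is None:
                out.append(Finding("O16", "review", "ActiveX control with no registered name; removing it only costs a re-download", line))
            else:
                out.append(Finding("O16", "info", f"ActiveX control '{m['friendly']}'", line))
        elif m := R_LINE.match(line):
            if m["value"] == "ProxyOverride":
                # ProxyOverride is the proxy *bypass* list, not a proxy server: "127.0.0.1;<local>"
                # only says "do not proxy loopback or intranet names" and is benign on its own.
                benign = set(m["data"].split(";")) <= {"127.0.0.1", "localhost", "<local>"}
                out.append(Finding(line[:2], "info" if benign else "review", "proxy bypass list", line))
            elif m["value"] == "ProxyServer":
                out.append(Finding(line[:2], "review", f"unexpected proxy {m['data']} sees all browser traffic", line))
            else:
                out.append(Finding(line[:2], "review", f"{m['value']} = {m['data']}", line))
    return out


def orphaned_run_values(log_text: str, exists: Callable[[str], bool]) -> List[str]:
    """Run values whose target is gone from disk (the state the thread ends in: yqyyfkm.exe deleted,
    [iptjfpm] still listed in msconfig). Bare names resolved via PATH, like Logi_MwX.Exe, are skipped."""
    stale = []
    for raw in log_text.splitlines():
        m = O4_RUN.match(raw.strip())
        if not m:
            continue
        target = command_target(m["cmd"])
        if ntpath.dirname(target) and not exists(target.lower()):
            stale.append(f"{m['hive']}\\...\\Run\\{m['name']}")
    return stale


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:<6} {f.section:<3} {f.reason}")
    print("stale Run values:", orphaned_run_values(SAMPLE_LOG, PRESENT_FILES.__contains__))
```

Run it with python3 and it prints the rated findings followed by the one stale Run value. On the affected machine itself you would pass os.path.exists instead of PRESENT_FILES.__contains__ and feed it the real log; the injected exists() is only there so the example runs anywhere.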
