Friends,

I have read the FAQ and etiquette documents for this forum and believe that I have done almost everything correctly (see below). Before going further, I want to sincerely thank all of you who volunteer in this forum. I volunteer for a number of historical and genealogical research lists and forums and I know and appreciate the amount of time and energy it takes to help users with problems. Thank you very much for your time, energy and generosity. It is much appreciated! :thumbsup:

A friend, who works in a town about 30 miles from here asked me to check out her office machine, which was having major problems. She had been lettting her kids 'play' on the internet with it. I found it to be riddled with spyware and adware objects. I used Ad Aware 6.1.8 (latest reflist - 7/28) to unearth 264 objects and eliminated all of them but Alexa (which I ignore-listed). I then ran SpyBot SD (updated as of 7/29) and found 18 adware/spyware programs, as well as several other suspicious objects, and was able to remove them.

When I cleaned up this mess, I found that she has a hijacker, as well. Searching the web, I found HijackThis, downloaded and ran it. Since I hadn't been to this forum (not having run into this problem before) I didn't write down the URL that keeps appearing, but I think it's 'adware1.com' or something of the sort. She's gone, for a few days, and the only way I can get the URL would be to make a 60-mile round trip to look at her system. Please let me know if this is necessary and I'll do it if need be.

Below is a copy of the HijackThis log file for her system:

---------- Beginning of HijackThis log ----------

Logfile of HijackThis v1.97.7
Scan saved at 7:40:24 PM, on 8/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\WSCRIPT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\AJMYXYL.EXE
C:\WINDOWS\YUGBUOF..EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\LANPROXY.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\LFT7RES.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\TPOFFICE\TOPPRO\TPNETSRV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\MY DOCUMENTS\DOWNLOADED FILES & INSTALLERS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.applegatefellowship.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\ajmyxyl.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\yugbuof..exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [pF9U36S] LANPROXY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRAM FILES\SPYWAREKILLA\SPYWAREKILLA.EXE" /s
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37967.69125
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://wvmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab


---------- End of HijackThis log ----------


I noted several items that look suspicious enough:
C:\WINDOWS\AJMYXYL.EXE
C:\WINDOWS\YUGBUOF..EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\LFT7RES.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\ajmyxyl.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\yugbuof..exe
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab

But I don't have enough experience in this area (yet) and didn't want to remove such items as these without the advice of those who do have experience. I don't mean to be presumptuous in listing these items; I'm just trying to be observant and to learn.

Any help I can get would be gratefully appreciated, both by myself and my friend.

Thanks again,

Silmaril

Welcome To Short-Media :)

You have indeed identified some, but not all, of the culprits here. First though, please click the link in my sig to go to our Security Downloads Page, and grab the file LSP-Fix. Put that in the same folder you have HJT in.

Next, reboot in SAFE MODE. Run HJT. FIX:


O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)


O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\ajmyxyl.exe

O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\yugbuof..exe

O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [pF9U36S] LANPROXY.EXE

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRAM FILES\SPYWAREKILLA\SPYWAREKILLA.EXE" /s

(Note: this app is not a highly recommended anti-spyware tool, and may in fact be spyware itself.)

O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll


O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab

O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab

Next, run LSP Fix and fix any instances of the lspak.dll problem listed.

Stay in SAFE MODE, and manually locate
every single one of those .exe files and .dll files.

Move these to a new folder called :C:\Quarantine. Rename the .dll's to .ddd, and the .exe's to .xxx. That way you can always replace them if it somehow turns out that one or more of these are necessary files....which is not likely, but quarantining is safer than deleting them.

Reboot normally, check things out, and let us know. Post a fresh log for further review.


Dexter...

Dexter,

Thanks for your diagnosis. As it happens, I pulled a prize boner and am now in worse trouble than I was before. My friend (and hey; I mean a friend; it's not just me like you see in all those 'Hey, Doc, I have this friend' movie plots) had told me she would be out all week. I had run Ad Aware, SpyBot SD and HiJackThis (in that order) before submitting the log to the list in my original plea for assistance. It was Wednesday before I could get over there to apply your solutions.

When I got there, I sat down, ran HijackThis. I went ahead and fixed the entries you mentioned, then ran the lsp fix tool. Then I restarted. After awhile, I started getting pop-ups again. I re-ran Ad Aware SE and found objects from eZula, Doubleclick and eAccelerate. She (or someone) had to have been there and run the machine since my last visit, allowing it to download more suspicious objects. Of course, I am entirely remiss for not stopping to run Ad Aware and SpyBot when I first sat down at the machine and before doing anything else; I'll not forget to do so from here on out!!

Anyway, I removed the offending items and restarted, but kept getting popups. I decided to bring the system home, for the weekend, and try to work on it at my leisure in a controlled environment.

When I got it home, hooked it up and started it. It started displaying, upon startup, an error: "Spool32 has caused an error in <unknown>. Spool32 will now close." When I click "OK", I then get an error message saying "Explorer has caused an error in <unknown>. Explorer will now close." When I click on "OK", Explorer restarts and I'm back in the same position as I was at the beginning of this paragraph.

I'm sure that the fault is mine, but am unsure where to turn; it's like there are so many errors at this point that I'm not sure where to go from here. I looked up the Spool32 error and could find little help for errors occuring in <unknown>.

I know that this is not territory that is covered in this forum; it's kind of slid off into unauthorized territory, but any suggestions you may have will be gratefully received and carefully considered.

Thanks,

Silmaril

Spool32 is a legitimate Windows ME app, but something else may have affected it. Here is some info on Spool32:

http://support.microsoft.com/default.aspx?kbid=191949

What I recommend is to go back into Hjiack This, and restre all the backed up items you fixed. Reboot, then see if the error goes away. If so, we know that either:

- you fixed something legit by mistake; or

- something you fixed buggered up spool32 on purpose.

After you determine if you still get the error message, see if you can print properly.

Then, run a fresh HJT scan and post the log here for another look.

Dexter...