TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Nick23 on November 30, 2005, 08:04:38 PM

Title: NEED HELP WITH REMOVING HOOWAH POP-UP
Post by: Nick23 on November 30, 2005, 08:04:38 PM
Logfile of HijackThis v1.99.1
Scan saved at 5:02:29 PM, on 11/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\System32\nvsvc32.exe
C:\WINDOWS1\exgaawh.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS1\eekgduq.exe
C:\PROGRA~1\COMMON~1\kwok\kwokm.exe
C:\PROGRA~1\COMMON~1\kwok\kwoka.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3352580E-BCEA-C765-E4A1-B459A281F9E9} - C:\WINDOWS1\System32\xdyeug.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS1\system32\zljaxe.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS1\System32\irasewhw.dll
O2 - BHO: (no name) - {96C9CC24-C3F0-AF69-6F31-7A1F148DC81C} - C:\WINDOWS1\hrxvvhab.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS1\System32\msdxm.ocx
O3 - Toolbar: Search - {4D701E52-BC5E-F3DF-6312-2BEDCF5F7110} - C:\WINDOWS1\hrxvvhab.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [strtas] loc1.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eekgduq] C:\WINDOWS1\eekgduq.exe
O4 - HKLM\..\RunServices: [strtas] loc1.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunOnce: [9f9lu.exe] C:\WINDOWS1\System32\9f9lu.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [strtas] loc1.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [irassync] C:\WINDOWS1\System32\irasyncd.exe
O4 - HKCU\..\Run: [kwok] C:\PROGRA~1\COMMON~1\kwok\kwokm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.Email Removed.msn.com/resources/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFD2E962-3C7D-4028-A3DE-ACD6F5A87C4E}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS1\Tmljaw\command.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS1\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS1\exgaawh.exe

Title: NEED HELP WITH REMOVING HOOWAH POP-UP
Post by: guestolo on November 30, 2005, 08:35:25 PM
Can you do the following, please?

Download and save to your desktop
AimFix.exe (http://www.jayloden.com/AIMFix.exe)
Don't run it yet

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run it yet

==Download and then Install
Ewido Security Suite (http://download.ewido.net/ewido-setup.exe)

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now; we'll need it later.
If for some reason the Updater won't work, can you manually download the
updates from this link after you have Ewido installed:
http://www.ewido.net/en/download/updates/

Please save these instructions to a Notepad file and save it to your Desktop for reference,
or print this out.

Access your Add/Remove programs and remove if found
Windows Overlay Components
Don't reboot yet

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {3352580E-BCEA-C765-E4A1-B459A281F9E9} - C:\WINDOWS1\System32\xdyeug.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS1\system32\zljaxe.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS1\System32\irasewhw.dll
O2 - BHO: (no name) - {96C9CC24-C3F0-AF69-6F31-7A1F148DC81C} - C:\WINDOWS1\hrxvvhab.dll (file missing)

O3 - Toolbar: Search - {4D701E52-BC5E-F3DF-6312-2BEDCF5F7110} - C:\WINDOWS1\hrxvvhab.dll (file missing)

O4 - HKLM\..\Run: [strtas] loc1.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe

O4 - HKLM\..\Run: [eekgduq] C:\WINDOWS1\eekgduq.exe
O4 - HKLM\..\RunServices: [strtas] loc1.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunOnce: [9f9lu.exe] C:\WINDOWS1\System32\9f9lu.exe /k

O4 - HKCU\..\Run: [strtas] loc1.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [irassync] C:\WINDOWS1\System32\irasyncd.exe
O4 - HKCU\..\Run: [kwok] C:\PROGRA~1\COMMON~1\kwok\kwokm.exe

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS1\Tmljaw\command.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS1\exgaawh.exe


After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run AimFix.exe on your desktop, follow the prompts

Reboot your computer into Safe mode
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

In safe mode
Go to START>>RUN>>Type in the open field or copy and paste the below in bold

sc delete cmdService
Then hit OK

Afterwards
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Perform action with all infections
  Then click OK
When Ewido has finished its scan, click the "Save Report" button
Save the report to desktop
Exit Ewido

Reboot back to Normal mode

You're way behind on Windows updates.
It's important you update to keep secure.
For now, can you update to Service Pack 1a; you can update to Service Pack 2 after you are clear of all malware
http://www.microsoft.com/windowsxp/downloads/updates/sp1/expresso.mspx

Reboot when prompted

Back in Windows
Post back the following logs
1. Post back a fresh hijackthis log
2. Post back the full report from Ewido
3. Can you also post the AimFix log on your desktop

NOTE: IF you get any prompts from Microsoft AntiSpyware,
ALLOW them so they won't interfere with any fixes we are trying. This is important!!
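Added example, not code from this thread or from HijackThis: a small Python triage helper that applies, mechanically, the kind of checks the helper above applied by eye when picking the O2/O3/O4/O15/O23 entries to fix (target file missing, unnamed BHO or toolbar, service with no publisher, site added to the Trusted Zone, autorun by bare filename, binary living in the Windows root or in a non-standard "Common Files\Windows" folder). The sample lines are copied from the log in the first post; the heuristics are my assumptions for illustration and do not reproduce HijackThis's own logic.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# with three known-good entries (Adobe, QuickTime, NVIDIA) kept in as negatives.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3352580E-BCEA-C765-E4A1-B459A281F9E9} - C:\WINDOWS1\System32\xdyeug.dll
O3 - Toolbar: Search - {4D701E52-BC5E-F3DF-6312-2BEDCF5F7110} - C:\WINDOWS1\hrxvvhab.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [strtas] loc1.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS1\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS1\exgaawh.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                      # "O4 - <body>"
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
BARE_EXE_RE = re.compile(r"\]\s+([\w.-]+\.exe)\b", re.IGNORECASE)  # "[name] foo.exe", no directory

def reasons_for(line):
    """Return the triage reasons for one HijackThis entry; an empty list means it looks benign."""
    m = ENTRY_RE.match(line)
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: target file is missing")
    if section in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed BHO/toolbar")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if section == "O4" and BARE_EXE_RE.search(body):
        reasons.append("autorun by bare filename, no directory")
    p = PATH_RE.search(body)
    if p:
        parent = p.group(1).rsplit("\\", 1)[0].lower()
        if re.fullmatch(r"[a-z]:\\windows\d*", parent):   # heuristic: %WINDIR% root, not System32
            reasons.append("binary autostarts from the Windows root directory")
        if parent.endswith("common files\\windows"):
            reasons.append("binary in a non-standard 'Common Files\\Windows' folder")
    return reasons

def triage(log_text):
    """Map each suspicious log line to its reasons; benign lines are left out."""
    return {ln: r for ln in log_text.strip().splitlines() if (r := reasons_for(ln))}
```

Running triage(SAMPLE_LOG) flags six of the nine lines and leaves the Adobe, QuickTime and NVIDIA entries alone; a hit is a reason to look closer, not a verdict, and the log still needs a human read.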

Title: NEED HELP WITH REMOVING HOOWAH POP-UP
Post by: guestolo on December 15, 2005, 12:01:53 AM
Since it's been over 2 weeks with no reply, I'll lock this topic.