donchen Posted October 19, 2004

Hi! I desperately need help on this. I have a spyware installed on my computer. It is called Internet Assistant 3721. I tried Search & Destroy but could not find it. When I try Ad-Aware Pro, it found it. But if I attempt to remove it, whenever I reboot my computer, it will say that it can't find helper.dll. Attached below is a copy of the HijackThis log file.

Logfile of HijackThis v1.97.7
Scan saved at 10:29:27 AM, on 10/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Samurize\Client.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Documents and Settings\dOn\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097561834819
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2F9D054-D2B5-4CE8-9BDF-8BF3A81DB7E9} (ProductIDGatherer.WindowsGatherer) - http://download.microsoft.com/download/a/3/7/a377aea1-7b14-4fa1-933c-43e657b37995/ProductIDGatherer.CAB

So anyone can give me help on this please ?

insanekiwi Posted October 19, 2004
how about hijackthis, cwshredder?

badnewz Posted October 19, 2004
or http://www.definitivesolutions.com/bhodemon.htm

MCT Posted October 19, 2004
your version of HijackThis is old, current version is 1.98.2 :p
make sure u download the latest updates for all programs, current version of ad-aware is: Ad-Aware SE 1.05
update the database too once u have that :)
your HJT log looks ok tho :no: probs there
maybe adaware is giving a false positive

donchen Posted October 19, 2004
I've used HijackThis to remove it. But after I remove it, whenever I reb00t my computer, it says helper.dll module not found.

greg098 Posted October 19, 2004
delete the registry key thingy in c:/windows/downloaded program files

insanekiwi Posted October 19, 2004
https://www.neowin.net/forum/index.php?show...#entry584765508

donchen Posted October 19, 2004
Hmn... the program that hijacked my computer is not CoolWebSearch. Therefore when I run CWS, it found nothing..

donchen Posted October 19, 2004
MCT : This line is the line of spyware isn't it ?
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

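Added example (not part of the original thread, and not code from HijackThis or Ad-Aware): a Python parser for the O4 lines of a HijackThis log that picks out Run entries starting a DLL through rundll32 and reports those whose DLL is missing, the state in which rundll32 reports a missing module at each logon. The sample lines are copied from the log in this thread; the function names and the `exists` parameter are assumptions made for the example.

```python
import os
import re
from collections import namedtuple

# Sample input: three O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
"""

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$", re.M)
# "[path\]rundll32[.exe] <dll>,<export>", with optional quotes around either path
RUNDLL = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(.+?\.dll)"?\s*,\s*(\S+)', re.I)

RunDll = namedtuple("RunDll", "hive key name dll export")


def rundll_run_entries(log_text):
    """Return the O4 Run entries that start a DLL through rundll32."""
    entries = []
    for hive, key, name, command in O4_RUN.findall(log_text):
        m = RUNDLL.match(command.strip())
        if m:
            entries.append(RunDll(hive, key, name, m.group(1), m.group(2)))
    return entries


def orphaned(entries, exists=os.path.exists):
    """Return entries whose DLL is absent according to exists(path).

    The default checks the local disk, so it is only meaningful when run on
    the machine the log came from. Paths are passed to exists() as written.
    """
    return [e for e in entries if not exists(e.dll)]


if __name__ == "__main__":
    # Assumed state for the demo: the 3721 folder was deleted, the Run value was not.
    still_there = {r"c:\windows\system32\nvcpl.dll"}
    for e in orphaned(rundll_run_entries(SAMPLE_LOG), lambda p: p.lower() in still_there):
        print(f"{e.hive}\\..\\{e.key}: [{e.name}] -> missing {e.dll}")
```
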
donchen Posted October 19, 2004
I get this problem when I remove the spyware using Adaware. And BHODemon doesn't find the particular spyware as well.

donchen Posted October 19, 2004

CnsMin Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\3721

CnsMin Object Recognized!
Type : File
Data : autolive.dll
Category : Data Miner
Comment :
Object : c:\program files\3721\
FileVersion : 1, 0, 2, 6
ProductVersion : 1, 0, 2, 6
ProductName : AutoLive Module
FileDescription : AutoLive Module
InternalName : AutoLive
LegalCopyright : Copyright 2004
OriginalFilename : AutoLive.DLL

CnsMin Object Recognized!
Type : File
Data : autolive.ini
Category : Data Miner
Comment :
Object : c:\program files\3721\

CnsMin Object Recognized!
Type : File
Data : autolvsw.ini
Category : Data Miner
Comment :
Object : c:\program files\3721\

CnsMin Object Recognized!
Type : File
Data : cns01.dat
Category : Data Miner
Comment :
Object : c:\program files\3721\

CnsMin Object Recognized!
Type : File
Data : Helper.dll
Category : Data Miner
Comment :
Object : c:\program files\3721\
FileVersion : 1, 0, 1, 2
ProductVersion : 1, 0, 1, 2
ProductName : Helper Module
FileDescription : Helper Module
InternalName : Helper
LegalCopyright : Copyright 2004
OriginalFilename : Helper.dll

CnsMin Object Recognized!
Type : File
Data : notifier.dll
Category : Data Miner
Comment :
Object : c:\program files\3721\
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 4
ProductName : ComObj Module
FileDescription : ComObj Module
InternalName : ComObj
LegalCopyright : Copyright 2004
OriginalFilename : ComObj.DLL

CnsMin Object Recognized!
Type : File
Data : patch03.dll
Category : Data Miner
Comment :
Object : c:\program files\3721\

CnsMin Object Recognized!
Type : File
Data : patch05.dll
Category : Data Miner
Comment :
Object : c:\program files\3721\

CnsMin Object Recognized!
Type : File
Data : patch06.dll
Category : Data Miner
Comment :
Object : c:\program files\3721\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : 3721 patch06
CompanyName : 3721
FileDescription : patch06
InternalName : patch06
LegalCopyright : Copyright (C) 2004 3721.com
OriginalFilename : patch06.dll

CnsMin Object Recognized!
Type : File
Data : scrblock.dll
Category : Data Miner
Comment :
Object : c:\program files\3721\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : 3721 ScrBlock
CompanyName : 3721
FileDescription : ScrBlock
InternalName : ScrBlock
LegalCopyright : Copyright ? 2004
OriginalFilename : ScrBlock.dll

donchen Posted October 19, 2004
Please ? Anyone ?

umteen Posted October 19, 2004
Ok, no offense to Neowin, but I feel that you should go on to Ad-Aware's forum and post your findings and queries there. You have to ask permission before posting logs, but they have a team there to help. Good luck. Also there is, I think, a forum for HijackThis specifically. Good luck.
Edit: I see you are already on Ad-Aware's forum.

joker999 Posted October 19, 2004
http://www.mac-net.com/296485.page :whistle:

donchen Posted October 19, 2004
Yeah.. I'm already at their forum. But I don't have much help there.. So I'm just trying out here. Haiz.. hopefully to get it solved as soon as possible..

donchen Posted October 19, 2004
Tried that, it doesn't work.. But thanks a lot! Anyone else ? Please ?

donchen Posted October 19, 2004
No one knows this ?

donchen Posted October 20, 2004
No one can help me with this ?