• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
jadestorm

help!

8 posts in this topic

Hi. I have a problem. There's spyware on my father's computer which changed the startpage and keeps giving 'your computer is infected by spyware' popups.

I ran SpySweeper, Spybot, Asescanner and HijackThis.

SpySweeper, Spybot and Asescanner found 19 spyware items, I fixed them. I also deleted the malware url's out of the HijackThis log file.

Now I still get the same startpage with in the adress bar: about:blank and when I typ in an adress the browser won't go there.

 

Can anyone please help me? I would be very grateful.

I ran FINDnFIX and this is the log:

 

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [versie 5.1.2600]

Het type bestandssysteem is NTFS.

C: bevat geen fouten.

 

zo 27/06/2004

7:03pm up 0 days, 9:05

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\FINDnFIX\LIST.TXT

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

No matches found.

 

No matches found.

 

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read INGEBOUWD\Gebruikers

(IO) ALLOW Read INGEBOUWD\Gebruikers

(NI) ALLOW Read INGEBOUWD\Hoofdgebruikers

(IO) ALLOW Read INGEBOUWD\Hoofdgebruikers

(NI) ALLOW Full access INGEBOUWD\Administrators

(IO) ALLOW Full access INGEBOUWD\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access INGEBOUWD\Administrators

(IO) ALLOW Full access MAKER EIGENAAR

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read INGEBOUWD\Gebruikers

Read INGEBOUWD\Hoofdgebruikers

Full access INGEBOUWD\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group PC-MICHAEL\Geen.

User is a member of group \Iedereen.

User is a member of group INGEBOUWD\Administrators.

User is a member of group INGEBOUWD\Gebruikers.

User is a member of group \LOKAAL.

User is a member of group NT AUTHORITY\INTERACTIEF.

User is a member of group NT AUTHORITY\Geverifieerde gebruikers.

 

Service search: '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

De opgegeven service is geen ge‹nstalleerde service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

De opgegeven service is geen ge‹nstalleerde service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x PC-MICHAEL\Michael

Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR

Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers

Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers

Allow 00000002 tc-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers

 

Owner: PC-MICHAEL\Michael

 

Primary Group: PC-MICHAEL\Geen

 

 

 

»»»»»»Backups created...»»»»»»

7:03pm up 0 days, 9:05

zo 27/06/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-27-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-27-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuota

 

**File C:\FINDnFIX\WIN.TXT

Øÿÿÿvk € fùAppInit_DLLsÖ?æG ° Ðÿÿÿvk ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 _£ûóðÿÿÿ9 0 Ðÿÿÿvk €' zGDIProcessHandleQuota"þàÿÿÿvk € °ºSpooler2ðÿÿÿy e s ŸûÓœ ° à 0 ` ¨ àÿÿÿvk € =pswapdiskÐÿÿÿvk R¿TransmissionRetryTimeoutàÿÿÿ° à 0 ` ¨ È Ðÿÿÿvk €' USERProcessHandleQuota ¸

Edited by jadestorm

Share this post


Link to post
Share on other sites

Please post your Hijack this log.

Share this post


Link to post
Share on other sites

This is the Hijack this log.

Thanks in advance!

 

 

Logfile of HijackThis v1.97.7

Scan saved at 19:20:53, on 4/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe

C:\Documents and Settings\Michael\Mijn documenten\downloads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {80EE039A-5F7D-4E0B-910C-5B015B3D1A0B} - C:\WINDOWS\System32\clmc.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O13 - DefaultPrefix:

O13 - WWW Prefix:

O16 - DPF: Dexia netbanking - http://netbanking.dexia.be/PC//Dynamic/Sha...t//DexiaIIA.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38034.554837963

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

Share this post


Link to post
Share on other sites

Hi!

There've been big problems with my dad's computer. A different startpage, a lot of popups, not being able to go to the adress you type in in the browser,...

 

Now I've been able to fix a few of the problems, it looks like it anyway. My startpage is back to normal and stays that way and the popups are gone BUT when I type in an internet adress in my browser, it won't go there.

 

Can anyone help me please? Thank you:

 

This is the Hijack This logfile:

 

Logfile of HijackThis v1.97.7

Scan saved at 18:23:26, on 13/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE

C:\Documents and Settings\Michael\Mijn documenten\downloads\HijackThis.exe

 

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O13 - DefaultPrefix:

O13 - WWW Prefix:

O16 - DPF: Dexia netbanking - http://netbanking.dexia.be/PC//Dynamic/Sha...t//DexiaIIA.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38034.554837963

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

Share this post


Link to post
Share on other sites

Please keep to one topic, until your problem is resolved.

 

Your posts merged to here.

Share this post


Link to post
Share on other sites

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O13 - DefaultPrefix:

O13 - WWW Prefix:

 

O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe

Reboot after fixing.

Share this post


Link to post
Share on other sites

Thank you so much, the problem is fixed now!

 

Thanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanksthanks

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0