Hijacked and lonely


7 replies to this topic

#1 i need the help


Posted 29 June 2004 - 10:42 PM

I have been hit by a hijacker that Ad-aware describes as placed in C:/windows/sysqi.exe. Spybot doesn't even detect it and CWShredder doesn't find it either. It sends pop-ups and redirects my home page to the res://atwbb.dll/index.html hijack site. The pop-ups are particularly annoying as they are about malware removal software. "your site is infected...." GRRRRR.
Before I knew what was happening I visited the killspy "software" site from one of the CWS search pages and downloaded it. It ran a "scan" and at the end I would have to pay to register the copy to have my spyware removed. I've since removed that program. I've run Spybot, Ad-aware, and CWShredder a number of times. I've read through the FAQs and even tried to muddle through the forums to see if anyone else had a similar problem. For time purposes I hope it would be OK to submit my HijackThis log....

Logfile of HijackThis v1.97.7
Scan saved at 5:41:22 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\atwbb.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\atwbb.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\atwbb.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {8C4D260B-1E41-DA14-F55E-71DD630C18DD} - C:\WINDOWS\addpy32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7326.5781597222
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0312.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c.../yiebio4025.cab

Thank you please help.

#2 shanej308


Posted 29 June 2004 - 10:45 PM

Hey buddy, if no one helps you, take a look at my topic; that is how I got rid of CWS.

#3 i need the help


Posted 29 June 2004 - 10:52 PM

OK, I'll try it. I can't find Spy Sweeper.

#4 shanej308


Posted 29 June 2004 - 10:53 PM

webroot.com

#5 i need the help


Posted 29 June 2004 - 10:58 PM

Oh, what I meant was that the download link there won't work. I can't get around it; I get an error:

Warning: Link failed (Too many links) in /var/www/html/webroot/php/tryme.php on line 36

Warning: Cannot add header information - headers already sent by (output started at /var/www/html/webroot/php/tryme.php:36) in /var/www/html/webroot/php/tryme.php on line 44

#6 shanej308


Posted 29 June 2004 - 11:00 PM

Hmm, I don't know about that right there; I never had that problem. Maybe someone will help you on here. I tried for a while; I had to dig through posts to get info. You might have to do the same.

#7 i need the help


Posted 30 June 2004 - 12:39 AM

I've had no success, and didn't want to drop out just yet. I also have the City of Heroes game. It doesn't work now either. I cannot download Spy Sweeper either for some reason.
Thank you.

#8 i need the help


Posted 30 June 2004 - 03:01 PM

Can anyone help here?



