Jump to content


Photo

Please help! Nothing works


  • Please log in to reply
5 replies to this topic

#1 protoss

protoss

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 30 June 2004 - 03:08 PM

I desperately need help.

Problem:

Links to pornographic pages keep appearing in my favourites folder, despite the fact that I keep deleting them.

Also, my homepage has been hijacked.

I have tried

CWShredder
AdAware
Spybot
Hijackthis

Nothing works.

I previously posted my logfile, but I see that I accidentally did it with Hijackthis version 1.97

I have redone it, with the latest version of Hijackthis, version 1.98.

Here is the logfile:


Logfile of HijackThis v1.98.0
Scan saved at 2:07:06 AM, on 1/4/90
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM32\WINMM64.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\MY DOCUMENTS\REMOVING SPYWARE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\SYSTEM32\WINMM64.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab

I appreciate your efforts.

#2 protoss

protoss

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 06:16 AM

Could someone please have a look at my log file. I am in desperate need of assistance here.

#3 Rootkit

Rootkit

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 01 July 2004 - 06:27 AM

Hi,protoss

Here is what i see in this Logfile but please do not.
fix a thing tell the Pros have a look at it for you

Now these here if you did not add them fix it
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install<--Maybe a Virus

This one is up to you Real Player update
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


you should do this let them know if you find anything

Symantec
TrendMicro
A2 Trojan Scan

Gday :bounce:

#4 protoss

protoss

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 06:55 AM

Hi Rootkit.

I did as you advised, and fixed all of the listed items.

However, whithin about 10 minutes they reappeared, along with the unwanted links in my favourtes folder, and the unwanted home page.

It looks like I have big problems.

How do I get rid of these damn intruders!

I appreciate your help.

#5 protoss

protoss

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 12:34 PM

The Spyware keeps regenerating the following items into my log file.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc

I delete them, but after about 10 minutes they just reappear. And so do the porn links in my favourites folder.

What doI do?

#6 protoss

protoss

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 06:13 PM

Here is my latest log.

Could you please have a look at it and let me know what to remove.

I have tried to remove the R1 and R0 entries, but they just keep reappearing again.

Logfile of HijackThis v1.98.0
Scan saved at 5:16:44 AM, on 1/5/90
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM32\WINMM64.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\MY DOCUMENTS\REMOVING SPYWARE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://countere.com/?b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://countere.com/?a=2&b=hc
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://countere.com/?a=2&b=hc
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\SYSTEM32\WINMM64.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C2FCEF4E-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI File information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button