Help! I've Been Hi-Jacked, Wormed, Trojaned or Vir
3 replies to this topic

#1 Allen Williams
    Member

  • Full Member
  • 1 posts

Posted 04 July 2004 - 11:32 AM

Hi Folks,
I hope someone can help. I have been hit by Purity Scan, ISTbar, XXXtoolbar, Superbar, ClickSpring, CoolWWW, Lycos SideSearch, VX2, Enigma Spy, PowerScan, Bargain Buddy, Clear Search, plus others. I have Ad-Aware, Hi-Jack This, Pest Patrol, Cw Shredder, Spy Bot Search and Destroy, Spyware Killer, Kill Box, Bazooka, SpyGuard, Spyware Blaster, SpySweeper, Evidence Eliminator, Norton's 2003 with Live Update, Registar Lite, RegClean, Web Search and none of these have been able to clean my system. They all say that they have, but all of these things keep coming back every time I re-boot.
I have used HJT many times and have deleted everything that was suspicious, and I have done this with Safe Mode and with System Restore Off. It doesn't make a difference. I have gone through the registry as much as I could and killed anything that had these file names: bhui.exe, iinstall.exe, csrss.exe, rs.exe, arpa.exe, services.exe, svhost.exe. These were all identified in the task manager when these pop-ups happen. I get Windows Error Service saying that my computer has Spyware and when I click okay, it takes me to a dead Clickspring page. If I cancel it, it keeps popping back up. If I kill it in task manager, then Purity Scan Page pops up. Sometimes Purity Scan pops up so fast I can barely keep ahead of it deleting in task manager. When I use Pest Patrol to delete either Purity Scan, or ISTbar, then the Purity Scan page kicks in right on top of it. When I use HiJack This and delete the items that are definitely bad, they just keep coming back. Right now everything is quiet and I can type this letter without being bothered for a while I guess.

This has really got me stumped. I know there must be something I am missing in the registry or in the HiJack This Logs. But I'll be darned if I can find out what it is. In the registry I don't have a list of the number values to tell me which ones may be bad especially in the root. If they have a name, I can mostly recognize them. I need some really good help on this one. Please don't tell me to buy another program. I have bought enough already and I think this whole mess is targeting them as well too. If this is a Virus, Worm or Trojan of which I think it is then I hope someone can recognize the symptoms I have and can direct me to a tool if there is one. If not, I guess it all has to be done manually. I just don't even want to think about a re-format of C: It is more of a problem getting all the stuff back on the computer and having to deal with Microsoft now cause I have XP Pro-home edition. To re-load or repair, you have to call them and get new product ID numbers now. I don't know if you have to do that on a re-format and install XP. I just would not rather do it, if possible.

So there you have it. Is anyone up to the challenge? Here is my latest HiJack Log after they reinstalled themselves again:

Oh, here is a little more information that I have found out.
I have done all of this in safe mode as well as regular mode. Nothing works. Spyware Sweeper shows me where some of this stuff is located. But I cannot for the life of me find it. Search doesn't find it either. But Spyware Sweeper says it's there. The path is C:\documents and settings\Network Services\Start Menu\Programs\Purity Scan\Purity Scan.Ink. The Problem folder I cannot see is NETWORK SERVICES. I have show all files including hidden and it still does not show up. Also my note pad will not open anymore as well as some saved registry files. When I try to open them, Purity Scan Page pops up. The only reason I am able to send a Hijack log, is that I do it while it is still open after saving it. Once I close it, I cannot reopen it again. I guess this thing is pretty wicked. That Network Services folder is the only one I have not been able to open. Got any ideas? I have already used, like I said, Ad-Aware, Spy Bot S&D and a whole lot of other programs and they just aren't able to get rid of it. And I have been running without System Restore on for over a week now, so that can't be the problem why they keep coming back. (The highlighted ones that I recognize are the ones I have consistently deleted and they keep coming back!)
Log File from High Jack This:

Logfile of HijackThis v1.97.7
Scan saved at 11:16:30 AM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\TBPanel.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\WINDOWS\system32\arpa.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\services.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\arpa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\cleaner.exe
C:\Documents and Settings\NetworkService\Application Data\tsuu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\cleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This Zipped\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IncrediBar - {D8073790-84C7-4602-BF77-C6ACBF1612E4} - C:\Program Files\IncrediBar\bin\IBTBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe

O4 - HKLM\..\RunServices: [Cleanup] C:\Program Files\Complete Cleanup Trial\compind.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT /SCAN
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IncrediBar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://*.mt-download.com
O15 - Trusted Zone: http://*.xxxtoolbar.com

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083478691343
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8147.7367476852
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...swflash5r42.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab

ANY REAL HELP FROM ANYONE WOULD BE SO GREATLY APPRECIATED. EVEN IF IT IS TO DIRECT ME TO ANOTHER SITE FOR A PROGRAM OR HELP. I AM GRASPING AT STRINGS HERE. NOTHING I HAVE TRIED SEEMS TO WORK.
PLEASE FEEL FREE TO E-MAIL ME IF YOU WANT. THANKS AGAIN, FOR ANY ASSISTANCE.
SINCERELY,
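One pattern in the log above is worth a mechanical check: the poster deleted anything named services.exe, csrss.exe or svchost.exe, yet those names belong to genuine Windows processes as well, and the log shows the same names starting from C:\WINDOWS\, system32\inetsrv\, system32\drivers\ and system32\wbem\. The script below is an added example, not from the thread or from HijackThis; it parses HijackThis-style process and O4 lines and flags a core system binary name whose directory is not its genuine home, assuming a default Windows XP layout under C:\WINDOWS.

```python
import re
from pathlib import PureWindowsPath

# Directory (upper-cased) holding the genuine Windows XP copy of each core
# system binary. Assumption for this example: a default C:\WINDOWS install.
EXPECTED_DIRS = {
    "smss.exe": r"C:\WINDOWS\SYSTEM32",
    "csrss.exe": r"C:\WINDOWS\SYSTEM32",
    "winlogon.exe": r"C:\WINDOWS\SYSTEM32",
    "services.exe": r"C:\WINDOWS\SYSTEM32",
    "lsass.exe": r"C:\WINDOWS\SYSTEM32",
    "svchost.exe": r"C:\WINDOWS\SYSTEM32",
    "explorer.exe": r"C:\WINDOWS",
}

# A drive-letter path ending at the first ".exe". Spaces are allowed (quoted
# "C:\Program Files\..." entries), quotes and line ends are not.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]+?\.exe", re.IGNORECASE)

def suspicious_paths(log_text):
    """Return (line, path) pairs where a core system binary name runs from,
    or is auto-started from, a directory other than its genuine home."""
    hits = []
    for line in log_text.splitlines():
        for path in PATH_RE.findall(line):
            p = PureWindowsPath(path)
            home = EXPECTED_DIRS.get(p.name.lower())
            if home is not None and str(p.parent).upper() != home:
                hits.append((line.strip(), path))
    return hits

# Constructed sample: a few lines copied from the log posted above, mixing
# genuine system processes with the same names in other directories.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for line, path in suspicious_paths(SAMPLE_LOG):
        print(f"masquerade candidate: {path}\n    from: {line}")
```

A hit only says the path is not where Windows keeps that binary; confirm before deleting, since removing the genuine system32 copy breaks the system.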

#2 dave38
    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 04 July 2004 - 05:21 PM

Try this. Check that adaware is updated.

Then go to the AdAware website, http://www.lavasoft.de/.
Download the VX2 plugin for AdAware, and run it according to the details given there.

Then post a fresh log.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 sarahmartini
    Member

  • New Member
  • 3 posts

Posted 05 July 2004 - 03:13 PM

Read this thread for some possible help with your problem. It looks almost like the same problem I had. Good luck.

http://www.spywarein...ic=9573&hl=bhui

#4 BriosCometfyre
    Member

  • Full Member
  • 55 posts

Posted 09 July 2004 - 11:03 PM

As far as not being able to find Notepad, try doing a search for it. It happened to me too, and for some reason it got relocated on my computer. For months I thought it was gone so I just didn't use it; today I did a search and it turned up that it ended up in C:\WINDOWS\notepad