Alissa

I've been hijacked...is it a worm?

16 posts in this topic

Hi,

The day after I got my PC, Norton Antivirus detected two worms...W32.Spybot.Worm and a W32.HLLW.Gaobot.gen worm. It eventually removed them and I hoped I wouldn't have to clean up the registry.

In the meantime, I have a nasty browser hijacker program. I've run Adaware, Spybot S&D, and SpySweeper and various nasties were removed. I ran HijackThis since I still had the problem. I read your postings about how to remove spyware and hijackers, and have done all those things with no luck. My HijackThis log looks okay as far as I have been able to see....

So, my question is, is my problem due to those two worms, and if so, will it be resolved if I disable system restore and scan the registry? I'm not sure what to look for when I do.

Here is a copy of my HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 11:53:02 AM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ImageIt\ItRun.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\taskmngrs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadthis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadthis.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinIt] C:\Program Files\ImageIt\ItRun.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2DA5CF4-1B08-4B47-8048-9C87C7425CE7}: NameServer = 209.193.4.7 209.193.4.8

thanks so much for your help!

Alissa


It doesn't look like anything nasty in your logfile, other than your homepage being down :-p. Anyway I'd suggest doing an online scan which is updated more frequently.

Housecall


CWShredder will not get rid of the hijacks... Please wait for qualified help....

> ...
> Running processes:
> C:\WINDOWS\System32\taskmngrs.exe
> ...
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadthis.com
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadthis.com
> ...
> O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
> ...
> O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
> O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
> ...
> O17 - HKLM\System\CCS\Services\Tcpip\..\{A2DA5CF4-1B08-4B47-8048-9C87C7425CE7}: NameServer = 209.193.4.7 209.193.4.8

> It doesn't look like anything nasty in your logfile, other than your homepage being down :-p. Anyway I'd suggest doing an online scan which is updated more frequently.

> C:\WINDOWS\System32\taskmngrs.exe

Well, obviously this is supposed to be there because the startup name for it is "Windows Update Machine," right? I think not.

As for the name servers entry, it appears that they are being hardcoded into your network connection. The IP addresses given (209.193.4.7, 209.193.4.8) map out to ns1.acsalaska.net and ns2.acsalaska.net. If you're using ACS for internet access, that's fine, but I would have thought DHCP would have covered that for them.

And, yes, the homepage is down, but it appears to be a legitimate site from the WHOIS query, assuming you visit Canadian websites often.

> CWShredder will not get rid of the hijacks... Please wait for qualified help....

Interesting, since a quick Google search provides the following product description:

PRODUCT DESCRIPTION

A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names).

Spybot S&D tends to forget essential parts of the hijack, so until it updates, you can just use this to completely remove the hijack. Updated to remove the new variants once they come out.

More information on the CWS hijacker, including recent variants of it, can be found here.

This tool will find and destroy all traces of the CoolWebSearch (CWS) hijacker on your system.

Maybe try researching the application a bit before posting blatantly false information?


sardak,

You clearly believe that you know more than you do... CWShredder is a wonderful tool if the log has CWS in it.. This one does not... It does have other malware that needs attention which is why I asked Alissa to wait for qualified help...

If you want to learn how to deal with malware I suggest you join Boot Camp and get some training in it rather than going around making statements that are provocative, but inaccurate...

And Alissa I still suggest you wait for qualified help...

> sardak, CWShredder was written and is maintained by one of our own Developers, so we know exactly what it does and doesn't do. Please stay out of the helping threads. If you want to help here, then sign up for training: http://www.spywareinfoforum.com/index.php?showtopic=34

Sorry, but I don't need any training. I've got about 16 years of computer experience under my belt, including software development, hardware repair, network administration and just about any other related field.

Also, I'm well aware of the origin of CWShredder, and it's my fault for misunderstanding the context to which I replied. Upon originally reading through, it sounded as though the person was saying that CWShredder would be effective, but would not remove "the" hijack.

It's obvious that there is quite a rigid policy as far as providing the same redundant answers and methods regardless of situation, and you don't take kindly to those who think outside of your box. I can understand the desire to make sure accurate, useful, and most of all, non-malicious suggestions and solutions are provided, but you might try actually considering the validity of someone's suggestion before simply shooting it down with your blanket statement of "join boot camp."

I do this for 10 hours a day professionally and get paid for it. I just happened to stumble on the site and decided to offer my recommendations, but if they're not welcome, that's fine; I have better things to do with my time.

I will admit that some of my comments may have been misconstrued as derogatory towards your administrative staff. I meant no offense to the person(s) involved, as it was aimed more at your policy than at any particular individual.


Your help will be more than welcome once you join the helper program. Anyone with strong knowledge and skills will quickly rise to Helper or higher. In the meantime we prefer that you do not intervene in the helping threads.


> At the risk of spamming this thread any more (my apologies to the author of this thread):
>
> I don't recall anything in your usage policy that says someone who has a valid answer can't offer it.

We generally don't mind if a member offers valid help, but fixing that O17 would've broken the poster's connection. And CNM is qualified to judge you (on this particular forum/board) because she is an admin, and you don't screw with the admins.


Alissa, I am sorry that your post should have been interrupted for that!

If you are still watching this post, then there are a couple of things in your original log that need to be fixed.

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe

Reboot, and delete the file taskmngrs.exe.

Please post a fresh HijackThis log, and say if your problems persist.


Boys, I appreciate all the attention...

When I reopened HijackThis and made a new log, taskmngrs.exe had vanished. ?!?! In a search, I found taskmngrs.exe-OF776703.pf in C:\windows\prefetch and the file C:\windows\system32\taskmngrs. I have not been hijacked yet today, but my husband was last night and I've no reason to think that anything's changed.

Here is the new log:

Logfile of HijackThis v1.98.0
Scan saved at 10:49:22 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ImageIt\ItRun.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\lsasse.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinIt] C:\Program Files\ImageIt\ItRun.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Microsoft Update Machine] lsasse.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] lsasse.exe
O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Microsoft Update Machine] lsasse.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

BTW, my fault on the previous <downloadthis.com> website. And ACS is my ISP service provider. Also, I did do the updates...oops.

So...what now? And can someone answer my question about the relationship between a worm and a trojan?

thanks again! ;) Alissa


The hijacking problem is back again today, but still no sign of taskmngrs.exe in my log (same as above).

Can someone please help?

thank you, Alissa


Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [Microsoft Update Machine] lsasse.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] lsasse.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] lsasse.exe

Reboot and delete the file lsasse.exe.

These may be hidden files. See HERE for how to show hidden files.

Please post a followup HijackThis log, and say if your problems persist.

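The pattern the helpers fix in both logs is the same: one file registered under HKLM Run, HKLM RunServices and HKCU Run at once, with a Windows-sounding display name, no path, and a file name that imitates a real system process (taskmngrs.exe in the first log, lsasse.exe in the second). As an added example, not code from the thread, from HijackThis or from the forum, here is a small Python triage script that picks those O4 entries out of a log; the sample lines are constructed from the two logs above, and the SYSTEM_NAMES list and the 0.85 similarity cut-off are my assumptions.

```python
import difflib
import re
from collections import defaultdict

# Constructed sample: O4 lines from the two HijackThis logs in this thread (taskmngrs.exe
# from the first log, lsasse.exe from the second) plus two benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] lsasse.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] lsasse.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] lsasse.exe
"""

# HijackThis O4 registry entry: "O4 - <hive>\..\<key>: [<display name>] <command>"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[[^\]]*\] (.*)$')
# Core Windows process names the files in this thread imitate (assumed list, not exhaustive).
SYSTEM_NAMES = ["lsass", "smss", "csrss", "svchost", "winlogon", "services",
                "explorer", "taskmgr", "spoolsv"]

def exe_name(command):
    """Lower-cased executable name from an O4 command (quotes, path and args stripped)."""
    m = re.search(r'([^\\" ]+\.exe)', command, re.I)
    return m.group(1).lower() if m else None

def analyze(log_text):
    """Return {exe: [reasons]} for O4 entries that deserve a second look."""
    locations = defaultdict(set)   # exe -> {"HKLM\Run", "HKCU\Run", ...}
    bare = set()                   # exes registered without a directory
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        exe = exe_name(m.group(3)) if m else None
        if exe is None:
            continue
        locations[exe].add(m.group(1) + "\\" + m.group(2))
        if "\\" not in m.group(3):
            bare.add(exe)
    findings = defaultdict(list)
    for exe, locs in locations.items():
        stem = exe[:-4]
        # 1. Same file under HKLM Run, HKLM RunServices and HKCU Run at once: the
        #    triple persistence both logs in this thread show.
        if {"HKLM\\Run", "HKLM\\RunServices", "HKCU\\Run"} <= locs:
            findings[exe].append("triple persistence (HKLM Run + RunServices + HKCU Run)")
        # 2. A core Windows process name, or something close to one (lsasse vs lsass,
        #    taskmngrs vs taskmgr); the 0.85 similarity cut-off is an assumption.
        for sysname in SYSTEM_NAMES:
            if stem == sysname:
                findings[exe].append("core Windows process name used as a Run entry")
            elif difflib.SequenceMatcher(None, stem, sysname).ratio() >= 0.85:
                findings[exe].append("look-alike of " + sysname + ".exe")
        # 3. A bare name alone is weak evidence (CARPService here is legitimate), so it
        #    is only reported for files that already tripped another rule.
        if exe in bare and exe in findings:
            findings[exe].append("no path given; locate the file under System32")
    return dict(findings)
```

Run against the sample, only taskmngrs.exe and lsasse.exe are reported; the O17 NameServer entry is deliberately left alone, since, as the thread notes, those addresses belonged to the poster's own ISP and removing them would have broken the connection.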
This topic is now closed to further replies.