Spyware Issues: Need Help



#1 Ebutter4u
Posted 07 July 2004 - 05:57 PM

Logfile of HijackThis v1.98.0
Scan saved at 7:36:46 PM, on 7/7/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\system32\task32.exe
C:\WINNT\kernel32.pif
C:\WINNT\System32\wininetd.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\WEBERA~1\weraser.exe
C:\WINNT\System32\explorer.exe
C:\Documents and Settings\butter\Application Data\theb.exe
C:\WINNT\szchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://solar.directw....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solar.directw....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://solar.directw....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://solar.directw....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://solar.directw....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\butter\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\butter\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://solar.directw....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\butter\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\butter\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\butter\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://solar.directw....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\butter\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://solar.directw....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://all-find.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r6.attbi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\System32\winnet.dll
O2 - BHO: (no name) - {FFFAF608-2EC8-4CE1-8F3D-7CAB20F88A12} - C:\WINNT\System32\namjkaa.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Run32dll] c:\winnt\system32\task32.exe
O4 - HKLM\..\Run: [netconfig] kernel32.pif
O4 - HKLM\..\Run: [wininetd] C:\WINNT\System32\wininetd.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone system] C:\WINNT\szchost.exe
O4 - HKLM\..\Run: [winupd] C:\WINNT\System32\winupd.exe
O4 - HKCU\..\Run: [Web Eraser] C:\PROGRA~1\WEBERA~1\weraser.exe min
O4 - HKCU\..\Run: [Rsce] C:\Documents and Settings\butter\Application Data\theb.exe
O4 - Startup: Web Eraser.lnk = C:\Program Files\WebEraser\wedemo.htm
O4 - Startup: DLHelperEXE.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hmcmxzwk.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://195.225.177.8....chm::/cool.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.179.54/...nsearchie32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com...m::/newhelp.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = attbi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D5EF8D1-FB22-4662-8DD1-1265A0F08584}: Domain = attbi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = attbi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = attbi.com
O18 - Filter: text/html - {7F73B8A9-372B-4792-B057-810C61AA7508} - C:\WINNT\System32\namjkaa.dll
O18 - Filter: text/plain - {7F73B8A9-372B-4792-B057-810C61AA7508} - C:\WINNT\System32\namjkaa.dll

#2 RubbeR DuckY
Posted 07 July 2004 - 06:24 PM

Hello Ebutter4u. As some experts may say, your computer is Swiss cheese at the moment.

First download Ad-Aware 6.0. Install it. Run it and update by hitting the globe in the top right-hand corner and then connect. When it says found new reference file hit ok. Then hit finished.

Secondly hit next and right after that, scan. The program should scan for files. Once it is done hit next. Check the boxes for removal next to all the items in Ad-Aware. Then hit next to start removal. Restart your computer.

Then...

Then download CWShredder. Unzip it to a permanent folder and run it. Hit Fix. Let it run and remove stuff. Once it is done hit Exit. Next restart one more time.

You may be breaking a sweat by now but that's ok :).

Next can you please locate this file C:\WINNT\System32\namjkaa.dll. Send it to Here. Remember to zip it up before you send it. Now post a new Hijack This log.

Edited by RubbeR DuckY, 07 July 2004 - 06:24 PM.

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#3 Ebutter4u
Posted 07 July 2004 - 08:18 PM

Thanks for your help.
I followed the directions, but I can't find the file namjkaa.dll.

#4 RubbeR DuckY
Posted 07 July 2004 - 08:28 PM

It's ok... please post a new log after all the directions except the last one have been completed.

#5 Ebutter4u
Posted 07 July 2004 - 08:59 PM

Here is the log after completing all of the directions except for the last one.

Logfile of HijackThis v1.98.0
Scan saved at 10:48:56 PM, on 7/7/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\system32\task32.exe
C:\WINNT\kernel32.pif
C:\Documents and Settings\butter\Application Data\theb.exe
C:\WINNT\szchost.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r6.attbi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\System32\winnet.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Run32dll] c:\winnt\system32\task32.exe
O4 - HKLM\..\Run: [netconfig] kernel32.pif
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone system] C:\WINNT\szchost.exe
O4 - HKCU\..\Run: [Web Eraser] C:\PROGRA~1\WEBERA~1\weraser.exe min
O4 - HKCU\..\Run: [Rsce] C:\Documents and Settings\butter\Application Data\theb.exe
O4 - Startup: Web Eraser.lnk = C:\Program Files\WebEraser\wedemo.htm
O4 - Startup: DLHelperEXE.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://195.225.177.8....chm::/cool.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mhtml!http://81.9.3.86//sc...id=dp::/win.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com...m::/newhelp.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = attbi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D5EF8D1-FB22-4662-8DD1-1265A0F08584}: Domain = attbi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = attbi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = attbi.com
O19 - User stylesheet: C:\WINNT\win32.bmp

#6 RubbeR DuckY
Posted 08 July 2004 - 10:53 AM

Hello Ebutter4u. A few more things we have to do. Please startup Hijack This and tick the boxes next to these items.


O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\System32\winnet.dll
O4 - HKLM\..\Run: [Run32dll] c:\winnt\system32\task32.exe
O4 - HKLM\..\Run: [netconfig] kernel32.pif
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKCU\..\Run: [Rsce] C:\Documents and Settings\butter\Application Data\theb.exe
O4 - Startup: DLHelperEXE.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://195.225.177.8....chm::/cool.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mhtml!http://81.9.3.86//sc...id=dp::/win.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com...m::/newhelp.exe
O19 - User stylesheet: C:\WINNT\win32.bmp

Then close all windows and hit fix checked. Restart your computer.
Next delete the following files.

Files


C:\nosuch
C:\WINNT\win.exe
C:\WINNT\win32.exe
C:\WINNT\win32.bmp
C:\WINNT\system32\task32.exe
C:\Documents and Settings\butter\Application Data\theb.exe

DLHelperEXE.exe - Do a search for it
kernel32.pif - Do a search for it


They may be hidden; see Here on how to.

Then restart once more. I'd strongly suggest any or all of the online virus scans below. Restart and post a new Hijack this log.

Edited by RubbeR DuckY, 08 July 2004 - 10:53 AM.

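A worked illustration added here (not code from this thread, from HijackThis or from the helper): a small Python parser for the HijackThis log format that diffs the first log against the one posted after the Ad-Aware/CWShredder pass, the comparison the helper makes by hand before listing what is left to fix. The two sample logs are constructed excerpts of the logs above; the function names are my own.

```python
import re
from collections import Counter

# Constructed excerpts of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\kernel32.pif
C:\WINNT\System32\wininetd.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://solar.directw....net/search.php
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\System32\winnet.dll
O4 - HKLM\..\Run: [netconfig] kernel32.pif
O4 - HKLM\..\Run: [wininetd] C:\WINNT\System32\wininetd.exe
"""
LOG_AFTER = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\kernel32.pif
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\taskmgr.exe
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\System32\winnet.dll
O4 - HKLM\..\Run: [netconfig] kernel32.pif
O19 - User stylesheet: C:\WINNT\win32.bmp
"""

ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d{1,2}) - (?P<body>.*)$")  # R0/R1/O2/O4/O16...
PROC_RE = re.compile(r"^[A-Za-z]:\\")                              # a drive-rooted path

def parse_hjt(text):
    """Return (processes, entries): full paths listed under 'Running processes:'
    and (section, body) tuples for every R*/O* line that follows."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif m := ENTRY_RE.match(line):
            in_procs = False            # first R*/O* line ends the process list
            entries.append((m["sect"], m["body"]))
        elif in_procs and PROC_RE.match(line):
            processes.append(line)
    return processes, entries

def diff_logs(before, after):
    """Entries removed by the cleanup, entries still present, and new entries."""
    b, a = set(parse_hjt(before)[1]), set(parse_hjt(after)[1])
    return b - a, b & a, a - b

def repeated_processes(text, min_count=2):
    """Process paths listed more than once (case-insensitive), such as the
    eleven copies of taskmgr.exe in the second log of this thread."""
    counts = Counter(p.lower() for p in parse_hjt(text)[0])
    return {p: n for p, n in counts.items() if n >= min_count}
```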
