Browser Hijacked & Pop-ups MERGED 2

#1 Freshenizer (Full Member)

Posted 08 July 2004 - 05:39 PM

A few months ago my browser startup page started changing to something else. I had no idea what caused it, then I heard it could be caused by spyware. I went and got Spybot S&D, but my browser still got changed every time I started it up. Recently I started getting a lot of pop-ups about spyware removal and all of that "click here to scan your PC!" crap. Also, I noticed that the pop-up blocker on my browser taskbar has disappeared. Of course I never click on any of it. I recently got Ad-aware and it still changes. Someone told me about "Hijack This!" so I got it, but I don't know what to delete. So I decided to check out these forums.

So here's my log (I didn't see an option to put it as an attachment):
Sorry, I just found out there was an update, so here's the new log.

Logfile of HijackThis v1.98.0
Scan saved at 5:39:12 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\system32\javabj.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\system32\netqg32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Cheryl\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch....aspx?tb_id=401
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zmqip.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zmqip.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zmqip.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zmqip.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zmqip.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zmqip.dll/index.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch....aspx?tb_id=401
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7A23E735-EC07-BB26-5CF0-DCDEBB6EADC9} - C:\WINDOWS\sdkwn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.111-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.111-big.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [netqg32.exe] C:\WINDOWS\system32\netqg32.exe
O4 - HKLM\..\RunOnce: [msbo32.exe] C:\WINDOWS\system32\msbo32.exe
O4 - HKLM\..\RunOnce: [javabj.exe] C:\WINDOWS\system32\javabj.exe
O4 - HKLM\..\RunOnce: [sdkwv.exe] C:\WINDOWS\system32\sdkwv.exe
O4 - HKLM\..\RunOnce: [wincq.exe] C:\WINDOWS\wincq.exe
O4 - HKLM\..\RunOnce: [apisa.exe] C:\WINDOWS\system32\apisa.exe
O4 - HKLM\..\RunOnce: [mfcye32.exe] C:\WINDOWS\mfcye32.exe
O4 - HKLM\..\RunOnce: [appqm32.exe] C:\WINDOWS\appqm32.exe
O4 - HKLM\..\RunOnce: [winuz.exe] C:\WINDOWS\system32\winuz.exe
O4 - HKLM\..\RunOnce: [syslu32.exe] C:\WINDOWS\syslu32.exe
O4 - HKLM\..\RunOnce: [addka32.exe] C:\WINDOWS\addka32.exe
O4 - HKLM\..\RunOnce: [sdkqo.exe] C:\WINDOWS\system32\sdkqo.exe
O4 - HKLM\..\RunOnce: [ntaf.exe] C:\WINDOWS\ntaf.exe
O4 - HKLM\..\RunOnce: [ipwn32.exe] C:\WINDOWS\ipwn32.exe
O4 - HKLM\..\RunOnce: [crww32.exe] C:\WINDOWS\system32\crww32.exe
O4 - HKLM\..\RunOnce: [apine32.exe] C:\WINDOWS\system32\apine32.exe
O4 - HKLM\..\RunOnce: [sysmm.exe] C:\WINDOWS\system32\sysmm.exe
O4 - HKLM\..\RunOnce: [addya32.exe] C:\WINDOWS\addya32.exe
O4 - HKLM\..\RunOnce: [ntki.exe] C:\WINDOWS\system32\ntki.exe
O4 - HKLM\..\RunOnce: [addjs32.exe] C:\WINDOWS\system32\addjs32.exe
O4 - HKLM\..\RunOnce: [apils.exe] C:\WINDOWS\system32\apils.exe
O4 - HKLM\..\RunOnce: [ntej32.exe] C:\WINDOWS\ntej32.exe
O4 - HKLM\..\RunOnce: [iprn32.exe] C:\WINDOWS\system32\iprn32.exe
O4 - HKLM\..\RunOnce: [ipvz.exe] C:\WINDOWS\system32\ipvz.exe
O4 - HKLM\..\RunOnce: [sdkqw.exe] C:\WINDOWS\system32\sdkqw.exe
O4 - HKLM\..\RunOnce: [applk32.exe] C:\WINDOWS\system32\applk32.exe
O4 - HKLM\..\RunOnce: [d3od32.exe] C:\WINDOWS\system32\d3od32.exe
O4 - HKLM\..\RunOnce: [crhd.exe] C:\WINDOWS\crhd.exe
O4 - HKLM\..\RunOnce: [apibd32.exe] C:\WINDOWS\apibd32.exe
O4 - HKLM\..\RunOnce: [ipxd32.exe] C:\WINDOWS\ipxd32.exe
O4 - HKLM\..\RunOnce: [wingh32.exe] C:\WINDOWS\system32\wingh32.exe
O4 - HKLM\..\RunOnce: [winqz.exe] C:\WINDOWS\system32\winqz.exe
O4 - HKLM\..\RunOnce: [syscm.exe] C:\WINDOWS\system32\syscm.exe
O4 - HKLM\..\RunOnce: [addbs.exe] C:\WINDOWS\system32\addbs.exe
O4 - HKLM\..\RunOnce: [appqy.exe] C:\WINDOWS\system32\appqy.exe
O4 - HKLM\..\RunOnce: [sdkki.exe] C:\WINDOWS\sdkki.exe
O4 - HKLM\..\RunOnce: [ipww32.exe] C:\WINDOWS\system32\ipww32.exe
O4 - HKLM\..\RunOnce: [iehw32.exe] C:\WINDOWS\iehw32.exe
O4 - HKLM\..\RunOnce: [netht.exe] C:\WINDOWS\system32\netht.exe
O4 - HKLM\..\RunOnce: [sdkqq32.exe] C:\WINDOWS\sdkqq32.exe
O4 - HKLM\..\RunOnce: [winst.exe] C:\WINDOWS\system32\winst.exe
O4 - HKLM\..\RunOnce: [msrb32.exe] C:\WINDOWS\system32\msrb32.exe
O4 - HKLM\..\RunOnce: [mfcgz.exe] C:\WINDOWS\mfcgz.exe
O4 - HKLM\..\RunOnce: [ntpd.exe] C:\WINDOWS\system32\ntpd.exe
O4 - HKLM\..\RunOnce: [winox.exe] C:\WINDOWS\system32\winox.exe
O4 - HKLM\..\RunOnce: [ipcg32.exe] C:\WINDOWS\system32\ipcg32.exe
O4 - HKLM\..\RunOnce: [appip32.exe] C:\WINDOWS\appip32.exe
O4 - HKLM\..\RunOnce: [ierj32.exe] C:\WINDOWS\ierj32.exe
O4 - HKLM\..\RunOnce: [appux32.exe] C:\WINDOWS\appux32.exe
O4 - HKLM\..\RunOnce: [msaf.exe] C:\WINDOWS\system32\msaf.exe
O4 - HKLM\..\RunOnce: [mfccv.exe] C:\WINDOWS\system32\mfccv.exe
O4 - HKLM\..\RunOnce: [atloc.exe] C:\WINDOWS\system32\atloc.exe
O4 - HKLM\..\RunOnce: [apidg.exe] C:\WINDOWS\system32\apidg.exe
O4 - HKLM\..\RunOnce: [mfcym.exe] C:\WINDOWS\mfcym.exe
O4 - HKLM\..\RunOnce: [mfckw32.exe] C:\WINDOWS\mfckw32.exe
O4 - HKLM\..\RunOnce: [crax32.exe] C:\WINDOWS\system32\crax32.exe
O4 - HKLM\..\RunOnce: [mslj32.exe] C:\WINDOWS\system32\mslj32.exe
O4 - HKLM\..\RunOnce: [msit32.exe] C:\WINDOWS\msit32.exe
O4 - HKLM\..\RunOnce: [javatu32.exe] C:\WINDOWS\javatu32.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Tchreg.lnk = C:\WINDOWS\ScnOffix\TchScan\Tchreg.exe
O4 - Startup: Headline Test.lnk = C:\WINDOWS\ScnOffix\headline.exe
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {E302F157-A890-4B6F-A421-839D25055D6D} (NLSysInfo Control) - http://www.novalogic...b/NLSysInfo.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.co...0.20/tukati.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.reds...rsinstaller.cab

Edited by Freshenizer, 08 July 2004 - 07:41 PM.

Bringing down the hammer!

#2 RubbeR DuckY (Developer)

Posted 08 July 2004 - 05:47 PM

Hello, please download About:Buster Version 1.25 and unzip it to your desktop. Start it, hit Ok, Start, and Ok again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.


Ducky

Note: You may need to run it a few times in Normal mode or reboot into safe mode and try it. Directions.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 Freshenizer (Full Member)

Posted 09 July 2004 - 12:44 AM

I accidentally double posted when I was trying to fix something, so ignore this post.

Edited by Freshenizer, 09 July 2004 - 12:48 AM.


#4 Freshenizer (Full Member)

Posted 09 July 2004 - 12:46 AM

Here's my HijackThis report:

Logfile of HijackThis v1.98.0
Scan saved at 10:39:31 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Real\RealArcade\RNArcade.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\javabj.exe
C:\WINDOWS\sdkwn.exe
C:\Documents and Settings\Cheryl\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch....aspx?tb_id=401
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {7A23E735-EC07-BB26-5CF0-DCDEBB6EADC9} - C:\WINDOWS\sdkwn.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

There was something I noticed that might be important: when I was removing everything except the R1s and R0s, these programs stayed.

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {7A23E735-EC07-BB26-5CF0-DCDEBB6EADC9} - C:\WINDOWS\sdkwn.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe


Here's the About:Buster report:
Also, my homepage has now been changed to www.google.com.

-- Scan 1 --------
About:Buster Version 1.26
Removed! : C:\WINDOWS\ohrgbq.dat
Removed! : C:\WINDOWS\sdkwn.dll
Removed! : C:\WINDOWS\qbzbs.dat
Error Removing! : C:\WINDOWS\sdkwn.exe.bak
Removed! : C:\WINDOWS\qbzbs.dll
Removed! : C:\WINDOWS\System32\javabj.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.26
Error Removing! : C:\WINDOWS\sdkwn.exe.bak
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

Edited by Freshenizer, 09 July 2004 - 12:53 AM.

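The first log in this thread (post #1) and the three entries that survived the clean-up in post #4 show the patterns the helpers here act on: R0/R1 pages pointing at a res:// DLL (zmqip.dll), a "(no name)" BHO whose DLL sits directly in C:\WINDOWS, a URLSearchHook with "(no file)", and dozens of RunOnce entries named with a familiar prefix plus two random letters (apisa.exe, mfcye32.exe, netqg32.exe). The Python below is an added example, not part of the thread, HijackThis or About:Buster: it parses those line kinds and flags them. The sample log is constructed from a few lines of the logs above plus benign entries; the category names and the prefix list in RANDOM_NAME are this example's own assumptions.

```python
"""Triage helper for HijackThis-style logs (added example; not a HijackThis feature)."""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the logs in this thread, mixed with
# benign entries (smss.exe, ccApp, nwiz, NAV Helper) that must not be flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 5:39:12 PM, on 7/8/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\javabj.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zmqip.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zmqip.dll/index.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/home.html
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {7A23E735-EC07-BB26-5CF0-DCDEBB6EADC9} - C:\WINDOWS\sdkwn.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [netqg32.exe] C:\WINDOWS\system32\netqg32.exe
O4 - HKLM\..\RunOnce: [msbo32.exe] C:\WINDOWS\system32\msbo32.exe
O4 - HKLM\..\RunOnce: [apisa.exe] C:\WINDOWS\system32\apisa.exe
O4 - HKLM\..\RunOnce: [mfcye32.exe] C:\WINDOWS\mfcye32.exe
"""

R_PAGE = re.compile(r"^(R[01]) - (.+?)\s*=\s*(.*)$")                    # start/search page values
R3_HOOK = re.compile(r"^R3 - URLSearchHook: (.+?) - (\{[^}]+\}) - (.*)$")
O2_BHO = re.compile(r"^O2 - BHO: (.+?) - (\{[^}]+\}) - (.*)$")
O4_AUTORUN = re.compile(r"^O4 - .*?\[([^\]]+)\] (.*)$")                  # [name] command
PROCESS_PATH = re.compile(r"^[A-Za-z]:\\")                               # "Running processes" lines

# Heuristic only (assumption of this example): the droppers in this thread use a
# prefix borrowed from legitimate Windows names plus two random letters and an
# optional "32". A hit means "look closer", not "malicious".
RANDOM_NAME = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.exe$"
)


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str
    line: str


def exe_basename(command: str) -> str:
    """Lower-cased executable file name from an O4 command or a process path."""
    cmd = command.strip().strip('"')
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)   # cut at the first .exe
    path = m.group(1) if m else (cmd.split() or [""])[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return every suspicious line with its category."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := R_PAGE.match(line):
            if m.group(3).lower().startswith("res://"):       # page served out of a local DLL
                findings.append(Finding("res-dll-page-hijack", m.group(2), line))
        elif m := R3_HOOK.match(line):
            if m.group(1) == "(no name)" or m.group(3) == "(no file)":
                findings.append(Finding("orphaned-urlsearchhook", m.group(2), line))
        elif m := O2_BHO.match(line):
            if m.group(1) == "(no name)":                     # anonymous browser helper object
                findings.append(Finding("unnamed-bho", m.group(3), line))
        elif m := O4_AUTORUN.match(line):
            name = exe_basename(m.group(2))
            if RANDOM_NAME.match(name):
                findings.append(Finding("random-named-autorun", name, line))
        elif PROCESS_PATH.match(line):
            name = exe_basename(line)
            if RANDOM_NAME.match(name):
                findings.append(Finding("random-named-process", name, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. for a quick summary line in a reply."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The random-name check is deliberately loose: run over the later logs it would also flag d3sc.exe, winlk.exe and d3fl.exe, which is exactly why cnm asks for the file's version information before anything is deleted. A flagged entry is a reason to look closer, not proof on its own.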

#5 Freshenizer (Full Member)

Posted 09 July 2004 - 01:03 AM

I restarted my PC and now I'm having the same problems again, but now my Firewall and Virus scanner have been removed from the taskbar at the bottom of my screen, and when I try to turn them back on it says I do not have permission from the administrator.

#6 RubbeR DuckY (Developer)

Posted 09 July 2004 - 12:29 PM

Hey can you please post one more log. :)

#7 Freshenizer (Full Member)

Posted 09 July 2004 - 02:28 PM

I'm not sure, my mom's boyfriend was a computer techy and he doesn't believe you guys are trying to help me, even though the guy I know that works at GameSpy Industries recommended HijackThis. So he deleted ALL of my spyware removal programs.. BTW what log do you want?

Edited by Freshenizer, 09 July 2004 - 02:29 PM.


#8 RubbeR DuckY (Developer)

Posted 09 July 2004 - 02:49 PM

Well, if he thinks we are not trying to help you, maybe he should help you. Now, if you believe we want to help you, then please post another HijackThis log.

Another suggestion: boot into safe mode and run About:Buster 2 times. This should fix your About:Blank problem.

#9 OSC (Retired Staff)

Posted 09 July 2004 - 03:04 PM

From Freshenizer

I'm not sure, my mom's boyfriend was a computer techy and he doesn't believe you guys are trying to help me, even though the guy I know that works at GameSpy Industries recommended HijackThis. So he deleted ALL of my spyware removal programs..


You have GOT to be kidding me. Look at the thousands of posts and thousands of people we have helped at this forum. RubbeR DuckY has helped thousands of people alone with his about:buster fix. If you truly believe we are not helping you, and sitting here just wasting our time, then I suggest you go somewhere else for help removing this thing (no disrespect towards you - sounds like I need to vent my frustration at your mom's boyfriend).
:grrr: :ugh: :rant:

#10 Freshenizer (Full Member)

Posted 09 July 2004 - 03:38 PM

I know, that's what I said. I got to redownload and reinstall HijackThis. On a good note, I managed to fix my Firewall and Anti-Virus.

Edited by Freshenizer, 09 July 2004 - 03:44 PM.


#11 Freshenizer (Full Member)

Posted 09 July 2004 - 03:59 PM

I entered Safe Mode, but I wasn't sure what to do after I got into it because I had never used Safe Mode before.

#12 Freshenizer (Full Member)

Posted 09 July 2004 - 10:24 PM

Anyway, here's a new HJT log. I haven't done an About:Buster scan in safe mode yet.

Logfile of HijackThis v1.98.0
Scan saved at 8:21:09 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\d3sc.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\system32\winlk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Cheryl\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch....aspx?tb_id=401
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hbutl.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hbutl.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hbutl.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hbutl.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hbutl.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hbutl.dll/index.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch....aspx?tb_id=401
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DEE73BDA-597A-B499-19B2-6F569DFF8BCF} - C:\WINDOWS\d3vl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winlk.exe] C:\WINDOWS\system32\winlk.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [d3sc.exe] C:\WINDOWS\d3sc.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab

#13 Freshenizer (Full Member)

Posted 12 July 2004 - 12:20 AM

BUMP

#14 Freshenizer (Full Member)

Posted 17 July 2004 - 10:39 PM

Did you guys suddenly forget about me?

#15 Freshenizer (Full Member)

Posted 08 August 2004 - 05:51 PM

Lately I got help removing spyware from the people at the Tech TV forums, getting my browser back and stuff like that. Lately (last 2 days) it hasn't been letting me get to the forums, it says "page cannot be displayed", but it still lets me browse around the rest of the website and other websites. This morning, when I finally got my firewall working again, it asked me on startup if I wanted to let tcpsvcs.exe have internet permission and, just to be safe, I clicked yes. I have no idea what tcpsvcs.exe is and was wondering if any of you know, or if you know what it does.

#16 RubbeR DuckY (Developer)

Posted 08 August 2004 - 05:53 PM

No, we have not, your post just slipped through the cracks. Please post a new HijackThis log.

A note: Please do not pm moderators, or any other members, they might just get annoyed and warn you :mellow: . Instead just bump the post once every 2 days. We understand that the wait with spyware is unbearable, but we are usually swamped.

Thanks for understanding :cool:

#17 Freshenizer (Full Member)

Posted 08 August 2004 - 05:58 PM

After all this time I have been getting help from the Tech TV forums. I got my browser back and the "only the best" pop-ups to stop. However, I do not think my problems are over, since when I was trying to access the Tech TV forums it says "page cannot be displayed." This morning I finally got my firewall back up and working, and it asked if I wanted to give tcpsvcs.exe access to the net and I let it, just to be safe. I was wondering, do you know what tcpsvcs.exe is?

And here is my HJT log:

Logfile of HijackThis v1.98.1
Scan saved at 3:57:56 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\d3fl.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Edited by Freshenizer, 08 August 2004 - 05:59 PM.


#18 cnm (Administrator)

Posted 08 August 2004 - 06:14 PM

http://www.liutiliti...ibrary/tcpsvcs/

Application that provides network and Internet communication through TCP/IP. Started only when the user configures special TCP/IP services, such as the DHCP Server.

If you don't want it running, do Start->Run, enter services.msc
Click on DHCP Server and set it to Disabled.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#19 Homsaro (Full Member)

Posted 08 August 2004 - 06:18 PM

It seems as if you have WinTools installed, or you just removed it...

#20 Freshenizer (Full Member)

Posted 08 August 2004 - 06:31 PM

I can only find DHCP Client. Also, how does my log look?

Edited by Freshenizer, 08 August 2004 - 06:32 PM.


#21 cnm (Administrator)

Posted 08 August 2004 - 06:48 PM

I don't know what this is, in your running processes, probably part of Direct3D?
C:\WINDOWS\system32\d3fl.exe
Right-click it and check Version in its Properties.

Other than that, log appears clean to me.



#22 Freshenizer (Full Member)

Posted 08 August 2004 - 08:53 PM

I talked to one of the guys at Tech TV about it before I had problems accessing the forum, and he said it was a random folder or something like that created by a trojan or worm; I thought I deleted it. It is saying that d3fl.exe is running, and before I delete it I want to get confirmation that it is a bad file. Can anyone find this out for me?

Edited by Freshenizer, 08 August 2004 - 09:11 PM.


#23 cnm (Administrator)

Posted 08 August 2004 - 09:40 PM

Please do what I asked. Navigate to where the file is. Right-click its name. Select Properties. Click Version tab. What does it say? Don't delete it if it says copyright Microsoft. It should look pretty much like the pic below if it is legit.

[Attached image: a_cnm6.jpg]

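The check cnm describes above (Properties, Version tab, does it say copyright Microsoft?) is Windows rendering the VS_VERSIONINFO resource stored inside the executable. The Python below is an added example, not cnm's procedure and not a tool from this thread: it pulls the CompanyName, LegalCopyright and OriginalFilename strings out of a file's raw bytes by locating the VS_VERSION_INFO block and applies the same "names Microsoft?" rule. build_version_blob constructs a minimal block so the code runs without a Windows binary; the function names are this example's own. A version block can be copied from a legitimate file, so a Microsoft string is only a reason not to delete blindly, never proof of legitimacy, while a missing or non-Microsoft block is the signal cnm was asking about.

```python
"""Read the strings Windows shows on a file's Properties > Version tab (added example)."""
import struct

VS_MARKER = "VS_VERSION_INFO".encode("utf-16-le")
WANTED_KEYS = ("CompanyName", "LegalCopyright", "FileDescription", "OriginalFilename")


def read_version_strings(data: bytes, keys=WANTED_KEYS) -> dict[str, str]:
    """Return {key: value} for the requested String entries of the VS_VERSIONINFO
    block, or {} when the file carries no version block at all."""
    marker = data.find(VS_MARKER)
    if marker < 6:
        return {}
    base = marker - 6  # 6-byte header (wLength, wValueLength, wType) precedes the key
    out: dict[str, str] = {}
    for key in keys:
        key_b = key.encode("utf-16-le") + b"\x00\x00"
        off = data.find(key_b, marker)
        while off >= 0 and (off - base) % 2:   # UTF-16 keys sit at even offsets; skip odd false hits
            off = data.find(key_b, off + 1)
        if off < 6:
            continue
        _w_len, w_val_len, w_type = struct.unpack_from("<HHH", data, off - 6)
        if w_type != 1:                          # 1 = text value, 0 = binary
            continue
        # The value starts at the next 32-bit boundary measured from the block start;
        # wValueLength counts UTF-16 code units including the terminating NUL.
        key_end = off + len(key_b)
        val_off = base + ((key_end - base + 3) & ~3)
        val = data[val_off:val_off + w_val_len * 2].decode("utf-16-le", "replace")
        out[key] = val.rstrip("\x00")
    return out


def looks_like_microsoft(strings: dict[str, str]) -> bool:
    """cnm's rule from the thread: a file whose version block names Microsoft is not
    to be deleted on sight. True means 'look closer', not 'legitimate'."""
    return any("microsoft" in strings.get(k, "").lower() for k in ("CompanyName", "LegalCopyright"))


def inspect_file(path: str) -> dict[str, str]:
    # e.g. inspect_file(r"C:\WINDOWS\system32\d3fl.exe") on the machine in question
    with open(path, "rb") as fh:
        return read_version_strings(fh.read())


def build_version_blob(strings: dict[str, str]) -> bytes:
    """Constructed test input: a minimal VS_VERSIONINFO-shaped block. A real resource
    also carries VS_FIXEDFILEINFO and StringFileInfo/StringTable wrappers, which
    read_version_strings does not depend on."""
    def pad4(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % 4)

    blob = pad4(struct.pack("<HHH", 0, 0, 0) + VS_MARKER + b"\x00\x00")   # 40 bytes
    for key, value in strings.items():
        key_b = key.encode("utf-16-le") + b"\x00\x00"
        val_b = value.encode("utf-16-le") + b"\x00\x00"
        entry = pad4(struct.pack("<HHH", 0, len(value) + 1, 1) + key_b) + pad4(val_b)
        blob += struct.pack("<H", len(entry)) + entry[2:]                 # fill in wLength
    return struct.pack("<H", len(blob)) + blob[2:]


if __name__ == "__main__":
    sample = build_version_blob({
        "CompanyName": "Microsoft Corporation",
        "LegalCopyright": "Copyright (C) Microsoft Corporation. All rights reserved.",
        "OriginalFilename": "tcpsvcs.exe",
    })
    found = read_version_strings(sample)
    for k, v in found.items():
        print(f"{k}: {v}")
    print("names Microsoft:", looks_like_microsoft(found))
```

On a real file the marker search also finds the block when the file is packed in a way that leaves the resource section intact; when it returns {} the Version tab is blank too, which is the situation post #24 reports.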


#24 Freshenizer (Full Member)

Posted 08 August 2004 - 10:02 PM

It didn't say that. Also, does anyone know if the Tech TV forums are down, because it won't let me access them lately.

Also, the only problems I'm having now are a slow start-up when my Norton Personal Firewall is installed (I currently uninstalled it and now it loads up fine) and not being able to access the Tech TV forums.

Edited by Freshenizer, 08 August 2004 - 11:26 PM.
