• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Progressiveboink

Help with spyware and homepage hiijackers

2 posts in this topic

Hello, recently I've been having a lot of trouble with certain forms of spyware. I'm usually pretty careful about what I download and which sites I visit, but I've recently had to start sharing my PC, and as a result, I've been bombarded with various annoyances ranging from pop-ups to homepage hiijackers. I've been sure to keep up to date versions of both Spybot and Ad-Aware, but neither have been able to remove the offending spyware. I just downloaded hiijack this, but I'm still not too sure of myself when it comes to removing the offending programs Any help you guys could offer would be especially appreciated.

 

Anyway, here's my hiijack this log

 

Logfile of HijackThis v1.98.0

Scan saved at 12:54:14 PM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton Internet Security\NISUM.EXE

C:\Program Files\Norton Internet Security\ccPxySvc.exe

C:\WINNT\System32\gearsec.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\NMSSvc.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Kazaa\My Shared Folder\KazaaSkinz.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINNT\kdx\KHost.exe

C:\WINNT\System32\P2P Networking\P2P Networking.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\HTMROA~1\WaveProc.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\VVSN\VVSN.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\Desktop\AIM\aim.exe

C:\Documents and Settings\Lisa\Application Data\ootr.exe

C:\WINNT\System32\whqg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\assembly\temp\unacc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...ssiveboink.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne2.attbb.net:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net;<local>

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {68FD3350-E21A-54EE-8327-16550CD0291F} - C:\WINNT\System32\oahkzbnu.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Boneactive - {42CE64A4-E9C0-FFF1-56FD-718AD36BBE22} - C:\PROGRA~1\COMPGR~1\Dalewma.dll

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\KazaaSkinz.exe

O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Heck defy] C:\PROGRA~1\HTMROA~1\WaveProc.exe

O4 - HKLM\..\Run: [unacc] C:\WINNT\assembly\temp\unacc.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Owner\Desktop\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Lisa\Application Data\ootr.exe

O4 - HKCU\..\Run: [Oej] C:\WINNT\System32\whqg.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Owner\Desktop\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_4_0.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by9fd.bay9.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Share this post


Link to post
Share on other sites

Hello Lisa

 

You may find it helpful to print out these instructions.

 

First of all, you are running hijackthis out of a temporary directory. Can you please create a folder in C:Program Files and call it HijackThis or HJT or similar. Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create backup files whilst it is being run from a temporary folder.

 

Go to TrendMicro and perform an online virus scan. Let it fix anything that it finds. Do the same at Pandasoftware.

 

Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...ssiveboink.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {68FD3350-E21A-54EE-8327-16550CD0291F} - C:\WINNT\System32\oahkzbnu.dll

 

O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\KazaaSkinz.exe

 

O4 - HKLM\..\Run: [Heck defy] C:\PROGRA~1\HTMROA~1\WaveProc.exe

O4 - HKLM\..\Run: [unacc] C:\WINNT\assembly\temp\unacc.exe

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Lisa\Application Data\ootr.exe

O4 - HKCU\..\Run: [Oej] C:\WINNT\System32\whqg.exe

 

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab

 

This item is considered to be a resource hog that is not needed and it may be worthwhile to fix it with HJT. You will still be able to start it manually if you need it...

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

 

Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here

 

Make sure you have all hidden files shown

 

Delete the following entries:

Files

C:\Documents and Settings\Lisa\Application Data\ootr.exe

C:\WINNT\System32\whqg.exe

C:\WINNT\assembly\temp\unacc.exe

 

Folders

C:\PROGRA~1\HTMROA~1

C:\Program Files\VVSN

 

Empty the contents of your temporary folders

  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Empty your "Recycle Bin"

Open your Windows Explorer and navigate to C:\PROGRA~1\COMPGR~1\Dalewma.dll

rightclick the file and choose properties from the menu that appears...

Note down all the information you see in there and add it to your next reply...

Make sure you have looked at all the tabs...Can you give me the full path name of the folder as well. It needs to be fixed but I want to know exactly what it is first.

 

Reboot and post a fresh log so we can check that everything so far has been cleaned.

 

*****

 

These items are optional - what do with them is up to you.

 

You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. Rename EVNTSVC.EXE to EVNTSVC.EXE.OLD (or REALSCHED.EXE to REALSCHED.OLD) as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

 

Then fix this line with HJT

 

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use Add/Remove Programs to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'. P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You may also want to run KazaaBegone. Download it to a permanent folder, then run it, check the box 'Search and Destroy', and hit Go.

 

The same principle as Kazaa applies to Bearshare - if you have the free version. The bought version is clean of adware. The free version is adware loaded and can stealth install other programs. If you wish to remove it then do it through add/remove programs and then have HijackThis fix this line...

 

O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0