Jump to content


Photo

Help with spyware and homepage hiijackers


  • Please log in to reply
1 reply to this topic

#1 Progressiveboink

Progressiveboink

    Member

  • New Member
  • Pip
  • 1 posts

Posted 11 July 2004 - 12:02 PM

Hello, recently I've been having a lot of trouble with certain forms of spyware. I'm usually pretty careful about what I download and which sites I visit, but I've recently had to start sharing my PC, and as a result, I've been bombarded with various annoyances ranging from pop-ups to homepage hiijackers. I've been sure to keep up to date versions of both Spybot and Ad-Aware, but neither have been able to remove the offending spyware. I just downloaded hiijack this, but I'm still not too sure of myself when it comes to removing the offending programs Any help you guys could offer would be especially appreciated.

Anyway, here's my hiijack this log

Logfile of HijackThis v1.98.0
Scan saved at 12:54:14 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kazaa\My Shared Folder\KazaaSkinz.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\kdx\KHost.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HTMROA~1\WaveProc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\AIM\aim.exe
C:\Documents and Settings\Lisa\Application Data\ootr.exe
C:\WINNT\System32\whqg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\assembly\temp\unacc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...ssiveboink.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne2.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net;<local>
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68FD3350-E21A-54EE-8327-16550CD0291F} - C:\WINNT\System32\oahkzbnu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Boneactive - {42CE64A4-E9C0-FFF1-56FD-718AD36BBE22} - C:\PROGRA~1\COMPGR~1\Dalewma.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\KazaaSkinz.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Heck defy] C:\PROGRA~1\HTMROA~1\WaveProc.exe
O4 - HKLM\..\Run: [unacc] C:\WINNT\assembly\temp\unacc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Owner\Desktop\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Lisa\Application Data\ootr.exe
O4 - HKCU\..\Run: [Oej] C:\WINNT\System32\whqg.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Owner\Desktop\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_4_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by9fd.bay9.ho...ex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

#2 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 14 July 2004 - 07:13 AM

Hello Lisa

You may find it helpful to print out these instructions.

First of all, you are running hijackthis out of a temporary directory. Can you please create a folder in C:Program Files and call it HijackThis or HJT or similar. Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create backup files whilst it is being run from a temporary folder.

Go to TrendMicro and perform an online virus scan. Let it fix anything that it finds. Do the same at Pandasoftware.

Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...ssiveboink.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {68FD3350-E21A-54EE-8327-16550CD0291F} - C:\WINNT\System32\oahkzbnu.dll

O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\KazaaSkinz.exe

O4 - HKLM\..\Run: [Heck defy] C:\PROGRA~1\HTMROA~1\WaveProc.exe
O4 - HKLM\..\Run: [unacc] C:\WINNT\assembly\temp\unacc.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Lisa\Application Data\ootr.exe
O4 - HKCU\..\Run: [Oej] C:\WINNT\System32\whqg.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab


This item is considered to be a resource hog that is not needed and it may be worthwhile to fix it with HJT. You will still be able to start it manually if you need it...

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here

Make sure you have all hidden files shown

Delete the following entries:
Files
C:\Documents and Settings\Lisa\Application Data\ootr.exe
C:\WINNT\System32\whqg.exe
C:\WINNT\assembly\temp\unacc.exe


Folders
C:\PROGRA~1\HTMROA~1
C:\Program Files\VVSN


Empty the contents of your temporary folders
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Empty your "Recycle Bin"
Open your Windows Explorer and navigate to C:\PROGRA~1\COMPGR~1\Dalewma.dll
rightclick the file and choose properties from the menu that appears...
Note down all the information you see in there and add it to your next reply...
Make sure you have looked at all the tabs...Can you give me the full path name of the folder as well. It needs to be fixed but I want to know exactly what it is first.

Reboot and post a fresh log so we can check that everything so far has been cleaned.

*****

These items are optional - what do with them is up to you.

You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. Rename EVNTSVC.EXE to EVNTSVC.EXE.OLD (or REALSCHED.EXE to REALSCHED.OLD) as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

Then fix this line with HJT

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywarein...m/articles/p2p/ If you opt to remove it, first use Add/Remove Programs to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'. P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You may also want to run KazaaBegone. Download it to a permanent folder, then run it, check the box 'Search and Destroy', and hit Go.

The same principle as Kazaa applies to Bearshare - if you have the free version. The bought version is clean of adware. The free version is adware loaded and can stealth install other programs. If you wish to remove it then do it through add/remove programs and then have HijackThis fix this line...

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button