Help! I've shot myself in the foot!


  • This topic is locked
8 replies to this topic

#1 rockheadx88

Posted 27 July 2004 - 03:44 AM

For about a month now, I've been waging war against all kinds of spyware and adware and even a few viruses. One day, about a week ago, I snapped. So I went and downloaded Hijack This and Ad-Aware and Spybot in an attempt to reclaim my sanity. What I did was, I used Ad-Aware to locate the files that were bad, then I proceeded to wipe them manually from my hard drive, and then from my registry. This pretty much annihilated my ability to get pirated music (cough kazaa cough), but I figured what the heck, I'm spyware free! The only thing left was that my homepage on IE was altered, so I used my newfangled Hijack This and it found about a hundred suspicious files! So in a fit of rage I went against the program's advice and "fixed" everything I could. Now none of my online games work. :grrr:
However, I can still surf the internet, check my Yahoo email account and use AOL Instant Messenger. It's only when I try to play Unreal Tourney 2004 online - or any other game online for that matter - that it will not connect. (I don't know if it's important or not, but I checked the console for error messages whilst in game and got a flurry of "unable to connect to master server" messages.) I have left messages in the forums of some of the games I'm trying to play, but to no avail. My only theory is that I deleted some crucial file while using Hijack This.

Sorry for making this so long, but I will greatly appreciate any help or ideas.

-sean

#2 H@ns

Posted 27 July 2004 - 03:57 AM

For a lot of games you will need a program that prevents cheating. Do you have that? Punkbuster for example.

Kazaa sucks really, and I would remove it from your disk and install a program like Kazaa Lite, Shareaza or something like that.

"My only theory is that i deleted some crucial file while using Hijack This"

That's possible. How much have you fixed yourself?
Nucia Security Forums - Dutch Anti-Malware Support

#3 invis_tres

Posted 27 July 2004 - 03:58 AM

If you have HJT in a permanent folder like c:\hjt,
then run HijackThis and
go to Config, Backup.
All the files that were deleted by HJT must be in that folder, unless you deleted them manually too.

If you know which file you need back, then you can use its restore option to restore that specific file.

Here is a link which shows the above post's content visually:
http://www.spywarein...showtopic=17999



:oops: Hans reached here faster than me, it seems.

Edited by invis_tres, 27 July 2004 - 04:01 AM.


#4 rockheadx88

Posted 27 July 2004 - 04:10 AM

Wow, that was fast, thank you.

Hans: Well, I fixed everything that came up on the list. For a while I could reboot and run Hijack This and get no results. But that's not the case right now; I can post a log if it will be useful. For the game I'm concentrating on, which is called "Savage", there isn't a PunkBuster or other client-run anti-cheat software that has to be downloaded separately from the game, but at this point I will try anything (a link would help a lot). Btw, I agree that Kazaa is horrible; I deleted all traces of it that I could find, and I won't try downloading anymore for the moment. One step at a time.

Invis: I have HJT in its own folder, but I'm not sure which files I should restore. Maybe I'll restore everything and see if I can play then, but in case that doesn't work, do you have any other ideas?

Thank you both for your help, I appreciate it.

#5 H@ns

Posted 27 July 2004 - 04:13 AM

Oh no, that wasn't a good idea :(

HijackThis also shows GOOD and IMPORTANT items... Follow the instructions from invis_tres and restore everything you fixed. Then reboot, make a new HijackThis log, and post it here. Experts will see if you are clean or not. (And they will say which items, and only those, you may check and fix in HJT.)

#6 rockheadx88

Posted 27 July 2004 - 04:46 AM

Here is the log I made after restoring everything I could and then rebooting.

Logfile of HijackThis v1.97.7
Scan saved at 2:42:48 AM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Sean\My Documents\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Sean\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Sean\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mxtabs.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Sean\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {103B2138-7CA0-4CBC-BBF5-2C7B8E67FC89} - C:\WINDOWS\System32\doabgea.dll (file missing)
O2 - BHO: (no name) - {5C5390E3-FD3F-4EF9-9A88-16A4784EB74A} - C:\WINDOWS\System32\hhpm.dll (file missing)
O2 - BHO: (no name) - {73C72424-6D8D-430E-BDD7-5AD973AEB0B7} - C:\WINDOWS\System32\doabgea.dll (file missing)
O2 - BHO: (no name) - {BBB666AA-0FEC-42DE-B199-8317B0BB3499} - C:\WINDOWS\System32\doabgea.dll (file missing)
O2 - BHO: (no name) - {BD324D66-4C32-4FF4-A9AF-AB923F20C4B8} - C:\WINDOWS\System32\aco.dll (file missing)
O2 - BHO: (no name) - {C156334F-D33C-42F0-8A83-EEEC07E6FB89} - C:\WINDOWS\System32\kblpdaa.dll (file missing)
O2 - BHO: (no name) - {E5A2D697-2161-43AD-A0EA-82A39D6D8354} - C:\WINDOWS\System32\doabgea.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [Hroc] C:\Documents and Settings\Sean\Application Data\arlt.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: AIM (HKLM)
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8193.8758680556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6686F472-BE22-444A-90E8-611E1FD17B59}: NameServer = 216.174.194.53,213.174.194.54

#7 invis_tres

Posted 27 July 2004 - 05:35 AM

All you have restored is really malware only.
And I don't actually like to restore everything that was fixed, but since you restored them, can you play your games now, without problems?

I don't think so, because the sp.html entries, MediaTickets and the xxx toolbar
are all malware.
After restoring, you don't have a browser hijack?

All those BHO *.dlls whose files are missing have weird names.
Did you delete those .dlls manually? Because HJT restores files as well as entries.
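
The two kinds of entry singled out in the reply above (IE search pages set to an sp.html file in a Temp folder, and BHOs whose DLL is reported missing) can be picked out of a HijackThis log mechanically. This is an added example, not part of the original thread and not HijackThis's own code; the function names are hypothetical and the sample is a few lines copied from the log posted above.

```python
import re
from collections import defaultdict

# Excerpt of the log posted in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Sean\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mxtabs.net/
O2 - BHO: (no name) - {103B2138-7CA0-4CBC-BBF5-2C7B8E67FC89} - C:\WINDOWS\System32\doabgea.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{6686F472-BE22-444A-90E8-611E1FD17B59}: NameServer = 216.174.194.53,213.174.194.54
"""

# Entry lines start with a section code (R0, O2, O16, ...) followed by " - ".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Group the numbered entry lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            sections[match.group(1)].append(match.group(2))
    return dict(sections)


def review_notes(sections):
    """Return (code, reason, entry) for the two patterns discussed in the thread.

    A note marks an entry for a helper to look at; it is not a verdict.
    """
    notes = []
    for code, entries in sections.items():
        for text in entries:
            if code in ("R0", "R1") and re.search(r"= file://.*\\temp\\", text, re.I):
                notes.append((code, "IE page points at a local file in a Temp folder", text))
            elif code == "O2" and text.endswith("(file missing)"):
                notes.append((code, "BHO still registered but its DLL is missing", text))
    return notes


if __name__ == "__main__":
    for code, reason, entry in review_notes(parse_entries(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {entry}")
```

Entries the function does not mention (the O4 Run keys, the O17 NameServer line) are left for a human reviewer, which matches the advice in the thread to post the log rather than fix everything.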

#8 rockheadx88

Posted 27 July 2004 - 02:52 PM

After restoring everything, all of my games still cannot connect online. But for some reason my browser isn't hijacked, even though I restored everything on the list. I may have deleted some of the backups that were made, not sure. Are those files important? If so, I will try to recover them.

#9 rockheadx88

Posted 28 July 2004 - 05:26 PM

<bump>

Still confused...