Jump to content


Photo

SpySweeper & Ad-Aware Won't Kill It


  • Please log in to reply
1 reply to this topic

#1 hitranger

hitranger

    Member

  • New Member
  • Pip
  • 2 posts

Posted 28 July 2004 - 02:52 PM

My Windows ME running IE 5.50 is infected with some kind of adware and I'm running Ad-Aware, SpySweeper, HiJackThis! and PopThis! and still the darn thing keeps re-generating. SpySweekper finds the bugs and deletes them, but 1 minute later they come back, even as I type this, something called java.exe keeps trying to start up and SpySweeper keeps telling me and I keep deleting it.
My default homepage keeps being hijacked to:
res://jcjhi.dll/index.html#96676
I ran the HiJackThis logfile and attached it. Any help would be appreciated...
Logfile:

Logfile of HijackThis v1.98.0
Scan saved at 2:00:57 PM, on 7/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\IEBD32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\JAVATU.EXE
C:\WINDOWS\DESKTOP\HJTLOG.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jcjhi.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jcjhi.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jcjhi.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jcjhi.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jcjhi.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jcjhi.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A7367BB2-EC6D-86CC-D35F-619C39373118} - C:\WINDOWS\WINNX32.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E10CFF79-7387-A961-D8F3-A733C71183E3} - C:\WINDOWS\WINSY32.DLL (file missing)
O2 - BHO: Class - {992CC6B0-F19C-96EB-B2AC-26F988029CAD} - C:\WINDOWS\IPQN.DLL (file missing)
O2 - BHO: Class - {C4012D49-A194-A75E-2913-A6B0116BD90C} - C:\WINDOWS\IECT32.DLL (file missing)
O2 - BHO: Class - {A78C683B-955A-AA50-0ABD-D5989A728228} - C:\WINDOWS\SYSTEM\SDKFG.DLL (file missing)
O2 - BHO: Class - {B990B770-D62A-B542-EDA6-516033B76258} - C:\WINDOWS\JAVADJ.DLL (file missing)
O2 - BHO: Class - {372F8931-D513-1387-33C0-8D1E94346E23} - C:\WINDOWS\CRTW32.DLL (file missing)
O2 - BHO: Class - {45095715-4837-DE78-F8F8-76551A4633CF} - C:\WINDOWS\SYSTEM\MSHM32.DLL
O2 - BHO: Class - {CDC4F9B8-74D2-78D7-264C-744CE85D9BF8} - C:\WINDOWS\SYSTEM\SYSGE.DLL (file missing)
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\PROGRAM FILES\SURFAPPS.COM\POPTHIS! FREE VERSION\POPTHIS.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpyStopper] C:\PROGRAM FILES\SPYSTOPPER\spystopper.exe
O4 - HKLM\..\Run: [JAVATU.EXE] C:\WINDOWS\JAVATU.EXE
O4 - HKLM\..\RunServices: [NTWS.EXE] C:\WINDOWS\NTWS.EXE
O4 - HKLM\..\RunServices: [WINKL32.EXE] C:\WINDOWS\SYSTEM\WINKL32.EXE
O4 - HKLM\..\RunServices: [NETXS.EXE] C:\WINDOWS\SYSTEM\NETXS.EXE
O4 - HKLM\..\RunServices: [MSNR32.EXE] C:\WINDOWS\MSNR32.EXE
O4 - HKLM\..\RunServices: [APPYN.EXE] C:\WINDOWS\SYSTEM\APPYN.EXE
O4 - HKLM\..\RunServices: [IPBB32.EXE] C:\WINDOWS\SYSTEM\IPBB32.EXE
O4 - HKLM\..\RunServices: [NETLX.EXE] C:\WINDOWS\NETLX.EXE
O4 - HKLM\..\RunServices: [MSUF.EXE] C:\WINDOWS\MSUF.EXE
O4 - HKLM\..\RunServices: [MSKM.EXE] C:\WINDOWS\MSKM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CRLH.EXE] C:\WINDOWS\CRLH.EXE
O4 - HKLM\..\RunServices: [MFCWG.EXE] C:\WINDOWS\SYSTEM\MFCWG.EXE
O4 - HKLM\..\RunServices: [MFCWB.EXE] C:\WINDOWS\MFCWB.EXE
O4 - HKLM\..\RunServices: [IEBD32.EXE] C:\WINDOWS\SYSTEM\IEBD32.EXE
O4 - HKLM\..\RunServices: [MSJX.EXE] C:\WINDOWS\SYSTEM\MSJX.EXE
O4 - HKLM\..\RunServices: [MFCAO32.EXE] C:\WINDOWS\MFCAO32.EXE
O4 - HKLM\..\RunServices: [APPNH32.EXE] C:\WINDOWS\SYSTEM\APPNH32.EXE
O4 - HKLM\..\RunServices: [MSKY32.EXE] C:\WINDOWS\MSKY32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Printkey-Pro.lnk = C:\Program Files\Printkey-Pro\Printkeypro.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\PROGRAM FILES\SURFAPPS.COM\POPTHIS! FREE VERSION\POPTHIS.DLL (file missing)
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\PROGRAM FILES\SURFAPPS.COM\POPTHIS! FREE VERSION\POPTHIS.DLL (file missing)
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Thanks for any help provided....Deryl

#2 gravylover5

gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • PipPipPip
  • 121 posts

Posted 28 July 2004 - 03:18 PM

Hello Hitranger, and welcome to the forums. Please print out my instructions for reference during the fix.

1. Download About:Buster from http://www.ducky.atribune.org/

2. Boot in Safe Mode - Hit the F8 key several times while booting, until you get a menu.

3. Run About:Buster while you are in Safe Mode. Hit Ok on the first prompt, Start on the second. Then Ok to start the removal. A log will start to form. After the program runs. Save the log somewhere.

4. Repeat Step 3.

After you do that, reboot and post a new Hijack This log along with the About: Buster logs.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button