Browser Hijacked by 680180.net Pop up ads


#1 ravichima
New Member, 3 posts

Posted 29 July 2004 - 06:38 PM

I am not able to browse; the browser is getting killed and so many pop-ups are appearing with ads, and those ad windows start with something like '680180.net...'.

I read the FAQs on your site, downloaded Ad-aware and scanned with it - after cleaning, it complained about the following files that it was not able to delete:

ace.dll
wtoolsb.dll
wsup.exe
wtoolsa.exe

Some of these are running in Task Manager and I could not kill them.

Ran Ad-aware repeatedly and these could not be cleaned.

Also ran Spybot S&D, with not much help.

Ran HijackThis, cleaned some entries and ran it again;
attaching the hijackthis.log from my machine - please help - thanks.


Logfile of HijackThis v1.98.0
Scan saved at 7:26:26 PM, on 7/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
D:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WinNT\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\myCIO\Agent\myagttry.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\ebedttv.exe
C:\WINNT\rpcucwd..exe
D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Apoint\Apntex.exe
D:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINNT\system32\rshlb400.exe
C:\WINNT\system32\occund3d.exe
C:\Program Files\SysAI\SysAI.exe
c:\Program Files\Common Files\WinTools\WToolsA.exe
c:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\RCHIMA~1\LOCALS~1\Temp\HijackThis.exe
C:\WINNT\regedit.exe
C:\WINNT\explorer.exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\My Download Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {738DC819-BA03-40C4-86C6-032D8A75755B} - C:\WINNT\system32\qprbx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - c:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [qprbxc] C:\WINNT\system32\qprbxc.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\rpcucwd..exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\system32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\system32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\system32\he3e3fc4.dll,EnableRunDLL32
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\system32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [vstg3EU] rshlb400.exe
O4 - HKLM\..\Run: [WinTools] c:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with X&ML Spy - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - d:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {25D8D7E0-2A54-4D4D-A55D-C247D83C0A75} (BOSIActiveFormX Control) - http://trackit.deplo...ActiveXGrid.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://vscanasap.cli...in/myCioAgt.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7A39242D-58D7-421D-81EF-BD67FEBDDBB2} (BOSIActiveXMemo Control) - http://trackit.deplo...MemoControl.cab
O16 - DPF: {ABE0CADC-D722-4D73-A845-8948FF858A02} (Audit Object) - http://trackit.deplo...rackitAudit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = deploy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = deploy.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = deploy.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.0.201.dll

#2 mmxx66
The SWI drummer
Retired Staff, 4,412 posts

Posted 29 July 2004 - 08:08 PM

Hello, welcome to SWI.
Print out these instructions so you can read them while you clean your system.

Move HijackThis to its own folder. Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Move HijackThis there. HijackThis makes backups of everything you fix; these backups are saved in the same folder the program is in.


Now close all open windows AND browsers and check these items for HJT to fix (a fair amount of these are likely to be gone because of CWShredder):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: SDWin32 Class - {738DC819-BA03-40C4-86C6-032D8A75755B} - C:\WINNT\system32\qprbx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - c:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [qprbxc] C:\WINNT\system32\qprbxc.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\rpcucwd..exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\system32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\system32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\system32\he3e3fc4.dll,EnableRunDLL32
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\system32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [vstg3EU] rshlb400.exe
O4 - HKLM\..\Run: [WinTools] c:\Program Files\Common Files\WinTools\WToolsA.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Then continue with WinTools:
Please reboot into safe mode - How do I boot into "Safe" mode?

Once in Safe Mode:
Click on the Start Button, Control Panel. Double-click on Administrative Tools then on Services.
Look for a service called Wintools for IE Service. Double-click it to open, then click the Stop button and change the "Startup type" to Disabled.
(If the service is not there, no worries...all the better!)

Next, right-click on the Windows Taskbar and select Task Manager.
In the Processes tab, look for WToolsA.exe, WToolsS.exe and WSup.exe. If any or all of these exist, right-click on each one and select End Process Tree, and answer affirmatively to any confirmation questions.

At this point, you can check the Add/Remove Programs Control Panel. If there is an uninstaller for Wintools, try running it now. I would still recommend proceeding through the rest of this fix even if there is an uninstaller, however.

Now, please open a command prompt (Start button -> Run, type cmd and click "OK"). At the prompt, type
regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" then <ENTER>.
Then type exit to close the command prompt window.

Now, we can proceed to delete these directories, located at:

C:\Program Files\Common Files\WinTools <-- Delete the BOLD directory.
C:\Program Files\Toolbar <-- Delete the BOLD directory.


Delete these files:

C:\WINNT\system32\qprbx.dll
C:\WINNT\system32\qprbxc.exe
C:\WINNT\rpcucwd..exe
C:\WINNT\system32\readdb40.dll
C:\WINNT\system32\iel2cde8.dll
C:\WINNT\system32\he3e3fc4.dll
C:\WINNT\system32\li01f948.dll
C:\WINNT\ebedttv.exe
C:\WINNT\system32\rshlb400.exe
C:\WINNT\system32\occund3d.exe



You may need to show hidden files to delete them. How to show all hidden and system files

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 This will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot into normal mode, enable System Restore, and post a fresh log in this thread so that I can give you further recommendations.

#3 ravichima
New Member, 3 posts

Posted 03 August 2004 - 09:14 PM

Hi mmxx66,

Thanks for the response. I did the steps you recommended - now it's much better, as in I don't see that many pop-ups, but I still see pop-ups once in a while
- so I am attaching the HJT log once again here for your suggestions to clean up any remnants left.

For some reason I think the pop-ups are not coming from the web site I am browsing - it looks like something else is serving those pop-ups.

Thanks again for your help.

-Ravi



Logfile of HijackThis v1.98.0
Scan saved at 10:09:30 PM, on 8/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
D:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WinNT\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\fhatqjoh.exe
D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\WINNT\myCIO\Agent\myAgttry.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\psbcript.exe
C:\WINNT\system32\encptext.exe
C:\Program Files\SysAI\SysAI.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tiyvejexotu] C:\WINNT\system32\fhatqjoh.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINNT\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [vstg3EU] psbcript.exe
O4 - HKLM\..\RunOnce: [TV Media] D:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eB2mROY4j] encptext.exe
O4 - HKCU\..\RunOnce: [TV Media] D:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with X&ML Spy - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - d:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {25D8D7E0-2A54-4D4D-A55D-C247D83C0A75} (BOSIActiveFormX Control) - http://trackit.deplo...ActiveXGrid.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://vscanasap.cli...in/myCioAgt.cab
O16 - DPF: {7A39242D-58D7-421D-81EF-BD67FEBDDBB2} (BOSIActiveXMemo Control) - http://trackit.deplo...MemoControl.cab
O16 - DPF: {ABE0CADC-D722-4D73-A845-8948FF858A02} (Audit Object) - http://trackit.deplo...rackitAudit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = deploy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = deploy.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = deploy.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.0.201.dll

#4 mmxx66
The SWI drummer
Retired Staff, 4,412 posts

Posted 04 August 2004 - 09:22 AM

Not clean yet.

Close all open windows AND browsers and check these items for HJT to fix:
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [tiyvejexotu] C:\WINNT\system32\fhatqjoh.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINNT\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [vstg3EU] psbcript.exe
O4 - HKLM\..\RunOnce: [TV Media] D:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [eB2mROY4j] encptext.exe
O4 - HKCU\..\RunOnce: [TV Media] D:\Program Files\TV Media\Tvm.exe

For TV-Media, you will need to run this Regedit:

Copy the entire contents inside of the QUOTE box into Notepad and hit Enter to add a blank line. Then save as remove.reg (save as type: 'all files') to the desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Go to the Desktop and DoubleClick Remove.reg, hit yes on the prompt to add its contents to the Registry!

Reboot to Safe Mode
How to start the computer in Safe mode


Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Delete these files:
C:\WINNT\system32\fhatqjoh.exe
C:\WINNT\system32\psbcript.exe
C:\WINNT\system32\encptext.exe
Delete this folder:
D:\Program Files\TV Media

Delete the content of these folders:
C:\WINNT\Temp < delete all the files inside this folder
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp < delete all the files inside this folder
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


Finally, do an online scan HERE. Let it remove any infected files found.
Reboot to normal mode, scan again with Hijack This and post a new log here.
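The helper's triage above comes down to reading the O4 autorun lines for value names, paths and missing files that do not belong, then comparing the next log to see what the fix actually removed. As an added example (not from this thread, and not part of HijackThis), here is a small Python parser for HJT-format entry lines that applies those checks as heuristics to constructed sample lines modelled on the logs posted here, plus a before/after comparison; a flag marks a candidate for review, not a verdict, and a legitimate entry can trip one.

```python
import re

# Constructed sample lines in HijackThis v1.98 log format, modelled on entries
# discussed in this thread (a small subset, not either of the full logs posted).
LOG_BEFORE = r"""
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tiyvejexotu] C:\WINNT\system32\fhatqjoh.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [vstg3EU] psbcript.exe
O4 - HKLM\..\RunOnce: [TV Media] D:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [TV Media] D:\Program Files\TV Media\Tvm.exe
"""
# Constructed "after the fix" log: only the entries the helper left alone remain.
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe -cnetwait.odl
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body: hive, Run/RunOnce key, [value name], command line.
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_log(text):
    """Return (kind, body) for every entry line; headers and process lists are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("body")))
    return out

def first_image(cmd):
    """The file an O4 command launches: up to the first .exe/.dll/.com/.bat, quotes stripped."""
    m = re.match(r'^"?(.*?\.(?:exe|dll|com|bat))\b', cmd.strip(), re.I)
    return m.group(1) if m else cmd.strip().split(" ")[0]

def flag_entry(kind, body):
    """Reasons one entry deserves a closer look. Heuristics only: candidates, not verdicts."""
    reasons = []
    if body.endswith("(no file)"):
        reasons.append("registered component whose file no longer exists")
    m = O4_RE.match(body) if kind == "O4" else None
    if not m:
        return reasons
    name, image = m.group("name"), first_image(m.group("cmd"))
    if "\\" not in image:
        reasons.append("bare filename, found by PATH search rather than a full path")
    if re.search(r"\\temp\\", image, re.I):
        reasons.append("autorun launched from a Temp directory")
    stem = re.sub(r"\.[^.]*$", "", image.rsplit("\\", 1)[-1]).lower()
    if re.fullmatch(r"[A-Za-z0-9]+", name) and name.lower() not in stem and stem not in name.lower():
        reasons.append("single-token value name unrelated to the image it launches")
    return reasons

def review(text):
    """Map each flagged entry body to its reasons; also flags a value name that appears
    under more than one autorun key, which per-line checks alone would miss."""
    entries = parse_log(text)
    names = [O4_RE.match(b).group("name") for k, b in entries if k == "O4" and O4_RE.match(b)]
    findings = {}
    for kind, body in entries:
        reasons = flag_entry(kind, body)
        m = O4_RE.match(body) if kind == "O4" else None
        if m and names.count(m.group("name")) > 1:
            reasons.append("same value name registered under more than one autorun key")
        if reasons:
            findings[body] = reasons
    return findings

def removed_entries(before, after):
    """Entries in the first log that are absent from the second: what the fix took out."""
    kept = set(parse_log(after))
    return [body for kind, body in parse_log(before) if (kind, body) not in kept]

if __name__ == "__main__":
    print(review(LOG_BEFORE), removed_entries(LOG_BEFORE, LOG_AFTER))
```

Run against the sample, the only entry still flagged in the after-log is the bare mobsync.exe autorun, which shows why a flag is a prompt to check the file, not a reason to delete it.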

#5 ravichima
New Member, 3 posts

Posted 05 August 2004 - 06:16 PM

Now it's much better - haven't seen any pop-ups after doing those instructions.
Here is my new log.

Thanks for the help.

Logfile of HijackThis v1.98.0
Scan saved at 7:13:39 PM, on 8/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
D:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WinNT\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\WINNT\Explorer.EXE
D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Edit with X&ML Spy - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - d:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - d:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\Netscape\COMMUN~1\Program\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.loksatta....er/tdserver.cab
O16 - DPF: {25D8D7E0-2A54-4D4D-A55D-C247D83C0A75} (BOSIActiveFormX Control) - http://trackit.deplo...ActiveXGrid.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://vscanasap.cli...in/myCioAgt.cab
O16 - DPF: {7A39242D-58D7-421D-81EF-BD67FEBDDBB2} (BOSIActiveXMemo Control) - http://trackit.deplo...MemoControl.cab
O16 - DPF: {ABE0CADC-D722-4D73-A845-8948FF858A02} (Audit Object) - http://trackit.deplo...rackitAudit.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = deploy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Deploy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = deploy.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = deploy.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.0.201.dll

#6 mmxx66
The SWI drummer
Retired Staff, 4,412 posts

Posted 05 August 2004 - 07:53 PM

This item is considered to be a resource hog that is not needed, and it may be worthwhile to fix it with HJT. You will still be able to start it manually if you need it:
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
So how did I get infected in the first place?

Good luck :D
