Jump to content


Photo

help


  • Please log in to reply
4 replies to this topic

#1 johnnywel

johnnywel

    Member

  • New Member
  • Pip
  • 3 posts

Posted 08 June 2004 - 09:20 PM

I have read and tried all of the suggestions to remove the browser hijackers. I have run a search with spy bot and with CW Shredder. I tried to download Ad-aware but the hijacker seems to not let the download occur. I have run HiJack this and this is the report that it gave.
If you could take a look at this, I would be greatly appreciative.

Logfile of HijackThis v1.97.7
Scan saved at 7:36:47 PM, on 6/8/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\WINNT\system32\wind.exe
C:\WINNT\runwin32.exe
C:\WINNT\wininet32.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
O4 - HKCU\..\Run: [wind.exe] C:\WINNT\system32\wind.exe
O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 Charybdis

Charybdis

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 08 June 2004 - 09:45 PM

Hello johnny

Looks like you have a combined virus/spyware problem

These processes are either viral or a variant of cool web search so they need to go


O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
O4 - HKCU\..\Run: [wind.exe] C:\WINNT\system32\wind.exe
O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe

and i would also remove these as well
restart your computer afterwards and then see if you can download adaware
http://www.lavasoft....pport/download/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

Edited by Charybdis, 08 June 2004 - 09:55 PM.


#3 johnnywel

johnnywel

    Member

  • New Member
  • Pip
  • 3 posts

Posted 08 June 2004 - 10:27 PM

Hi Charybdis,
I was able to download Ad Aware and it pulled up about 25 problems. Transponder data miner, tracking cookies, and coolWebSearch. The interesting thing is that the cool websearch stuff seems to be attached to a bunch of the my favorites. I'm assuming that I should delete these particular favorites.
Also, when I run CW shredder it says that "All not present" for known trojans but it cleans up or "restores" 8 items in the Internet Explorer Pages.
I will delet all of the things that Ad Aware brought up. Should I then send you a new list from the HiJack this? Thanks for you help and I am going to see if everything appears to be ok.
-Johnny

#4 Charybdis

Charybdis

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 08 June 2004 - 10:29 PM

Delete everything adaware found, did you update adaware before running it, also i forgot to mention to tell you to open adaware, click start then customize then tick scan my hosts and my favourites.

note, cwshredder will only remove cool web search, you need another antivirus program to remove the others

try
http://www.bitdefend...can/licence.php

sorry gotta go be back in about 2 hrs

Edited by Charybdis, 08 June 2004 - 10:44 PM.


#5 johnnywel

johnnywel

    Member

  • New Member
  • Pip
  • 3 posts

Posted 08 June 2004 - 11:01 PM

Hi Charybdis,
It looks like everything is ok. I'll check and let you know if this pops up again. I really appreciate your help and think that this solved everything.
John




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button