badly Hijacked



#1 monaman

Posted 10 June 2004 - 11:07 AM

Thank God, I found you all.
You are doing a great job;
maybe you can save me too.

When I came back, the computer was full of worms.
I tried a few things but nothing helped (Ad-aware, CWShredder).
I got your-searcher on my homepage and it keeps coming back.
The browser gets stuck often.

Here is my log file:

Logfile of HijackThis v1.97.7
Scan saved at 17:15:33, on 10/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\ICQLite\ICQLite.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Messenger\msmsgs.exe
D:\windows\dllhelp.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - D:\Documents and Settings\@\Application Data\winyp\winyp32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - D:\Documents and Settings\@\Application Data\winyp\ntlc32.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - D:\Documents and Settings\@\Application Data\winyp\mfcue32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image] rundll32 D:\WINDOWS\sdkqh32.dll,Install
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [dllhelp] d:\windows\dllhelp.exe
O4 - HKCU\..\RunServices: [Image] rundll32 D:\WINDOWS\sdkqh32.dll,Install
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "D:\Program Files\Common Files\submit.exe"
O4 - HKCU\..\RunOnce: [Updater] rundll32 D:\DOCUME~1\@\APPLIC~1\winyp\winyp32.dll,UpdateDll s
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\temp\setup1.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8148.0782638889
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.20...er/dploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{952627D5-94E4-44CB-8127-12934D9504A7}: NameServer = 212.143.212.143 194.90.1.5

#2 Tuxedo Jack

Posted 10 June 2004 - 11:35 AM

Close all programs, tick the following for removal in HJT, and click "Fix Checked":

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - D:\Documents and Settings\@\Application Data\winyp\winyp32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - D:\Documents and Settings\@\Application Data\winyp\ntlc32.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - D:\Documents and Settings\@\Application Data\winyp\mfcue32.dll

O4 - HKLM\..\Run: [Image] rundll32 D:\WINDOWS\sdkqh32.dll,Install
O4 - HKCU\..\Run: [dllhelp] d:\windows\dllhelp.exe
O4 - HKCU\..\RunServices: [Image] rundll32 D:\WINDOWS\sdkqh32.dll,Install
O4 - HKCU\..\RunOnce: [Updater] rundll32 D:\DOCUME~1\@\APPLIC~1\winyp\winyp32.dll,UpdateDll s

O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\temp\setup1.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.20...er/dploader.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp/launcher.cab

Reboot.

Find and delete the following files and folders:

D:\WINDOWS\sdkqh32.dll
D:\Documents and Settings\@\Application Data\winyp\
d:\windows\dllhelp.exe

Scan again with HJT and post the new log in a reply to this thread.
Signature file is under revision. This will be back shortly.

#3 monaman

Posted 10 June 2004 - 12:26 PM

Thanks.
For some reason I couldn't find a few of the lines you told me to fix.
I did all the rest.
Here is my new log:

Logfile of HijackThis v1.97.7
Scan saved at 20:22:32, on 10/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\ICQLite\ICQLite.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8148.0782638889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 Tuxedo Jack

Posted 10 June 2004 - 12:58 PM

Don't worry about the missing lines.

You're clean.

Clear your Temporary Internet Files immediately. To do this, go to the Internet Controls control panel, then click "Delete Files." Tick the checkbox there, then click "OK."

You may wish to look at Mozilla Firefox instead of IE. It has no security holes, doesn't integrate into the Windows shell (which is a bad thing due to the shell's control over the system), doesn't download anything without your approval, and doesn't get hijacked.

It also takes up fewer resources and uses tabs or new windows (tabs save desktop and taskbar space and make closing windows easier). It also comes with a built-in popup blocker as well as the ability to block images from servers (i.e. advertisements) with a right-click.

Firefox is immune to CWS in all its forms. You will _never_ get hijacked by CWS or any of its affiliates ever again if you use Firefox.

There's a link to it in my signature.

IE-SPYAD places over 4,000 known evil sites into the Restricted Sites zone in Internet Explorer so they can't execute ActiveX, Java, or place cookies on your machine. It's a rather nice thing to have. There's a link to it in my signature.

SpywareBlaster can prevent spyware from installing itself on your computer. It does require updating every now and again, but it's rather easy to operate. Just install, run, update, click "Protect," and you're done. Update once every month or so. There's a link in my signature.

Happy computing, and don't forget to use Windows Update once a week!
Signature file is under revision. This will be back shortly.
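The removal list in post #2 and the "you're clean" verdict in post #4 both come down to reading HijackThis entries and comparing two scans. As an added example (not code from the thread or from HijackThis), this parses the `Onn - ...` entry lines, flags loaders living in places a legitimate BHO or autostart rarely uses, and diffs the before/after logs to confirm which entries actually disappeared. The log excerpts are constructed from this thread, and the review heuristics are assumptions modelled on the entries the helper picked out, not a published detection list.

```python
import re

# Constructed excerpts of the two HijackThis logs in this thread (before and after the fix).
LOG_BEFORE = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - D:\Documents and Settings\@\Application Data\winyp\winyp32.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Image] rundll32 D:\WINDOWS\sdkqh32.dll,Install
O4 - HKCU\..\Run: [dllhelp] d:\windows\dllhelp.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\temp\setup1.exe
"""
LOG_AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Assumed review heuristics, modelled on the entries the helper singled out in this thread.
SUSPECT_PATTERNS = [
    r"\\application data\\",            # BHO/Run entry loading from the user profile
    r"\\temp\\|^file://",               # ActiveX (DPF) object fetched from a local temp file
    r"\\windows\\[^\\]+\.(dll|exe)\b",  # loader dropped straight into %windir%
]

def parse_hjt(text):
    """One dict per 'Onn - ...' line; target is the loaded object (last ' - ' field,
    or the command after [name] for O4 autostart entries)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, detail = m.groups()
            target = detail.split("] ", 1)[-1] if section == "O4" else detail.rsplit(" - ", 1)[-1]
            entries.append({"section": section, "detail": detail, "target": target})
    return entries

def flag_suspicious(entries):
    """Entries whose target matches a pattern: candidates for review, not for blind removal."""
    return [e for e in entries if any(re.search(p, e["target"], re.I) for p in SUSPECT_PATTERNS)]

def diff_logs(before, after):
    """(removed, added) entry details between two scans; 'added' catches a hijacker re-installing itself."""
    b = {e["detail"] for e in parse_hjt(before)}
    a = {e["detail"] for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    print("REVIEW:", [e["detail"] for e in flag_suspicious(parse_hjt(LOG_BEFORE))])
    print("removed/added:", diff_logs(LOG_BEFORE, LOG_AFTER))
```

An empty "added" list on the second scan is the check that the fixed entries were not silently re-created on reboot.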

#5 monaman

Posted 10 June 2004 - 02:27 PM

Thanks, man.
You changed my life, and I am not kidding.
Surfing became a pleasure after a long, long time.
