
About:blank


28 replies to this topic

#1 jimarm (Full Member, 20 posts)

Posted 12 June 2004 - 10:22 AM

By following Microsoft Knowledge Base Article 320159, I went to open regedit, then HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, and changed the Homepage from about:blank to what I wanted, with the EXACT URL. This has lasted at least overnight for the first time.
However, something still has control over my ISP connection and is sending and receiving thousands of bytes per minute to and from some unknown source. Nothing is open but this page, and the problem will continue even if I shut everything down but the ISP connection.
The shotgun blasts of AdAware, Spybot and HijackThis seem to have at least gotten rid of the MSIE.TV popup.
Any ideas on the send and receive problem?
Anyone tried uninstalling and reinstalling the whole Internet Explorer package?
Running Windows XP on a new Gateway (where it is not inconceivable the infection came from).

#2 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 12 June 2004 - 10:42 AM

Can you please download HijackThis from this link and install it into C:\HJT. Run it, click on "Scan", save the log and please post your entire log here for analysis.

Thank you.

#3 jimarm (Full Member, 20 posts)

Posted 12 June 2004 - 07:30 PM

I have HijackThis and have scanned. No clue as to how to post to this forum, although from the thousands here, it must be easy. Thanks. Is there an easier way than going to every page to find a reply?

#4 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 12 June 2004 - 10:27 PM

All you need to do is to run HijackThis and click on "Scan". After it has run, "Scan" will change to "Save Log". Click on it, accept the location etc. and simply click on "Save". From there, Notepad will open with the log in it. Click on "Edit" => "Select All" => "Edit" => "Copy". Then, in this message, click on "Add Reply", right click on an empty spot of the message window and select "Paste" from the drop-down menu. This will paste the contents of your log into a reply.

From there I can review what is happening and give you instructions on how to proceed.

#5 jimarm (Full Member, 20 posts)

Posted 13 June 2004 - 10:20 AM

PGPhantom: Here 'tis. Thanks for your help.

Logfile of HijackThis v1.97.7
Scan saved at 8:16:33 AM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\tnmng.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\slrundll.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F1EA0F0B-48B5-4779-974F-924FAF4A6284} - C:\WINNT\System32\pmh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mswspl] C:\WINNT\tnmng.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7251FCA5-0025-4639-BDAA-0A7817E70042}: NameServer = 66.81.7.158 66.81.0.252

#6 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 13 June 2004 - 11:03 AM

Please create a new directory C:\HJT and move the HijackThis.exe file into that directory and only run it from there. That way we can ensure that we have the backup files available in the event that they are needed.

How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {F1EA0F0B-48B5-4779-974F-924FAF4A6284} - C:\WINNT\System32\pmh.dll
O4 - HKLM\..\Run: [mswspl] C:\WINNT\tnmng.exe

Please reboot into safe mode - How do I boot into "Safe" mode?

The following FILES, DIRECTORIES and DIRECTORY CONTENTS (but not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any Explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc. listed are not present - do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - to search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
  • DIRECTORY CONTENTS (But not the directory)
    • C:\Windows\Temp\
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Empty your "Recycle Bin"
  • DIRECTORIES
    • Nothing Yet
  • FILES
    • C:\WINNT\System32\pmh.dll
    • C:\WINNT\tnmng.exe
Reboot again and log in normally, repost a new HijackThis log into this message for further review.

#7 jimarm (Full Member, 20 posts)

Posted 13 June 2004 - 05:28 PM

Followed your good instructions as best I could. Used AdAware for CoolSearch removal (as usual 3 entries); found "...tnmng.exe3B69A8AA" (deleted) and just plain old tnmng (not deleted) as well as other references to AdAware and PCHealth, probably where they tried to help. I have spent (wasted?) more time fooling with this computer in 3 months than my old one in 6 years. I appreciate your efforts very much. Have to admit I tried "History" to find this post again: gone with Temp Internet Files. Is there an easier way to follow the thread than searching my name for past posts? Should I go back to regedit to change my home page again? That worked for two whole days. Awaiting further instructions.
Just checked my ISP status and for now it is not running away as usual.


Logfile of HijackThis v1.97.7
Scan saved at 3:14:09 PM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

#8 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 13 June 2004 - 06:29 PM

To follow the thread - At the top of the page towards the left is "My controls" - You can link to all your topics from there. Read this post for additional information.

Your log is looking clean now :)

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#9 jimarm (Full Member, 20 posts)

Posted 15 June 2004 - 11:05 AM

Thanks again for your help. Things seem to be running more smoothly. I did get my standard 3 CoolWeb hits on AdAware this morning, but Spybot was OK. All the R1 lines you told me to delete in HijackThis were back, so I deleted them again. I guess I'll have to take the time to download SpywareBlaster or the other one (I have a slow modem). The addy is a little off, but no problem.

#10 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 15 June 2004 - 11:36 AM

My pleasure :) If you have any more problems - You know where to visit :D

#11 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 15 June 2004 - 11:37 AM

Also - Thanks for the note on the address - Missed that completely.

#12 jimarm (Full Member, 20 posts)

Posted 16 June 2004 - 10:53 AM

My worst problem, the runaway ISP activity, seems to be mostly gone, but not entirely; when it behaves, my browser is pleasantly quicker. I installed SpywareBlaster yesterday and had it running (if it is automatic), but it never picked anything up. At logon this AM, I had all the R1's back in HJT, 3 CoolWS + "Trading Co" on AdAware, a CoolWS.searchx on CoolWebShredder that AdAware missed, and a clean Spybot. So I still need to do some things, I guess.
How much "bytes out and bytes in" activity on the ISP status box is normal when all pages are "done"? I think I can live with home page hijacks if ISP activity is normal. Popups, such as Msie.tv, are gone, as is the unasked-for "Connect to the Internet" box that used to come up at boot; if I had had "connect automatically" enabled, I would have been connecting continually. Ideas appreciated when you get a chance.

#13 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 16 June 2004 - 11:37 AM

I am surprised that you are not running any kind of firewall. Check my signature for a link to ZoneAlarm, which is a free firewall. Give it a try and let me know if the activity is reduced.

#14 jimarm (Full Member, 20 posts)

Posted 20 June 2004 - 11:17 AM

PGPhantom: I downloaded the ZoneAlarm firewall you recommended. It catches an attempted intrusion about every 10 minutes when I am online. The good news is that my runaway ISP connection seems to have really settled down!
I think that all the downloads I have had to make in addressing my spyware problems have filled up the memory of my new computer and now I need another one; just kidding.
Still a little concerned about all the R1's you said to fix in HijackThis returning every bootup. I fix 'em every time, but would like to see them gone, if they should be. I didn't run CWShredder this morning, but it has been catching 3 every time as well.

#15 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 20 June 2004 - 11:48 AM

Can you post a new log with those R1 entries - Maybe they are the new CWS infection, if so, I can give you a procedure to clear them up, once and for all ...

#16 jimarm (Full Member, 20 posts)

Posted 21 June 2004 - 10:00 AM

PGPhantom: This is this morning's HJT log. The R1 entries look like the ones I sent before. Looking forward to your invaluable input as always. Welcome to Summer. Jim

Logfile of HijackThis v1.97.7
Scan saved at 7:55:34 AM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\slrundll.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {50C9F7C8-F55A-4BF5-9A28-EF1C98CA3CA7} - C:\WINNT\System32\aancee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

#17 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 21 June 2004 - 10:29 AM

  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {50C9F7C8-F55A-4BF5-9A28-EF1C98CA3CA7} - C:\WINNT\System32\aancee.dll
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following FILES, DIRECTORIES and DIRECTORY CONTENTS (but not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any Explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc. listed are not present - do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - to search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    • DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    • DIRECTORIES
      • Nothing Yet
    • FILES
      • C:\WINNT\System32\aancee.dll
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.


#18 Wulfespirit (New Member, 2 posts)

Posted 21 June 2004 - 11:47 AM

I have the same issue, Phantom. The solution you've posted works temporarily. But the same issue (random DLL created & start page changed to about:blank) appears back within 1-4 hours. I'm at a loss on this one. :(

The subsequent HT log after the last reboot will look clean right up until reinfection.

Edited by Wulfespirit, 21 June 2004 - 11:50 AM.


#19 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 21 June 2004 - 11:57 AM

Wulfespirit - Please start your own request, as trying to support multiple people in the same request gets far too confusing for everyone concerned.

Thank you.

#20 Wulfespirit (New Member, 2 posts)

Posted 21 June 2004 - 12:11 PM

My apologies, Phantom. I didn't want to open an essentially duplicate thread. If this one gets solved then I'm confident my problem will be too.

#21 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 21 June 2004 - 12:19 PM

Although I agree with you to an extent, the issue is that everyone's system is different. Even for this hijack, the .exe files, the DLLs etc. are all different on every computer, and if you delete the wrong file ... goodbye system. I would rather exercise on the side of caution when dealing with these kinds of problems.

#22 jimarm (Full Member, 20 posts)

Posted 22 June 2004 - 10:25 AM

PGPhantom: I will follow your last instructions at the end of this online session.
They are quite similar to the ones from June 13, which did result in a little, albeit temporary, improvement. Then the WINNT System32 file was "pmh"; yesterday it was "aancee" and today it is "kpfida". Should I delete whatever System32 is showing? I cleared all the R's yesterday afternoon and they were all back this morning, without an internet connection in between. Also, what is the advantage of safe mode deletion? Last, my new ZoneAlarm is one busy fellow, having blocked 5 or 6 attempts in the past 10 minutes. Would an update to the next level and the ability to trace the sources be worth the money? Thanks again for your help.

#23 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 22 June 2004 - 10:50 AM

Please post a new log. The firewall activity is because of the .exe files on your system trying to reconnect.

#24 jimarm (Full Member, 20 posts)

Posted 22 June 2004 - 11:10 AM

Here is the new log. I'll come back in a few hours to see your instructions.


Logfile of HijackThis v1.97.7
Scan saved at 9:04:37 AM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\slrundll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {982EBF06-CC56-4531-B063-C702DB270CEF} - C:\WINNT\System32\kpfida.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7251FCA5-0025-4639-BDAA-0A7817E70042}: NameServer = 66.81.7.158 66.81.0.252

#25 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 22 June 2004 - 12:14 PM

  • How do I boot into "Safe" mode?
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked" (NOTE: This is done while in safe mode):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {982EBF06-CC56-4531-B063-C702DB270CEF} - C:\WINNT\System32\kpfida.dll
  • The following is a recommended maintenance regime for Windows XP:
    • Please reboot into safe mode - How do I boot into "Safe" mode?
    • The following DIRECTORY CONTENTS (but not the directory), DIRECTORIES and FILES need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any Explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders", then respond "Yes" when prompted and click on "OK" to apply the change. If the files etc. listed are not present - do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - to search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
      • DIRECTORY CONTENTS (But not the directory)
        • %windir%\prefetch\
        • %windir%\Temp\
        • %temp%\
        • %userprofile%\Local Settings\Temp\
        • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
        • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • DIRECTORIES
        • Nothing Yet
      • FILES
        • Nothing Yet
    • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
    • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.
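A way to triage these logs automatically, added here as an example that is not part of this thread or of HijackThis itself: a small Python parser that reads the R0/R1/O2 lines of the kind quoted in the procedure above, flags the about:blank pattern this thread deals with (search keys redirected to file://...\Temp\sp.html, HomeOldSP = about:blank, and an unnamed O2 BHO loading a DLL out of System32), and diffs two logs so a renamed DLL between scans stands out. The two log excerpts are constructed from entries posted in this thread; the matching rules are my own heuristics, and anything they flag still needs a human to review it before deletion.

```python
import re
from dataclasses import dataclass

# One HijackThis entry looks like "R1 - <body>" or "O2 - <body>"; header and process lines are skipped.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # section code, e.g. "R1", "O2", "O4"
    body: str   # everything after "R1 - "


def parse_hjt(log: str) -> list[Entry]:
    """Extract the R*/O* entries from a HijackThis log; the process list and headers are ignored."""
    entries = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


# Heuristics (my own) for the CWS "about:blank" variant as it shows up in this thread.
SP_HTML = re.compile(r"=\s*file://.*\\Temp\\sp\.html$", re.IGNORECASE)
HOME_OLD_SP = re.compile(r"HomeOldSP\s*=\s*about:blank$", re.IGNORECASE)
UNNAMED_SYS32_BHO = re.compile(
    r"^BHO: \(no name\) - \{[0-9A-F-]{36}\} - "
    r"[A-Z]:\\WIN(?:NT|DOWS)\\System32\\(?P<file>[^\\]+\.dll)$",
    re.IGNORECASE,
)


def flag_cws(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) for each entry matching the hijack pattern.
    An unnamed BHO in System32 is only suspicious, not proof: review it before deleting."""
    flagged = []
    for e in entries:
        if e.kind in ("R0", "R1") and SP_HTML.search(e.body):
            flagged.append((e, "search key redirected to Temp\\sp.html"))
        elif e.kind == "R1" and HOME_OLD_SP.search(e.body):
            flagged.append((e, "HomeOldSP set to about:blank"))
        elif e.kind == "O2" and (m := UNNAMED_SYS32_BHO.match(e.body)):
            flagged.append((e, f"unnamed BHO loading {m.group('file')} from System32"))
    return flagged


def diff_logs(old: str, new: str) -> tuple[set[str], set[str]]:
    """Entries present only in the old log and only in the new one (order-insensitive)."""
    a = {f"{e.kind} - {e.body}" for e in parse_hjt(old)}
    b = {f"{e.kind} - {e.body}" for e in parse_hjt(new)}
    return a - b, b - a


# Constructed excerpts: entries taken from the 21 and 22 June logs in this thread,
# trimmed to the lines that matter (most of the header and process list is left out).
LOG_JUNE_21 = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {50C9F7C8-F55A-4BF5-9A28-EF1C98CA3CA7} - C:\WINNT\System32\aancee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

# Next day's log differs only in the BHO: same pattern, new CLSID, new random file name.
LOG_JUNE_22 = LOG_JUNE_21.replace(
    "{50C9F7C8-F55A-4BF5-9A28-EF1C98CA3CA7} - C:\\WINNT\\System32\\aancee.dll",
    "{982EBF06-CC56-4531-B063-C702DB270CEF} - C:\\WINNT\\System32\\kpfida.dll",
)

if __name__ == "__main__":
    for name, log in (("21 June", LOG_JUNE_21), ("22 June", LOG_JUNE_22)):
        print(f"--- {name}")
        for entry, reason in flag_cws(parse_hjt(log)):
            print(f"{entry.kind} - {entry.body}\n    -> {reason}")
    gone, arrived = diff_logs(LOG_JUNE_21, LOG_JUNE_22)
    print("--- removed since last scan:", *gone, sep="\n")
    print("--- new since last scan:", *arrived, sep="\n")
```

The Spybot SDHelper.dll and NAV Helper BHOs are deliberately left unflagged: the heuristic keys on an unnamed BHO under System32, which is what changed between every scan in this thread.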


#26 jimarm (Full Member, 20 posts)

Posted 24 June 2004 - 03:47 PM

One more HJT log for PGPhantom. I could not find the exact "prefetch" line. Things have been working better. ZoneAlarm has stopped getting so many hits; they seem to have been coming from outside, not inside, my computer, with sources enumerated. I think I may be on top of this, thanks to your help. It seems that a lot of the problem can be avoided by starting an internet session with email and then clicking on any link to get on the net. Looking forward to your next missive.

Logfile of HijackThis v1.97.7
Scan saved at 1:37:12 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\slrundll.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7251FCA5-0025-4639-BDAA-0A7817E70042}: NameServer = 66.81.7.158 66.81.0.252
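
The log above is read by eye in this thread; as an added example (not code from the forum or from HijackThis itself), here is a small Python parser for HJT entries of the kinds shown, with a review pass that lists the items a helper would check first. The O2, O4, O16 and O17 sample lines are taken from the posted log; the R0 line is constructed to show the about:blank Start Page symptom the thread is about.

```python
import re
# Constructed sample in HijackThis 1.97 format: the O2, O4, O16 and O17 lines are modelled on
# the log posted in this thread; the R0 line is the about:blank Start Page the thread is about.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7251FCA5-0025-4639-BDAA-0A7817E70042}: NameServer = 66.81.7.158 66.81.0.252
"""

GUID = r"\{[0-9A-Fa-f-]+\}"
R_LINE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+) = (?P<data>.*)$")
PATTERNS = {
    "R0": R_LINE,
    "R1": R_LINE,
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<data>.*)$"),
    "O3": re.compile(r"^Toolbar: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<data>.*)$"),
    "O4": re.compile(r"^(?P<name>HK\w+\\\.\.\\Run: \[[^\]]+\]) (?P<data>.*)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>" + GUID + r") \((?P<name>[^)]+)\) - (?P<data>.*)$"),
    "O17": re.compile(r"^(?P<name>.*): NameServer = (?P<data>.*)$"),
}

def parse_hjt(text):
    """Turn HJT log lines into dicts with 'kind', 'name', 'data' (and 'clsid' where present)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$", line.strip())
        if not m:
            continue                       # process list, headers and blank lines are skipped
        kind, rest = m.group("kind"), m.group("rest")
        g = PATTERNS[kind].match(rest) if kind in PATTERNS else None
        entry = {"kind": kind, "name": "", "data": rest}   # unparsed kinds keep the raw text
        if g:
            entry.update({k: v.strip() for k, v in g.groupdict().items() if k != "key"})
        entries.append(entry)
    return entries

def review(entries):
    """Return (entry, note) pairs worth a second look; none of these is a malware verdict."""
    notes = []
    for e in entries:
        if e["kind"] in ("R0", "R1") and e["data"].lower() == "about:blank":
            notes.append((e, "IE %s is about:blank, the symptom this thread is about" % e["name"]))
        elif e["kind"] == "O16" and not e["data"].lower().startswith(("http://", "https://")):
            notes.append((e, "ActiveX package from a non-web source; confirm it is the OEM's"))
        elif e["kind"] == "O17":
            notes.append((e, "DNS servers %s; confirm they belong to your ISP" % e["data"]))
    return notes
```

Run `review(parse_hjt(open("hijackthis.log").read()))` on a real log to get the short list; the O2 and O4 entries from this thread (Norton, ZoneAlarm) parse but are not flagged.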

#27 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 24 June 2004 - 03:57 PM

Your log looks about as clear as they can get :)

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#28 jimarm

    Member

  • Full Member
  • 20 posts

Posted 25 June 2004 - 11:54 AM

PGPhantom: I already have SpywareBlaster (it catches something every once in a while), SpyBot and AdAware. When I logged in this morning, HJT showed the clear log and, amazingly, the default homepage I set yesterday afternoon; I checked this on "settings" on my connection box. After reading my email, I checked again and it had gone back to "about:blank." SOB!! I also just ran HJT again and got all the old R1's, the R0 and the System 32 this time was hjb.dll. So no real progress.
I am beginning to think Yahoo may be responsible for this infection. While I was reading my email, I looked at several yahoo group posts and got a yahoo cookie request on each of them. That was the only activity I can see that could have changed my home page setting. I also reset the default homepage 5 minutes ago and it is again back to about:blank.
I see this problem again and again in posts from other members, with many different approaches trying for fixes. I don't think I've seen any posts saying "Hooray, it's finally gone."
Someone has to find out the source of this problem. Safebooting, deletion of files etc. on a daily basis can't be the answer.
Sorry to sound so discouraged, but this is a bear. At least ZoneAlarm or something else I've seems to keep my ISP activity under control.

#29 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 25 June 2004 - 12:00 PM

Did you load SpywareGuard? That works in preventing changes. Do you have a firewall?

Suggestions I give to XP users:

The following is a recommended maintenance regime for Windows XP:
  • The following DIRECTORY CONTENTS (But not the directory), need to be regularly emptied. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change.
    • %windir%\prefetch\
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
  • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • Back-Up your files. You can use Windows backup which must be installed from the XP CD <cd-Drive>\valuadd\msft\ntbackup. Be sure to back up the following:
    • Office documents
    • Email data - Messages and address book
    • Game saves.
    • Digital photos and other artwork.
    • Movies that you have created or edited.
    • MP3s and other music files.
    • Browser favorites and bookmarks.
    • Downloaded files/programs.
    • Passwords, security codes etc. for anything that is password protected, like Quicken.
    • Activation codes for applications downloaded and registered.
  • Do not go without an anti-virus program. Free ones include:
  • Be sure to run a periodic Trojan Scan with any of the following programs:
  • Use a Firewall such as ZoneAlarm
  • Regularly scan for adware and spyware using the following programs:
  • Defragment your system. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Defragmenter".
  • Update your system. Go to Microsoft Windows Update and download all critical updates for your system.
  • Cleanup Your Disk. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Cleanup".
  • Clear your icon cache. Delete the following file: %userprofile%\Local Settings\Application Data\IconCache.db. Reboot.
  • As bad as it may sound - Once a year reinstall your O/S from scratch - i.e. Reformat your hard drive but be 100% certain that you have backed everything up as listed above.
