# Hijack, affecting Spybot, etc.

So despite my careful nature I've managed to get jacked. My about:blank now shows some stupid search page with a popup about spyware. Gee thanks. I went through your instructions for fixing hijacks, but am meeting some problems.

I dutifully ran Ad-Aware, which seemed to find and identify problems including a short list of potential browser hijackers. I elected to fix the problems, however it doesn't seem that it worked. I then downloaded SpywareGuard, SpywareBlaster, and IE-SpyAd from advice from someone I trust about this sort of thing. I also just threw on ZoneAlarm. Too late, I suppose. I'm also going to start using Mozilla, which is probably another too-little-too-late thing.

I installed all three, but problems arose during SpywareGuard. While running an update, it sat there for a while before giving up. Now when I access some programs (even setting my Mouse settings in control panel) and when my computer starts, I get a popup error message about SpywareGuard that says:

'Error Reading SpywareGuard Definitions! The file may be corrupt, or another program may have tampered with them.'

It advises me to run their LiveUpdate, but just starting the program tells me that it's missing definitions. I tried to run SpyBot S&D's update before scanning, but that halted saying 'Error retrieving update info file!' If I try to run a Search, it stops part-way through with a message in the results that says 'Error during check! Datei C:\WINNT\System32\drivers\etc\hosts kann nicht geoffnet werden. The process cannot access the file because it is being used by another process'. That sounds bad.

The noises my comp's making and the system resources that are being mysteriously used by explorer.exe constantly are making me think something's going on in the background that I don't like. I can't identify any active processes that are out of the ordinary.

So now half my anti-spyware is busted, my browser's jacked, and I have no idea how to fix this. My log from running HijackThis is at the bottom of this post. Please, someone help me out.

- Parhaum

Edit: I tried fixing the Search Bar R1 things in HijackThis, but they came back.

Edit: I also found that the listing of C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html contains the search page I've been redirected to. I deleted it, but I'm afraid to restart my computer or anything for fear of it coming back.

```text
Logfile of HijackThis v1.97.7
Scan saved at 1:09:17 AM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
c:\apache\Apache.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\apache\Apache.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\apache\mysql\bin\mysqld-nt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
c:\apache\APACHE.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\GWMDMMSG.exe
c:\apache\APACHE.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gatewaybiz.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {F0586DF3-3859-43FC-B08A-661D18A6FD8F} - C:\WINNT\System32\kldjip.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7792.4374421296
```

Edited by Dreamer
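A small triage script, added here as an example and not part of the original post or of HijackThis itself, that parses R0/R1 and O2 lines in the log format above and flags the two patterns the thread is about: IE search settings redirected to a local file under a Temp folder (the sp.html entries) and a BHO with no name loading from System32. Both checks are heuristics assumed for the demo, not verdicts; the sample lines are copied from the log above.

```python
import re

# Lines taken verbatim from the HijackThis log posted above (a subset, for the demo).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {F0586DF3-3859-43FC-B08A-661D18A6FD8F} - C:\WINNT\System32\kldjip.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# R0/R1 lines: "<section> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?) = (?P<data>.+)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

def is_temp_file_url(data):
    """True when an IE search/start setting points at a local file under a Temp folder."""
    d = data.lower()
    return d.startswith("file://") and ("\\temp\\" in d or "\\locals~1\\" in d)

def triage(log_text):
    """Return (reason, line) pairs for entries worth a closer look. Heuristics only."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            if is_temp_file_url(m.group("data")):
                findings.append(("ie-search-setting-points-to-temp-file", line))
            continue
        m = O2_LINE.match(line)
        if m and m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
            # Unnamed BHO loaded from System32: assumption used here as a triage hint, not proof.
            findings.append(("unnamed-bho-in-system32", line))
    return findings

def redirect_targets(log_text):
    """Unique local files the flagged search settings resolve to (file:// prefix stripped)."""
    targets = {line.split(" = ", 1)[1][len("file://"):]
               for reason, line in triage(log_text)
               if reason == "ie-search-setting-points-to-temp-file"}
    return sorted(targets)

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(reason, "->", line)
    print("files to inspect:", redirect_targets(SAMPLE_LOG))
```

Feed it a whole saved HijackThis log instead of SAMPLE_LOG to get the same two-category summary for a real scan; entries it does not flag still need the usual manual review.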

Bump... help?

Hi Dreamer:

And then download HijackThis software, run a scan and save, and then post your HijackThis log to this forum...

I too have been hijacked. It is ugly out there. It may take several days of picking over your logs and following steps from the people here to get it all out.

May the computer gods help us... This is a pain in the butt....

Best,

Gero

I went through that and some of the other hijack-removal posts. I tried CoolWebShredder, which seems to have found 2 things. I've downloaded the Java JVM and am now using Mozilla, and ran HijackThis to remove the sp.html garbage. I uninstalled SpywareGuard since its error messages were driving me insane. I'm going to try to run the SpyBot update and scan, but I have a feeling it's still not going to function.

Edit: Ran Spybot, no updates found but no errors either. Ran a scan and got rid of Wild Tangent, whatever that is. Other than that, I'm not sure if everything's back to normal, but so far it seems ok. If anyone knows anything I may have missed, please let me know. Thanks.

I also checked and saw that sp.html (the 'Internet Explorer Search' hijacker) is still in my Local Settings/Temp folder, despite me telling HijackThis to fix that. Makes me think I'm not in the clear yet.

Oh and more fun, Notepad.exe now suddenly cannot be found for whatever reason.

Edited by Dreamer