Hijack, affecting Spybot, etc.

#1 Dreamer

Posted 18 June 2004 - 12:15 AM

So despite my careful nature I've managed to get jacked. My about:blank now shows some stupid search page with a popup about spyware. Gee thanks. I went through your instructions for fixing hijacks, but am meeting some problems.

I dutifully ran Ad-Aware, which seemed to find and identify problems including a short list of potential browser hijackers. I elected to fix the problems, however it doesn't seem that it worked. I then downloaded SpywareGuard, SpywareBlaster, and IE-SpyAd from advice from someone I trust about this sort of thing. I also just threw on ZoneAlarm. Too late, I suppose. I'm also going to start using Mozilla, which is probably another too-little-too-late thing.

I installed all three, but problems arose during SpywareGuard. While running an update, it sat there for a while before giving up. Now when I access some programs (even setting my Mouse settings in control panel) and when my computer starts, I get a popup error message about SpywareGuard that says:

'Error Reading SpywareGuard Definitions! The file may be corrupt, or another program may have tampered with them.'

It advises me to run their LiveUpdate, but just starting the program tells me that it's missing definitions. I tried to run SpyBot S&D's update before scanning, but that halted saying 'Error retrieving update info file!' If I try to run a Search, it stops part-way through with a message in the results that says 'Error during check! Datei C:\WINNT\System32\drivers\etc\hosts kann nicht geoffnet werden. The process cannot access the file because it is being used by another process'. That sounds bad.

The noises my comp's making and the system resources that are being mysteriously used by explorer.exe constantly are making me think something's going on in the background that I don't like. I can't identify any active processes that are out of the ordinary.

So now half my anti-spyware is busted, my browser's jacked, and I have no idea how to fix this. My log from running HijackThis is at the bottom of this post. Please, someone help me out.
- Parhaum

Edit: I tried fixing the Search Bar R1 things in HijackThis, but they came back.
Edit: I also found that the listing of C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html contains the search page I've been redirected to. I deleted it, but I'm afraid to restart my computer or anything for fear of it coming back.

Logfile of HijackThis v1.97.7
Scan saved at 1:09:17 AM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gatewaybiz.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F0586DF3-3859-43FC-B08A-661D18A6FD8F} - C:\WINNT\System32\kldjip.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gate...//PCPitStop.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7792.4374421296
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by Dreamer, 18 June 2004 - 12:45 AM.
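An added example (not part of this thread and not HijackThis's own code) that reads lines in the log format shown above and flags the two patterns the post describes: R0/R1 start or search pages set to a file:// URL under a Temp folder, and an O2 BHO with no product name loaded straight from the Windows system directory. The sample lines are constructed from the log above, and the rules are review heuristics, not a verdict on any given DLL.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines in the HijackThis v1.97 log format, with
# paths and CLSIDs taken from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Dreamer\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {F0586DF3-3859-43FC-B08A-661D18A6FD8F} - C:\WINNT\System32\kldjip.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
"""

# R0/R1: "<section> - <registry key>,<value name> = <url>"
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^=]+?) = (?P<url>.+)$")
# O2:    "O2 - BHO: <name> - {<CLSID>} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[a-z]:\\win[^\\]*\\system32\\[^\\]+\.dll$", re.IGNORECASE)


def suspicious_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, detail) for log lines that deserve review.

    Rule 1: a start/search page should be an http(s) URL or about:blank; a
            file:// URL, above all one under a Temp folder, is the sp.html
            hijack pattern from the post.
    Rule 2: an unnamed BHO whose DLL sits directly in the system directory
            is worth checking against a known-good list. Named BHOs and
            unnamed ones under Program Files are left alone by this rule.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            url = m.group("url")
            if url.lower().startswith("file://"):
                reason = "search/start page is a local file"
                if TEMP_DIR.search(url):
                    reason += " in a Temp directory"
                findings.append((m.group(1), reason, m.group("key")))
            continue
        m = O2_LINE.match(line)
        if m and m.group("name") == "(no name)" and SYSTEM_DIR.match(m.group("path")):
            findings.append(("O2", "unnamed BHO loaded from the system directory", m.group("path")))
    return findings


if __name__ == "__main__":
    for section, reason, detail in suspicious_entries(SAMPLE_LOG):
        print(f"{section}: {reason} -> {detail}")
```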

#2 Dreamer

Posted 18 June 2004 - 07:22 AM

Bump... help?

#3 madgeronimo

Posted 18 June 2004 - 10:53 AM

Hi Dreamer:

Read this: http://www.spywarein...p?showtopic=227

And then download the HijackThis software, run a scan and save, and then post your HijackThis log to this forum...

I too have been hijacked. It is ugly out there. It may take several days of picking over your logs and following steps from the people here to get it all out.

May the computer gods help us... This is a pain in the butt....


#4 Dreamer

Posted 18 June 2004 - 11:31 AM

I went through that and some of the other hijack-removal posts. I tried CoolWebShredder, which seems to have found 2 things. I've downloaded the Java JVM and am now using Mozilla, and ran HijackThis to remove the sp.html garbage. I uninstalled SpywareGuard since its error messages were driving me insane. I'm going to try to run the SpyBot update and scan, but I have a feeling it's still not going to function.

Edit: Ran Spybot, no updates found but no errors either. Ran a scan and got rid of Wild Tangent, whatever that is. Other than that, I'm not sure if everything's back to normal, but so far it seems ok. If anyone knows anything I may have missed, please let me know. Thanks.

I also checked and saw that sp.html (the 'Internet Explorer Search' hijacker) is still in my Local Settings/Temp folder, despite me telling HijackThis to fix that. Makes me think I'm not in the clear yet.

Oh and more fun, Notepad.exe now suddenly cannot be found for whatever reason.

Edited by Dreamer, 18 June 2004 - 04:17 PM.
