kcates

please help, it keeps coming back...

12 posts in this topic

Hi,

I have browser hijacking spyware that keeps coming back. I have it controlled with Spy Sweeper but can't get rid of it. I also have used HijackThis, Spybot, CWShredder, etc.

Also, I have un-installed MS Java VM, installed Sun Java VM, installed the IE-SPYADS script, etc.

Can anyone help me?

Thanks!

Ken

Edited by kcates

Share this post


Link to post
Share on other sites

Thanks for responding!

Here is the log.

Logfile of HijackThis v1.97.7

Scan saved at 8:21:21 PM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

d:\Program Files\qbooks\online backup\OLRegCap.EXE

D:\Program Files\qbooks\online backup\OLlaunch.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\MsPMSPSv.exe

D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\Program Files\qbooks\online backup\OLSysTray.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Documents and Settings\Ken\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7B423C11-D1C6-435D-99CA-8CEFC8D4B5AE} - D:\WINDOWS\System32\gnemgf.dll (file missing)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [spySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Startup: QuickBooks Onilne Backup TaskBar Icon.LNK = D:\Program Files\qbooks\online backup\OLSysTray.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

Share this post


Link to post
Share on other sites

A few more things...

It writes a .dll file to the windows\system32 directory with a random name. This becomes the BHO.

Often when I start Outlook, I'll get a "virtual memory low" message, which I never got before. That's sometimes a good indication that it has returned.

ClixGalore was in the dangerous sites list, but unfortunately I use that for my online store and need to access it. My impression is that with the other precautions I've taken, it should be okay to access that site.

Ken

Share this post


Link to post
Share on other sites

Hello. Start up Hijack This and tick the boxes next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html

O2 - BHO: (no name) - {7B423C11-D1C6-435D-99CA-8CEFC8D4B5AE} - D:\WINDOWS\System32\gnemgf.dll (file missing)

Then close ALL windows and hit fix.

Go to Start -> Run -> Type in Local Settings

Then double click the Temp Folder. Delete everything there. Keep deleting until you narrow down to the files you can't delete. Remember to have all windows closed when you do this part especially. Now restart your computer and post a new log.

Share this post


Link to post
Share on other sites
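
Added example, not part of any post in this thread: a small Python triage of a HijackThis log that flags the two kinds of entry ticked in the reply above (an R1 setting pointing at a local file in Temp, and a BHO whose DLL is missing or sits unnamed directly in System32) and lists what has appeared since a clean baseline log. The function names and the heuristics are assumptions drawn from the entries in this thread, not HijackThis's own logic.

```python
import re
from ntpath import dirname  # Windows path rules on any OS

# Excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B423C11-D1C6-435D-99CA-8CEFC8D4B5AE} - D:\WINDOWS\System32\gnemgf.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$")
TEMP_FILE_URL = re.compile(r"=\s*file://.*\\temp\\", re.IGNORECASE)

def parse_entries(log):
    """Return (code, body) per 'Xn - ...' line; headers and process paths are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def review(log):
    """Return (code, reason, body) for entries matching the heuristics (assumed, see lead-in)."""
    findings = []
    for code, body in parse_entries(log):
        bho = BHO.match(body) if code == "O2" else None
        if code in ("R0", "R1") and TEMP_FILE_URL.search(body):
            findings.append((code, "IE page setting points at a local file in Temp", body))
        elif bho and bho.group(4):
            findings.append((code, "BHO registered but DLL missing on disk", body))
        elif (bho and bho.group(1) == "(no name)"
              and dirname(bho.group(3)).lower().endswith("\\system32")):
            findings.append((code, "unnamed BHO DLL directly in System32", body))
    return findings

def new_since(baseline_log, current_log):
    """Entries in the current log that were absent from a known-clean baseline log."""
    known = set(parse_entries(baseline_log))
    return [e for e in parse_entries(current_log) if e not in known]

if __name__ == "__main__":
    for code, reason, body in review(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

Saving a log while the machine looks clean and running `new_since` against each later log shows exactly which registry value or BHO reappeared, which is the question when an infection keeps coming back.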

Here is the latest log. It looks clean, but I've been here many times before...

Logfile of HijackThis v1.97.7

Scan saved at 9:14:44 PM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

d:\Program Files\qbooks\online backup\OLRegCap.EXE

D:\Program Files\qbooks\online backup\OLlaunch.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\MsPMSPSv.exe

D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\Program Files\qbooks\online backup\OLSysTray.exe

D:\Documents and Settings\Ken\Desktop\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [spySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Startup: QuickBooks Onilne Backup TaskBar Icon.LNK = D:\Program Files\qbooks\online backup\OLSysTray.exe

O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

Share this post


Link to post
Share on other sites

Tick the box next to this and you're done!

R3 - Default URLSearchHook is missing

Now close all windows and hit fix checked. Reboot. If any problems persist call us? lol :-p

Share this post


Link to post
Share on other sites

Well, it looks good so far... :-)

A couple of things:

1. After rebooting I ran Spy Sweeper and it found CoolWWW and CWS-AboutBlank (which I removed). This has happened many times before while I was trying to get rid of the other thing. Is Spy Sweeper just confused?

2. I loaded SpywareBlaster yesterday from several sites and installed it, but when executed, I get a message saying "this program is corrupted or there is a disk error, reinstall it" or something like that. I loaded it from several sites and the same thing happens. Is this worth pursuing?

THANKS A MILLION FOR YOUR HELP!!!

Ken

Share this post


Link to post
Share on other sites

1) I'm not sure, I've never used Spy Sweeper. Maybe the objects keep coming back. They probably have support forums you may ask on.

2) This is definitely a good tool to pursue. Have you uninstalled it completely? Then try reinstalling.

DuckY :D

Share this post


Link to post
Share on other sites

I can't believe it, but it's back... I went through your instructions again to make sure I followed them to the letter. It looks clean for the moment. Any ideas?

I also un-installed SpywareBlaster and downloaded it again, but I'm still getting this message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." Is it possible that the spyware is fighting for its life? :-)

Share this post


Link to post
Share on other sites