
please help, it keeps coming back...


11 replies to this topic

#1 kcates

kcates

    Member

  • Full Member
  • 20 posts

Posted 24 June 2004 - 07:09 PM

Hi,

I have browser hijacking spyware that keeps coming back. I have it controlled with Spy Sweeper but can't get rid of it. I also have used HijackThis, Spybot, CWShredder, etc.

Also, I have un-installed MS Java VM, installed Sun Java VM, installed the IE-SPYADS script, etc.

Can anyone help me?

Thanks!
Ken

Edited by kcates, 24 June 2004 - 07:12 PM.


#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • 878 posts

Posted 24 June 2004 - 07:11 PM

Can you please post a HijackThis log?
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#3 kcates

Posted 24 June 2004 - 07:23 PM

Thanks for responding!

Here is the log.

Logfile of HijackThis v1.97.7
Scan saved at 8:21:21 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
d:\Program Files\qbooks\online backup\OLRegCap.EXE
D:\Program Files\qbooks\online backup\OLlaunch.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
D:\Program Files\qbooks\online backup\OLSysTray.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Ken\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B423C11-D1C6-435D-99CA-8CEFC8D4B5AE} - D:\WINDOWS\System32\gnemgf.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: QuickBooks Onilne Backup TaskBar Icon.LNK = D:\Program Files\qbooks\online backup\OLSysTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

#4 kcates

Posted 24 June 2004 - 07:50 PM

A few more things...

It writes a .dll file to the windows\system32 directory with a random name. This becomes the BHO.

Often when I start Outlook, I'll get a "virtual memory low" message, which I never got before. That's sometimes a good indication that it has returned.

ClixGalore was in the dangerous sites list, but unfortunately I use that for my online store and need to access it. My impression is that with the other precautions I've taken, it should be okay to access that site.

Ken

#5 RubbeR DuckY

Posted 24 June 2004 - 07:56 PM

Hello. Start up HijackThis and tick the boxes next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html

O2 - BHO: (no name) - {7B423C11-D1C6-435D-99CA-8CEFC8D4B5AE} - D:\WINDOWS\System32\gnemgf.dll (file missing)

Then close ALL windows and hit Fix.

Go to Start -> Run -> type in Local Settings.
Then double-click the Temp folder. Delete everything there. Keep deleting until you narrow down to the files you can't delete. Remember to have all windows closed when you do this part especially. Now restart your computer and post a new log.
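Added example, not from this thread and not HijackThis or Malwarebytes code: a small Python checker that applies the indicators Marcin picks out above (an R0/R1 search or start-page entry redirected to a local file:// HTML page, an unnamed O2 BHO whose DLL sits in System32 or is already reported missing, and a missing default URLSearchHook) to HijackThis log lines and lists the lines to tick. The sample lines are copied from Ken's log earlier in the thread; the regexes, the reason text and the function names flag_hijackthis and lines_to_fix are my own heuristics and assumptions, not HijackThis's logic.

```python
import re
from typing import Dict, List

# Lines copied from the HijackThis log posted earlier in this thread. The
# Acrobat and Norton BHO lines are kept so the benign case is exercised too.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Ken\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B423C11-D1C6-435D-99CA-8CEFC8D4B5AE} - D:\WINDOWS\System32\gnemgf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
"""

# Heuristic patterns (my own assumptions, not HijackThis's detection rules).
LOCAL_PAGE = re.compile(r"=\s*file://", re.IGNORECASE)      # R0/R1 value is a local file URL
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)           # ...and lives in a Temp directory
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
# Short, all-letter DLL name directly under System32: the random-name BHO Ken describes.
SYSTEM32_DLL = re.compile(r"\\WINDOWS\\System32\\(?P<file>[a-z]{4,8}\.dll)\b", re.IGNORECASE)


def flag_hijackthis(text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, reason) for lines matching a hijack indicator."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []

        # R0/R1: start page or search assistant redirected to a local HTML file.
        if line.startswith(("R0 - ", "R1 - ")) and LOCAL_PAGE.search(line):
            where = "in a Temp directory" if TEMP_PATH.search(line) else "on local disk"
            reasons.append(f"IE search/start page points at a file:// HTML page {where}")

        # O2: browser helper objects, the hook the re-created DLL in this thread uses.
        m = BHO_LINE.match(line)
        if m:
            path = m.group("path")
            if path.endswith("(file missing)"):
                reasons.append("BHO registered but its DLL is absent (stale, or re-created on next start)")
            s = SYSTEM32_DLL.search(path)
            if m.group("name") == "(no name)" and s:
                reasons.append(f"unnamed BHO loading {s.group('file')} from System32 (random-name pattern)")

        # R3: the default URLSearchHook has been removed.
        if line.startswith("R3 - ") and "URLSearchHook is missing" in line:
            reasons.append("default URLSearchHook missing; HijackThis can restore it")

        findings.extend({"line": line, "reason": r} for r in reasons)
    return findings


def lines_to_fix(text: str) -> List[str]:
    """Distinct flagged log lines, in log order: the boxes to tick in HijackThis."""
    seen: List[str] = []
    for f in flag_hijackthis(text):
        if f["line"] not in seen:
            seen.append(f["line"])
    return seen


if __name__ == "__main__":
    for f in flag_hijackthis(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

On Ken's log this flags the two R1 lines, the R3 line and the gnemgf.dll BHO (twice: missing file and unnamed System32 DLL), and leaves the Acrobat, Norton and HomeOldSP entries alone. A line that is only "(file missing)" is worth ticking anyway: the registry entry is what makes IE try to load the DLL the next time it is written back.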

#6 kcates

Posted 24 June 2004 - 07:58 PM

and I deleted all my .tmp files...

#7 kcates

Posted 24 June 2004 - 08:18 PM

Here is the latest log. It looks clean, but I've been here many times before...

Logfile of HijackThis v1.97.7
Scan saved at 9:14:44 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
d:\Program Files\qbooks\online backup\OLRegCap.EXE
D:\Program Files\qbooks\online backup\OLlaunch.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
D:\Program Files\qbooks\online backup\OLSysTray.exe
D:\Documents and Settings\Ken\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: QuickBooks Onilne Backup TaskBar Icon.LNK = D:\Program Files\qbooks\online backup\OLSysTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

#8 RubbeR DuckY

Posted 24 June 2004 - 08:22 PM

Tick the box next to this and you're done!

R3 - Default URLSearchHook is missing

Now close all windows and hit Fix checked. Reboot. If any problems persist, call us? lol :-p

#9 kcates

Posted 24 June 2004 - 08:57 PM

Well, it looks good so far... :-)

A couple of things:

1. After rebooting I ran Spy Sweeper and it found CoolWWW and CWS-AboutBlank (which I removed). This has happened many times before while I was trying to get rid of the other thing. Is Spy Sweeper just confused?

2. I loaded SpywareBlaster yesterday from several sites and installed it, but when executed, I get a message saying "this program is corrupted or there is a disk error, reinstall it" or something like that. I loaded it from several sites and the same thing happens. Is this worth pursuing?

THANKS A MILLION FOR YOUR HELP!!!

Ken

#10 RubbeR DuckY

Posted 24 June 2004 - 09:00 PM

1) I'm not sure; I've never used Spy Sweeper. Maybe the objects keep coming back. They probably have support forums you may ask on.

2) This is definitely a good tool to pursue. Have you uninstalled it completely? Then try reinstalling.


DuckY :D

#11 kcates

Posted 24 June 2004 - 09:58 PM

I can't believe it, but it's back... I went through your instructions again to make sure I followed them to the letter. It looks clean for the moment. Any ideas?

I also un-installed SpywareBlaster and downloaded it again, but I'm still getting this message: "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." Is it possible that the spyware is fighting for its life? :-)

#12 RubbeR DuckY

Posted 24 June 2004 - 10:24 PM

Could be. Could also be a virus. Not that I'm saying it is, but it's safe to do this: http://housecall.trendmicro.com/

That's a link to an up-to-date virus scan. Also, keep running About:Buster until there are no more "Removed!" results.



