please help


41 replies to this topic

#1 antazn99
  • Members
  • 50 posts

Posted 15 March 2005 - 02:39 AM

This is my first time here, but I was having some problems with spyware, primarily that of a hijacker. For certain sites, like Yahoo, when I first type and enter it into the address bar, it loads for a second and then jumps to a blank screen. It also happens to some other sites as well. I switched my browser to "Crazy Browser" but it did little to help. Here is my log, so if any of you could review it and tell me what to fix or how to fix my problem, I'd really appreciate it.


Logfile of HijackThis v1.99.1
Scan saved at 6:16:49 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\WINDOWS\System32\mshta.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\LeechGet 2004\LeechGet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://0ml.net/searchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0ml.net/searchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - (no file)
O2 - BHO: (no name) - {D265AC6F-F363-47ED-A206-75DF5C55A256} - C:\WINDOWS\madopew.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\system32\r1tq3hckyo.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetfih\services.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O4 - Global Startup: Microsoft Office.hta
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: RealAudio.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: The Simple Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\r1tq3hckyo.dll
O9 - Extra 'Tools' menuitem: The Simple Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\r1tq3hckyo.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O18 - Filter: text/html - {7B313101-35A8-47FB-9467-7222C64A2C30} - C:\WINDOWS\madopew.dll
O18 - Filter: text/plain - {7B313101-35A8-47FB-9467-7222C64A2C30} - C:\WINDOWS\madopew.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Yeah, I know it's a lot, and I really appreciate anyone who can help me fix my computer.


#2 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 15 March 2005 - 10:17 PM

I am reviewing your log, and will post back shortly.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 15 March 2005 - 11:46 PM

Hello Antazn99,

You have a CWS infection on your computer. We will soon have it removed. :thumbsup:

spydoctor is on the list of Rogue/Suspect spyware removers at
http://www.spywarewarrior.com/rogue_anti-spyware.htm
I recommend you remove it. If you want a spyware remover, then use both Spybot 1.3 and Adaware SE (both are free).

******************************************************

Go to Add/Remove Programs through Control Panel. Uninstall the following if they exist:
Spydoctor
Window Search
Win Tools
IEtools
IESearch
Windows Assistant
WindowsSA
Search Assistant
Windows Search Assistant


When uninstalling you will be prompted to insert a security code. Please do so and reboot when done.

If you do not see these programs in your Add/Remove programs then download and run both of these uninstallers:
http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe

******************************************************
Download the latest version of Adaware SE here:
http://www.lavasoft.de/support/download/
Install it, but don't run it yet.
Click on the globe in the upper right hand corner to get the latest updates.

******************************************************

Please download the CWShredder 2.1 (Standalone version).
http://www.intermute.com/spysubtract/cwshr...r_download.html
(don't run it yet we will get to that in a minute)

******************************************************


Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(don't run it yet we will get to that in a minute)


******************************************************
Press CTRL+SHIFT+ESC , click on the Processes tab, right click the process to be killed and select End Task or End Process.
Search for C:\WINDOWS\ALCXMNTR.EXE and C:\Program Files\Spyware Doctor\spydoctor.exe and End Task.

******************************************************

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - (no file)
O2 - BHO: (no name) - {D265AC6F-F363-47ED-A206-75DF5C55A256} - C:\WINDOWS\madopew.dll (file missing)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\system32\r1tq3hckyo.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetfih\services.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Global Startup: Microsoft Office.hta
O4 - Global Startup: RealAudio.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: The Simple Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\r1tq3hckyo.dll
O9 - Extra 'Tools' menuitem: The Simple Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\r1tq3hckyo.dll
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O18 - Filter: text/html - {7B313101-35A8-47FB-9467-7222C64A2C30} - C:\WINDOWS\madopew.dll
O18 - Filter: text/plain - {7B313101-35A8-47FB-9467-7222C64A2C30} - C:\WINDOWS\madopew.dll


Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders:

C:\WINDOWS\madopew.dll <==file
C:\WINDOWS\system32\r1tq3hckyo.dll <==file
C:\WINDOWS\inetfih <==folder
C:\WINDOWS\ALCXMNTR.EXE <==file
C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll <==file
C:\PROGRA~1\COMMON~1\WinTools\ <==folder
Microsoft Office.hta <==file You will have to search for this file.
RealAudio.exe <==file You will have to search for this file.
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe <==file




******************************************************

Now, start APM.
In the upper window select explorer.exe

In the current log it is this file but it may have changed names.
It is currently:

C:\WINDOWS\madopew.dll <--This file name

Select Unload DLL, and click OK on the prompts that follow.

******************************************************

Boot into SAFE MODE by tapping the f8 key during boot up.

Run the CWShredder. Let it fix everything it finds.

Scan with AdAware SE to automatically remove the txt and html protocol associations and to clean up the remnants of the hijack.

Run Adaware SE with the following settings:


Configure Ad-aware

Click on the Gear-shaped icon at the top to open the Settings window.

All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.

General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)


Scanning Settings

Scan Within Archives

Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.

Scan Active Processes

Scan Registry

Deep Scan Registry

Scan my IE favorites for banned URLs

Scan my Hosts file

Advanced Settings - Enable all four options under 'Log-file Detail level'

Tweak Settings

Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'

Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'

Click Proceed

Click on the 'Start' button in the lower right.

Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.

Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.

Close Ad-aware


If Ad-Aware SE needs to reboot to finish cleaning, please let it.

******************************************************

Please run the following online scan and let it fix everything it finds:
TrendMicro http://housecall.trendmicro.com/housecall/start_corp.asp

******************************************************


Reboot and post a new Hijackthis log.

Edited by SifuMike, 15 March 2005 - 11:50 PM.

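As an added example that is not part of this thread or of HijackThis itself, the script below applies the kind of reasoning SifuMike uses above to a HijackThis 1.99 log: R0/R1 search keys pointing at file:// or res:// paths or into Temp, search-related keys forced to about:blank, O2 BHOs with no file on disk, O4 autostarts that run rundll32 on a Temp DLL or run a system-binary name such as services.exe from a non-system folder, and O18 text/html and text/plain filters. It then groups the hits by the file they reference, which is the step that shows why a DLL like madopew.dll has to be unloaded and deleted rather than only having its registry lines fixed. The rule set, the function names and the sample log (assembled from lines quoted in this thread plus two known-good lines) are my own.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.99 format. The entries are lifted from the
# logs quoted in this thread, plus two known-good lines (ZoneAlarm, Spybot's
# SDHelper) that the rules must NOT flag.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D265AC6F-F363-47ED-A206-75DF5C55A256} - C:\WINDOWS\madopew.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetfih\services.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O18 - Filter: text/html - {7B313101-35A8-47FB-9467-7222C64A2C30} - C:\WINDOWS\madopew.dll
O18 - Filter: text/plain - {7B313101-35A8-47FB-9467-7222C64A2C30} - C:\WINDOWS\madopew.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\(LOCALS~1\\)?Temp\\", re.IGNORECASE)
WINROOT_DLL_RE = re.compile(r"c:\\windows\\[^\\\s]+\.dll", re.IGNORECASE)
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s",]+')
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
# Core Windows binary names that malware borrows; the real ones live in the
# system directory, so the same name anywhere else deserves a look.
MIMIC_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe", "csrss.exe"}


def first_path(text):
    """Return the first drive-letter path in an entry (quoted paths may contain spaces)."""
    m = QUOTED_PATH_RE.search(text)
    if m:
        return m.group(1)
    m = BARE_PATH_RE.search(text)
    return m.group(0) if m else None


def classify(line):
    """Return a reason string if the entry matches a browser-hijack pattern, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    typ, body = m.group("type"), m.group("body")
    low = body.lower()
    if typ in ("R0", "R1"):
        if "= file://" in low or "= res://" in low:
            return "IE search/start page points at a local file rather than a web URL"
        if TEMP_RE.search(body):
            return "IE setting references a file under a Temp directory"
        if low.endswith("= about:blank") and any(k in low for k in ("search", "homeoldsp", "_bak")):
            return "search-related key forced to about:blank (about:blank hijack)"
    elif typ in ("F0", "F1", "F2", "F3"):
        return "legacy win.ini/system.ini autostart, rarely used by legitimate software"
    elif typ == "O2":
        if "(no file)" in low or "(file missing)" in low:
            return "BHO registered for a DLL that is not on disk (orphan or self-hiding component)"
        if TEMP_RE.search(body) or WINROOT_DLL_RE.search(body):
            return "BHO loaded from Temp or straight from C:\\WINDOWS"
    elif typ == "O4":
        if "rundll32" in low and TEMP_RE.search(body):
            return "autostart loads a DLL from Temp via rundll32"
        path = first_path(body)
        if path:
            name = path.rsplit("\\", 1)[-1].lower()
            if name in MIMIC_NAMES and not path.lower().startswith(SYSTEM_DIRS):
                return "autostart runs a Windows-system binary name from a non-system directory"
    elif typ == "O18":
        if low.startswith("filter: text/html") or low.startswith("filter: text/plain"):
            return "MIME filter on text/html or text/plain: every page IE renders passes through this DLL"
        if "(no file)" in low:
            return "protocol handler registered with no backing file"
    return None


def triage(log_text):
    """Scan a whole HijackThis log; return (entry, reason) pairs for suspect lines."""
    findings = []
    for ln in log_text.splitlines():
        reason = classify(ln)
        if reason:
            findings.append((ln.strip(), reason))
    return findings


def artifacts(findings):
    """Group flagged entries by the file they name. One DLL appearing as an O2 BHO and
    as O18 filters is one component; fix the lines without unloading it and it rewrites them."""
    by_file = defaultdict(list)
    for entry, _ in findings:
        path = first_path(entry)
        if path:
            by_file[path.lower()].append(entry)
    return dict(by_file)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for entry, reason in found:
        print(f"[!] {reason}\n    {entry}")
    print("\nFiles to unload/delete, with the number of entries that reference each:")
    for path, entries in artifacts(found).items():
        print(f"  {path}  ({len(entries)} entries)")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; the grouping from `artifacts()` is the list to take to the Unload DLL step in APM, since every path there is referenced by more than one registry entry or is a loader for one that is.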

#4 antazn99
  • Topic Starter
  • Members
  • 50 posts

Posted 16 March 2005 - 03:37 AM

Before anything, I'd like to just say thanks for taking the time to help me.

I did what you said, but I'm still having my browser hijacked by the same thing. If it helps, the page it sends me to is titled "Search For . . .".

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:08 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Owner\Desktop\spyware cleaners\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5E5EBAD1-C0F0-45F7-B64A-37EE2BBC2F48} - C:\WINDOWS\system32\mpc.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Filter: text/html - {FBAA1AC5-BF4A-4D83-BCC7-1C12F27E26B8} - C:\WINDOWS\system32\mpc.dll
O18 - Filter: text/plain - {FBAA1AC5-BF4A-4D83-BCC7-1C12F27E26B8} - C:\WINDOWS\system32\mpc.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The "about:blank" entries from above I keep deleting, but they keep coming back.

I have a few quick questions. In a fit of rage to fix my internet, I accidentally fixed everything HijackThis found. So far it's okay, nothing bad has happened. It fixed my problem for a few hours, but then it came back.

There is something weird with my Control Panel: there is a "REALLY" large space of nothing there. It has not been a problem, but is it something I should be worried about?

I can't seem to access the uninstallers; it says my security settings prevent it. Using TrendMicro causes a problem and closes the browser.

I wasn't able to find madopew.dll, couldn't delete se.dll, and couldn't find inetfih, but I had an inf folder.

Thanks man, I really appreciate your help.

#5 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 16 March 2005 - 09:09 AM

I have a few quick questions. In a fit of rage to fix my internet, I accidentally fixed everything HijackThis found. So far it's okay, nothing bad has happened. It fixed my problem for a few hours, but then it came back.

There is something weird with my Control Panel: there is a "REALLY" large space of nothing there. It has not been a problem, but is it something I should be worried about?

I can't seem to access the uninstallers; it says my security settings prevent it. Using TrendMicro causes a problem and closes the browser.



HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself. 

HijackThis comes with a backup and restoral procedure in the event that you erroneously remove an entry that is actually legitimate.

If you start HijackThis and click on Config, and then the Backup button you will be presented with a screen that lists your previous changes.

You will have a listing of all the items that you had fixed previously and have the option of restoring them. Once you restore an item that is listed in this screen, upon scanning again with HijackThis, the entries will show up again.
Once you are finished restoring those items that were mistakenly fixed, you can close the program.

After you have everything back the way it was before, submit a new log.

I can't seem to access the uninstallers; it says my security settings prevent it. Using TrendMicro causes a problem and closes the browser.



What security setting are you talking about? What are the exact messages you are getting?

Did you do all the steps in the procedure? Or did you bypass some?
If you bypassed a step then it will not work.

#6 antazn99
  • Topic Starter
  • Members
  • 50 posts

Posted 16 March 2005 - 09:52 PM

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 6:45:27 PM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Owner\Desktop\spyware cleaners\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5E5EBAD1-C0F0-45F7-B64A-37EE2BBC2F48} - C:\WINDOWS\system32\mpc.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Filter: text/html - {FBAA1AC5-BF4A-4D83-BCC7-1C12F27E26B8} - C:\WINDOWS\system32\mpc.dll
O18 - Filter: text/plain - {FBAA1AC5-BF4A-4D83-BCC7-1C12F27E26B8} - C:\WINDOWS\system32\mpc.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I clicked something that removed all the back-up data; however, my computer seems to be running fine.

In terms of the exact message from the uninstallers, it says "Your current security setting do not allow this file to be downloaded".

I tried to carry on without doing the uninstallers and some files that you told me to find; I skipped those files because I could not find them, as stated above.

I hope I can still be helped.

#7 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 16 March 2005 - 10:21 PM

I clicked something that removed all the back-up data; however, my computer seems to be running fine.


I need a better description of what you did. What is the "something that removed all the back-up data"?

I asked you to restore all the items you previously deleted. I did not say to delete your backup data.


You said you "removed the back-up data" and that sounds like you deleted it.

In terms of the exact message from the uninstallers, it says "Your current security setting do not allow this file to be downloaded".

If the error message 'Your current security setting do not allow this file to be downloaded' appears, your security settings may be set to 'High'. Click on the 'Tools' menu, choose 'Internet options', click on the 'Security' tab and move the security slider to 'Medium'.

Edited by SifuMike, 16 March 2005 - 11:57 PM.


#8 antazn99
  • Topic Starter
  • Members
  • 50 posts

Posted 17 March 2005 - 03:30 PM

I guess I did delete the back-up record; the record you see there is what HijackThis found. For the uninstallers, I did change my setting to medium and I still could not download the programs.

#9 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 17 March 2005 - 04:53 PM

Hello Antazn99,

Since you have been deleting files without my knowledge and HijackThis backups, I cannot guarantee that we can ever get your computer running normally again. :thumbsup: You may end up having to reinstall Windows or IE, or reformat your disk. :flowers:

But I will try to help you. Maybe we can get it running normally again.


Do not bypass any of the steps or the fix will not work. Tell me if you run into a problem with any step.


Since you have Adaware SE, CWShredder 2.1 and APM on your computer, you will not have to download them again.


******************************************************

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5E5EBAD1-C0F0-45F7-B64A-37EE2BBC2F48} - C:\WINDOWS\system32\mpc.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {FBAA1AC5-BF4A-4D83-BCC7-1C12F27E26B8} - C:\WINDOWS\system32\mpc.dll
O18 - Filter: text/plain - {FBAA1AC5-BF4A-4D83-BCC7-1C12F27E26B8} - C:\WINDOWS\system32\mpc.dll


******************************************************

Now, start APM.
In the upper window select explorer.exe
In the lower window find and right-click C:\WINDOWS\system32\mpc.dll

Select Unload DLL, and click OK on the prompts that follow.

Follow the same procedure for:

C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll

(note: the ~ means a truncated file name, so the file directory begins with locals)

If you do not find the above files and unload the DLLs, then this infection will reinstall itself, so do not bypass this step.

******************************************************

Boot into SAFE MODE by tapping the F8 key during boot up.

Run the CWShredder. Let it fix everything it finds.

Scan with AdAware SE to automatically remove the txt and html protocol associations and to clean up the remnants of the hijack.

Run Adaware SE with the following settings:


Configure Ad-aware

Click on the Gear-shaped icon at the top to open the Settings window.

All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.

General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)


Scanning Settings

Scan Within Archives

Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.

Scan Active Processes

Scan Registry

Deep Scan Registry

Scan my IE favorites for banned URLs

Scan my Hosts file

Advanced Settings - Enable all four options under 'Log-file Detail level'

Tweak Settings

Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'

Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'

Click Proceed

Click on the 'Start' button in the lower right.

Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.

Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.

Close Ad-aware


If Ad-Aware SE needs to reboot to finish cleaning, please let it.

******************************************************

Please run the following online scan and let it fix everything it finds:
TrendMicro http://housecall.trendmicro.com/housecall/start_corp.asp

******************************************************


Reboot and post a new Hijackthis log.

Edited by SifuMike, 18 March 2005 - 01:37 AM.

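As an added illustration, not part of the thread or of HijackThis itself, here is a small Python triage script that applies the reasoning SifuMike used in the post above to a log excerpt: it parses the R/O entry format and flags the patterns he marked. The sample lines are the entries quoted in that post plus one benign O4 line constructed for contrast; the heuristics are this example's own, not HijackThis rules.

```python
import re

# Constructed sample: the entries quoted in the post above, plus one benign
# O4 line invented for contrast (not taken from any real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {5E5EBAD1-C0F0-45F7-B64A-37EE2BBC2F48} - C:\WINDOWS\system32\mpc.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {FBAA1AC5-BF4A-4D83-BCC7-1C12F27E26B8} - C:\WINDOWS\system32\mpc.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

# HijackThis entries look like "<kind> - <body>", e.g. "O18 - Filter: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def reasons_for(kind, body):
    """Heuristics (this example's own) mirroring the post: code loaded from
    Temp, pages served out of a DLL, about:blank hijacks, nameless BHOs,
    MIME filters on text/html or text/plain, rundll32 DllInstall autostarts."""
    reasons = []
    if re.search(r"\\Temp\\", body, re.IGNORECASE):
        reasons.append("loads a file from a Temp directory")
    if "res://" in body:
        reasons.append("page is served from inside a DLL resource")
    if kind.startswith("R") and body.endswith("= about:blank"):
        reasons.append("search/start page blanked (about:blank hijack pattern)")
    if kind == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if kind == "O18" and re.search(r"Filter: text/(html|plain)", body):
        reasons.append("MIME filter hooks text/html or text/plain")
    if kind == "O4" and "rundll32" in body.lower() and "DllInstall" in body:
        reasons.append("Run key reinstalls a DLL via rundll32 DllInstall")
    return reasons


def triage(log_text):
    """Return (entry, reasons) for every log entry with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        reasons = reasons_for(m.group("kind"), m.group("body"))
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("   ->", r)
```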

#10 antazn99
  • Topic Starter
  • Members
  • 50 posts
  • Local time: 06:43 AM

Posted 18 March 2005 - 04:27 AM

Before I follow the steps above: I can't seem to run the TrendMicro scan, it keeps causing a problem that forces me to close my browser (you know that whole "encountered error, send report" thing). Should I be concerned with it?

#11 antazn99
  • Topic Starter
  • Members
  • 50 posts
  • Local time: 06:43 AM

Posted 18 March 2005 - 04:30 AM

Sorry, one more thing: do I need to turn off my System Restore? I read in other posts that if I don't turn that off, it will keep a backup file of the hijacker and reinstall it.

And, uh, thanks so much for still helping me after such a dumb mistake with HijackThis.

#12 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA
  • Local time: 04:43 AM

Posted 18 March 2005 - 11:46 AM

i cant seem to run the trendmicro, it keeps causing a problem that forces me to close my browser (you know that whole "encountered error, send report" thing), should i be concerned with it?



You need to be able to run Trendmicro.

You need to enable "Signed ActiveX controls", "Download Signed ActiveX controls" and "Run ActiveX controls and Plugins" settings for ActiveX in order for ActiveX to operate smoothly.

Set your browser to Medium security setting for Internet by following the procedures below:

1.) In IE, go to Tools | Internet Options. Select the Security tab.
2.) Click on the Internet icon (the Globe icon)
3.) Set "Security level for this zone" to Medium.
Then click on the Custom Level button.
4.) Make sure that the following are enabled:
- Download signed ActiveX controls
- Run ActiveX controls and plug-ins (through Custom level button)

Let me know if that fixes the TrendMicro problem.

If not, I need more information on why it will not run.


do i need to turn off my system recovery, i read in other posts that if i dont turn that off, it will keep a back up file of the hijacker and reinstall it



Do NOT turn off your System Restore. Disabling System Restore wipes out all restore points. Should a problem arise during the fix, you would have NO good working configuration to go back to to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead computer thanks to having System Restore turned off.

After your PC is clean, and all programs are operating properly, then we will clean the Restore folder and set a new restore point.


#13 antazn99
  • Topic Starter
  • Members
  • 50 posts
  • Local time: 06:43 AM

Posted 18 March 2005 - 03:19 PM

I can't seem to get TrendMicro to work; it keeps giving me the message that the browser has encountered an error and has to shut down.

Do I need to worry about this?

#14 antazn99
  • Topic Starter
  • Members
  • 50 posts
  • Local time: 06:43 AM

Posted 18 March 2005 - 03:30 PM

I was trying to follow this other list on how to get rid of hijackers from a while back, and it gave instructions to turn off System Restore and let the scanners do their thing, but I can't seem to get back there and I'm not sure if I turned it back on or not. Could you give me instructions to check if I did? As for TrendMicro, I changed the security setting, but when I scan it says that my browser has encountered an error and has to close.

#15 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA
  • Local time: 04:43 AM

Posted 18 March 2005 - 03:53 PM

cant seem to get trendmicro to work, it keeps giving me the message that the browser has encountered an error and has to shut down.


It should tell you what the error is.

I need to know if the error is from IE or TrendMicro and what it said so I can solve it. Cut and paste the error so I can see it.

Can you tell me if you can reach any other online virus site without your browser closing?
There is a CWS malware that closes all anti-virus sites and browsers, and you may have that.
See if you can run Panda Online Virus Scan:
http://www.pandasoftware.com/activescan/co...n_principal.htm


Try this and let me know if it works:
Close all open Internet Browsers.
Double-click on the Internet Explorer icon on your desktop.
Click on Tools > Internet Options > General tab.
Under Temporary Internet Files, click on Delete Files.
Make sure to delete offline content as well.

It may be your firewall interfering with running TrendMicro.

Turn your firewall off and try to run TrendMicro. Let me know if it works.




not sure if i turned it back on or not, could you give me instructions to check if i did.


Disabling or enabling Windows XP System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Edited by SifuMike, 18 March 2005 - 11:51 PM.

