
HJT log: wray


3 replies to this topic

#1 wray

wray

  • Members
  • 2 posts

Posted 25 June 2005 - 06:13 PM

Hi, I'm having trouble getting rid of some sort of spyware that keeps changing my homepage to clicksearchclick.com/somethingsomething and replaces some of the links on websites I visit with clicksearchclick links. I don't know much about computers but I've run Ad-Aware, Spybot S&D, CCleaner, McAfee AVERT Stinger and I think I also ran CWShredder. I have difficulty accessing online virus scans because half the links change to clicksearchclick links!!

Anyway here is my HJT log. I'd be very grateful to anyone who could help, or at least tell me if this spyware could endanger anything on my computer! :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 8:41:16 AM, on 6/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\wdfmgr.exe
F:\WINDOWS\System32\sistray.EXE
F:\WINDOWS\System32\keyhook.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Pogmrc\Ctrjnhs.exe
F:\WINDOWS\System\svchost.exe
F:\WINDOWS\System32\Services\{2EF46C24-6D6D-481C-BC81-9BCFF3CD1D0A}\SVCHOST.EXE
F:\WINDOWS\System32\msxct.exe
F:\PROGRA~1\COMMON~1\kquz\kquzm.exe
F:\WINDOWS\System32\??xplore.exe
F:\Program Files\coes\suer.exe
F:\PROGRA~1\COMMON~1\kquz\kquza.exe
F:\WINDOWS\System32\win32.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Spyware Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F2 - REG:system.ini: UserInit=f:\windows\system32\userinit.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A9929AC-CD38-B1E1-61D7-B82E337B95BD} - F:\WINDOWS\System32\fcozfulz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spyware Tools\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] F:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] F:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] F:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAZAA] "F:\Program Files\Kazaa Lite K++\kpp.exe" "F:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [msnsyslog] F:\WINDOWS\msnappm.exe
O4 - HKLM\..\Run: [yAadhCvG] F:\WINDOWS\hhbblj.exe
O4 - HKLM\..\Run: [yAadh$/E%)fF:\Program Files\ISTsvc\istsvc.exe] F:\WINDOWS\hhbblj.exe
O4 - HKLM\..\Run: [yAadh$fNbF:\Program Files\ISTsvc\istsvc.exe] F:\WINDOWS\hhbblj.exe
O4 - HKLM\..\Run: [Dpjfpa] C:\Program Files\Pogmrc\Ctrjnhs.exe
O4 - HKLM\..\Run: [bO#y-] F:\WINDOWS\hhbblj.exe
O4 - HKLM\..\Run: [bO/E%)fNbF:\Program Files\ISTsvc\istsvc.exe] F:\WINDOWS\hhbblj.exe
O4 - HKLM\..\Run: [System] F:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Service Host] F:\WINDOWS\System32\Services\{2EF46C24-6D6D-481C-BC81-9BCFF3CD1D0A}\SVCHOST.EXE
O4 - HKLM\..\Run: [Service Host] F:\WINDOWS\System32\Services\{2EF46C24-6D6D-481C-BC81-9BCFF3CD1D0A}\SVCHOST.EXE
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [bv9d8k3g] F:\WINDOWS\System32\bv9d8k3g.exe
O4 - HKLM\..\Run: [2Fnf32h] w95ecab.exe
O4 - HKLM\..\Run: [Disk Keeper] F:\WINDOWS\System32\Services\{2EF46C24-6D6D-481C-BC81-9BCFF3CD1D0A}\SECURITY.EXE
O4 - HKCU\..\Run: [pmrqzgf] F:\WINDOWS\pmrqzgf.exe
O4 - HKCU\..\Run: [ClockSync] "F:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [kquz] F:\PROGRA~1\COMMON~1\kquz\kquzm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [wupd] F:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Jo4pRSNpS] untninst.exe
O4 - HKCU\..\Run: [Ilqo] F:\WINDOWS\System32\??xplore.exe
O4 - HKCU\..\Run: [Eost] F:\Program Files\coes\suer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @F:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @F:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c18.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{547FCD8C-85FA-46FE-B08E-E92952A2B900}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{547FCD8C-85FA-46FE-B08E-E92952A2B900}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{547FCD8C-85FA-46FE-B08E-E92952A2B900}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: style2 - F:\WINDOWS\q95859_disk.dll



#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 26 June 2005 - 09:00 PM

Hi Wray and Welcome!

Can you verify that this file exists in this folder:

F:\WINDOWS\explorer.exe

Post back and let me know if you locate it!

#3 wray

wray
  • Topic Starter

  • Members
  • 2 posts

Posted 27 June 2005 - 07:44 PM

Hey Crete thanks so much for replying!
Yes there's an explorer.exe in F:\WINDOWS\

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 27 June 2005 - 09:25 PM

OK, Good Deal!!

You have quite a mess in there and it's gonna take a few passes, so get them fingers and eyes ready!

Please Right Click the Desktop and Select New>>Folder>>Name it whatever you like!

Download all Programs to this Folder!

Please Copy these Instructions to Notepad and Save them to your Desktop. You must not be connected to the Internet once you are in Safe Mode!

Use this Link from Calamity Jane and get all the Programs in the link Installed just as she Instructs!
http://forums.subratam.org/index.php?showtopic=3466

I also want you to download a few other programs to assist us!

Attached to the Post is a reg file,please download to the Desktop and wait until I ask to run it please!

Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop but don't run it yet!


Download Ewido Security Suite, install, then from within the program check for updates BUT don't scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), close the program.

If you have problems updating see here
http://www.ewido.net/en/download/updates/

Download and Install CleanUp! 4.0
http://downloads.stevengould.org/cleanup/CleanUp40.exe

Assure that Stinger and Ad Aware are current on updates!

Please follow these instructions to configure Ad-Aware SE:

1. Click on the General button on the left hand side.

   1. Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

      1. Automatically save logfile
      2. Automatically quarantine objects prior to removal
      3. Safe Mode (always request confirmation)

2. Next click on the Advanced button on the left hand side.

   1. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

      1. Include additional object information
      2. Include negligible objects information
      3. Include environment information
      4. Include Alternate data stream details in log file

3. Next click on the Tweak button on the left hand side.

   1. Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

      1. Include basic Ad-Aware settings in logfile
      2. Include additional Ad-Aware settings in logfile

   2. Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

      1. Unload recognized processes & modules during scan
      2. Scan registry for all users instead of current user only

   3. Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

      1. Always try to unload modules before deletion
      2. During removal, unload Explorer and IE if necessary
      3. Let Windows remove files in use at next reboot
      4. Delete quarantined objects after restoring

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Disconnect the line from the PC that connects you to the Internet!

Go ahead and Open Kaspersky and Ewido but Dont Run them or Minimize them!!

Right Click the Task Bar near the clock and Select Task Manager

Now remember when you end Explorer.exe, the TaskBar and the Desktop are going to Disappear!!

So locate the Processes Tab and go through the list (Click Image Name to Alphabetize the list). Locate these and if they exist, Right Click or Highlight and Select "End Process"!!

Ctrjnhs.exe
msxct.exe
kquzm.exe
kquza.exe
win32.exe
SVCHOST.EXE<< Only if its in Capital letters!
Explorer.exe<< All Instances


Now you should just have Kaspersky, Ewido, Task Manager and this Notepad page on the Screen in front of you!

Scan the PC with Kaspersky and Delete all it Finds and Close it out!

Scan with Ewido>when prompted>Select to clean and place a check by the box to use this action for all infections!

Once it completes, Click the tab to Save the report and Save it to your Desktop for easy access!

Close out Ewido!

In the Task Manager>> Click File>> Click New Task (Run...)>> Copy&Paste the below bold text and Click OK!

F:\WINDOWS\explorer.exe

Now Open CleanUp!, Stinger, Ad Aware and Microsoft AntiSpyware!

Kill Explorer again and Scan with all programs and Delete all they Find

Close out each program as it finishes!

Activate Explorer again just as before and when your desktop returns, Enter your control panel.

If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.

Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.

Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Make sure the radio dial has the Green Dot in it!!

Click OK and then OK again and Close out the Control Panel!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O17 - HKLM\System\CCS\Services\Tcpip\..\{547FCD8C-85FA-46FE-B08E-E92952A2B900}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{547FCD8C-85FA-46FE-B08E-E92952A2B900}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{547FCD8C-85FA-46FE-B08E-E92952A2B900}: NameServer = 69.50.184.84,195.225.176.37

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Click Start, and then click Search.
Click All files and folders.
In the "All or part of the file name" box, type:

rasphone.pbk

Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Click Find Now or Search Now.

If you find rasphone.pbk file, right-click the file, and then click "Open With."
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete the entries below:

IpDnsAddress = 69.50.184.84
IpDns2Address = 195.225.176.37
IpNameAssign = 2


Close Notepad and be sure to Save your changes when prompted!!!

Now, Double Click Styles2.reg and allow it to merge into the registry!

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process>Give it a minute to run!

Restart the PC in Normal Mode and Click Start>>Run>>Type in CMD and Click OK!

At the Command Prompt Window type in cd\ and hit Enter

Now type in ipconfig /flushdns and hit Enter

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Download RegScrubXP v.3.25
http://www.majorgeeks.com/download2048.html

Now locate and open RegScrubXP and Click "RegScrubXP finds Problems"

Let it scan the System and when it completes Click "Select all Problems" and "Fix Selected Problems"

Once all is completed, Scan the PC with HijackThis and Post that log along with the Reports from Ewido and Panda!

Attached Files


Edited by Cretemonster, 27 June 2005 - 09:25 PM.




