
PLEASE HELP ME ASAP....its urgent


3 replies to this topic

#1 splackavellie_ca

splackavellie_ca

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 12 July 2005 - 12:02 PM

OK, here's the deal....I got hijacked....I believe it was that SpySheriff thing...anyways, I've browsed through the forums here and tried my best to fix it myself...still, I try and use IE and nothing works...this isn't even my computer so I'm kinda paranoid. Right now I'm using Foxzilla and even that is slow and sluggish, and the websites don't look right; when I try and click on a link and whatnot it doesn't take me to the correct spot, I always get a clicksearchclick.biz or clicksearchclick.com, or else I receive a "document contains no data" message....any assistance would be appreciated...I've been doing this since midnight last night...lol. Thanks

Here's my recent log:



Logfile of HijackThis v1.99.1
Scan saved at 12:18:13 PM, on 7/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\msmsgr2.exe
C:\WINDOWS\System32\Services\{2808CC1B-6FC2-4154-8850-2C1A67A3F64F}\SVCHOST.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\bleepYO~1.FUC\LOCALS~1\Temp\Rar$EX01.595\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {9E982292-DE02-45E5-BE10-E4C1ACCB8AC0} - C:\WINDOWS\System32\kkah.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{2808CC1B-6FC2-4154-8850-2C1A67A3F64F}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{2808CC1B-6FC2-4154-8850-2C1A67A3F64F}\SECURITY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110934391202
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINDOWS\System32\msdcom32.dll
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINDOWS\System32\msdcom32.dll
O21 - SSODL: gxYogqsEgC - {ACA40AE5-060E-A04F-95D4-B9DA9FE80844} - C:\WINDOWS\System32\but.dll
O21 - SSODL: System - {0F5F1A38-8EC1-4080-992F-EE48418A8DAD} - vr_sys.dll (file missing)



#2 splackavellie_ca

splackavellie_ca
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 12 July 2005 - 01:00 PM

Can somebody help me soon..I gotta get this comp right away..it's not mine...thanks again

#3 splackavellie_ca

splackavellie_ca
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 12 July 2005 - 01:01 PM

Can somebody help me soon..I gotta get this comp right away..it's not mine...thanks again

//Mod edit: Logs are analyzed on a first in, first worked basis. It takes some time to accomplish this work. Please wait for a response before posting again. All HJT Techs are volunteers. Please be patient.

Edited by KoanYorel, 12 July 2005 - 04:46 PM.


#4 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 13 July 2005 - 02:09 AM

Hi,

Close all your running programs, run HijackThis and place a check next to the following.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: (no name) - {9E982292-DE02-45E5-BE10-E4C1ACCB8AC0} - C:\WINDOWS\System32\kkah.dll (file missing)
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{2808CC1B-6FC2-4154-8850-2C1A67A3F64F}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{2808CC1B-6FC2-4154-8850-2C1A67A3F64F}\SECURITY.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINDOWS\System32\msdcom32.dll
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINDOWS\System32\msdcom32.dll
O21 - SSODL: gxYogqsEgC - {ACA40AE5-060E-A04F-95D4-B9DA9FE80844} - C:\WINDOWS\System32\but.dll
O21 - SSODL: System - {0F5F1A38-8EC1-4080-992F-EE48418A8DAD} - vr_sys.dll (file missing)

Close all your Internet Explorer windows and click Fix in HijackThis.

Next, locate the following files and delete them:

Files:
C:\WINDOWS\System32\requester.10.exe
C:\WINDOWS\msmsgr2.exe
C:\WINDOWS\System32\Services\{2808CC1B-6FC2-4154-8850-2C1A67A3F64F}\SVCHOST.EXE
C:\WINDOWS\System32\Services\{2808CC1B-6FC2-4154-8850-2C1A67A3F64F}\SECURITY.EXE
C:\winstall.exe
C:\WINDOWS\System32\symcsvc.exe



Now download the following: Anti-Spy, Cleanup!, CWShredder, Ad-aware, & Spy-Bot.
  • Updating Ad-aware:
    • Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
  • Updating Spybot:
    • Double-Click the Desktop Icon > Click 'Update' > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'
  • Updating Anti-Spy:
    • Double-Click the Desktop Icon > Click 'File' > Click 'Check For Updates'
Please copy my notes into Notepad and save them to your desktop. You need to be in Safe Mode to remove a lot of the junk.

Now reboot into Safe Mode (press F8 during reboot, select Safe Mode) and DON'T reconnect to the net.



Cleanup!
  • Make sure you have all your Internet browsers closed.
  • Click 'Cleanup!'
  • Close Cleanup! once it's finished
CWShredder
  • Double-Click CWShredder and click 'Fix'
  • Close CWShredder
Ad-Aware
  • Open Ad-aware and make the following changes to the settings in Ad-aware.
    • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine: check 'Unload recognized processes during scanning.'
    • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine: check 'Let Windows remove files in use at next reboot.' Click 'Proceed'
  • Click 'Start'
  • Select option 'Use Custom scanning options'
  • Click 'Customize'
  • Make sure the following are all checked:
    • 'Scan Within Archives'
    • 'Scan Active Processes'
    • 'Scan Registry'
    • 'Deep Scan Registry'
    • 'Scan My IE Favorites For Banned URL'S'
    • 'Scan My Hosts File'
  • Click 'Proceed'
  • Now click 'Next' to let Ad-aware scan your drives.
  • Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
  • Now Click 'Next' and Finally Click 'OK'
  • Close Out Ad-Aware once the scan is complete.
Anti-Spy
  • Open Anti-Spy and make the following changes.
  • Click 'Spyware Scan' (located on the Top Right)
  • Click 'Scan Options'
    • Select 'Full System Scan'
  • Now Click 'Run Scan Now'
  • Once the Scan is complete select remove from the drop-down menu.
  • Close Out Anti-Spy
Spy-Bot
  • Double-Click Spybot
  • Click 'Search & Destroy'
  • Click 'Check for problems' (the program will now search your HDD)
  • Make sure all findings are checked and click 'Fix Selected Problems'
  • Close SpyBot and Reboot!
Once complete post a fresh log in your thread.
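A small triage aid for the log format in this thread, added here as an example and not part of the thread, of HijackThis, or of any of the tools named above. It parses entries of the form `R0 - ...` / `O4 - ...` and applies a few of the checks a helper like QuietFusion applies by eye when building a fix list: a start or search page pointing at a raw IP address, entries marked `(file missing)`, an O16 ActiveX download that is a bare `.exe`, an autorun executable sitting at the drive root or directly in `C:\WINDOWS`, and a file named after a Windows system process (such as `SVCHOST.EXE`) running from somewhere other than `System32`. The heuristics, the severity labels and the short list of system process names are assumptions of this example and will not reproduce the helper's list exactly; O20/O21 hooks are only marked for review, since legitimate vendor components (the `igfxcui` entry in the posted log) live there too. The sample lines are constructed from the entry kinds in the posted log, with an `example.com` search URL standing in for the truncated Yahoo ones.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99 log format: the entry kinds
# shown in the thread (R0, R1, O2, O4, O16, O20, O21) plus benign entries
# so the heuristics have something to leave alone. The example.com search
# URL is a placeholder, not a value from the posted log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.example.com/
O2 - BHO: (no name) - {9E982292-DE02-45E5-BE10-E4C1ACCB8AC0} - C:\WINDOWS\System32\kkah.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{2808CC1B-6FC2-4154-8850-2C1A67A3F64F}\SVCHOST.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: gxYogqsEgC - {ACA40AE5-060E-A04F-95D4-B9DA9FE80844} - C:\WINDOWS\System32\but.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
# Drive-letter path up to the first executable-ish extension; non-greedy so
# spaces in 'Program Files'-style paths are kept.
PATH_RE = re.compile(r'"?([A-Za-z]:\\.+?\.(?:exe|dll|ocx|cpl))', re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Names that belong only in %SystemRoot%\System32; a copy elsewhere is a
# classic masquerade (assumption: this short list is enough for the demo).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe", "winlogon.exe"}


@dataclass
class Finding:
    section: str
    severity: str   # "suspicious" (hard heuristic hit) or "review" (persistence hook)
    reason: str
    line: str


def check_entry(section: str, body: str) -> list:
    """Apply the triage heuristics to one parsed entry; returns (severity, reason) pairs."""
    hits = []
    if "(file missing)" in body:
        hits.append(("suspicious", "dangling entry: referenced file is missing"))
    url = URL_RE.search(body)
    if url:
        host = urlparse(url.group(0)).hostname or ""
        if IPV4_RE.match(host):
            hits.append(("suspicious", f"URL points at a raw IP address ({host})"))
        if section == "O16" and url.group(0).lower().endswith(".exe"):
            hits.append(("suspicious", "O16 DPF downloads a bare .exe rather than a .cab"))
    path = PATH_RE.search(body)
    if path:
        parent, _, name = path.group(1).rpartition("\\")
        if name.lower() in SYSTEM_NAMES and not parent.lower().endswith("\\system32"):
            hits.append(("suspicious", f"{name} is a Windows system process name but runs from {parent}"))
        if section == "O4" and re.fullmatch(r"[a-z]:(\\windows)?", parent.lower()):
            hits.append(("suspicious", f"autorun executable sits directly in {parent}"))
    if section in ("O20", "O21") and not hits:
        hits.append(("review", f"{section} is a logon/shell persistence hook; confirm the DLL is a known vendor component"))
    return hits


def parse_entries(log_text: str):
    """Yield (section, body, line) for every R*/O* entry, skipping headers and the process list."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(log_text: str) -> list:
    """Return one Finding per heuristic hit, in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        for severity, reason in check_entry(section, body):
            findings.append(Finding(section, severity, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Run it against a saved HijackThis log by passing the file's contents to `triage()`; the point is to surface the entries worth a second look, not to decide the fix list, which still needs the judgement the helper shows above.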



