
Hijacked homepage (t.swapx.cc/h.php?aid=20009)


  • This topic is locked
11 replies to this topic

#1 Trueth

Trueth

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 08 November 2004 - 02:10 AM

Logfile of HijackThis v1.98.2
Scan saved at 12:58:01 AM, on 11/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\liosuxr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\wanmpsvc.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [ovpgldivlma] C:\WINDOWS\System32\liosuxr.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S3.tmp"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://jobs.tntlogistics.com/CFIDE/classes/CFJava.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01d2af68c4a3ab...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096334461949
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - AppInit_DLLs: 3dhgmuew13wwi.dll



#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:11:25 PM

Posted 08 November 2004 - 03:16 PM

Hi, Trueth, I'm checking your log now. Be back with you asap. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:11:25 PM

Posted 09 November 2004 - 08:12 PM

I should say, "we" are checking your log, Trueth. I've got a custom fix prepared for you, and it's being double-checked. The infection you have on the PC isn't exactly an easy fix. It won't be much longer. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#4 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:11:25 PM

Posted 09 November 2004 - 10:06 PM

Hi, Trueth, I have some recommendations.

Regarding the HijackThis: C:\unzipped\hijackthis[1]\HijackThis.exe should look like this C:\HJT\HijackThis.exe on your log. To make it that way: click Start-->My Computer-->Hard Disk Drive C:\-->File-->New-->Folder and name it HJT. From where it is now: Move To-->Browse-->select C:\HJT. In this way the program will save backups automatically to that folder and we may need them.

Please make sure to work through the fixes in the exact order that they're presented below. You should also print out or copy this page to Notepad. Screenshots are included to help you.

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


You will need several tools on your desktop. Unlike HJT, you may run them from the desktop. All are .zip files, shown after extraction. Please use these links to download them: You will also need to install Ad-Aware SE Personal 1.05 onto your PC. It will install normally, and please read Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer

Extract Killbox, open folder & choose extract to your desktop. "Finish". Open the folder and then double-click on Killbox.exe to start the program.

Fill in the field with this: C:\WINDOWS\System32\3dhgmuew13wwi.dll and select "delete on reboot". Click the red circle to the right of the field.
(The file name will be confirmed in blue.) click Yes to "process & Reboot now?".
Reboot will occur.

Start-->Add or Remove Programs-->Uninstall (if found) any instances of:Ebates or NaviSearch. Please check for a program involving Iomega, also. One entry in your log shows an unrecognized .exe file and if you use an Iomega device or program it's probably OK. If not, or you used to, consider it for uninstalling. I will also mention it later as optional.

Set your PC to: show hidden files. Additional information here.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [ovpgldivlma] C:\WINDOWS\System32\liosuxr.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01d2af68c4a3ab...ip/RdxIE601.cab netster
O20 - AppInit_DLLs: 3dhgmuew13wwi.dll
Then consider these files for deletion also. If you do not recognize them as ones you use & need, there is reason to eliminate them. You can re-install the ones starting with O16 by visiting the websites (http://etc.com) again if you like.
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab (if you use Road Runner high-speed online, leave it in)
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://jobs.tntlogistics.com/CFIDE/classes/CFJava.cab (Directory Listing Denied. This Virtual Directory does not allow contents to be listed.)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present fix unless you used Spybot's IE Tweaks & locked your start page.

When you're sure that files marked for deletion are correct, click the Fix button.

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.

Search for, locate and delete these files or folders (Do not be concerned if they do not exist, the previous steps may have eliminated them.) Do not delete the main folders C:\WINDOWS or C:\Program Files. We're just looking for sub-folders or individual files here. The best way to find them is to use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->checkmark search "system folders", "hidden files & folders", "sub-folders" & perhaps "case sensitive" if you like.
c:\counter.cab
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\System32\liosuxr.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe (the optional one I mentioned. Keep it if you need it for any reason)

Delete Temp Files
To clean out your temp files use: Start-->Run-->type in: %temp% and press the ok button. This should open up the temp directory that your machine uses. Please delete all files and folders found in the temp folder. If you get an error when deleting a file, skip that file and delete all the others. Doing this in Safe Mode you should be able to delete all the files.

Reboot your computer to go back to normal mode.

Extract CWShredder 1.59.1, open folder & choose to extract to your desktop. "Finish". Open the folder and double-click on the cwshredder.exe. Select Fix.

Reboot at least once, perhaps a couple of times to be sure it worked.

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

Delete Temporary Internet Files
Now I want you to Start-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, but when it is done your Temporary Internet Files will be deleted.

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Extract Hoster, open folder and choose to extract to your desktop. "Finish". Open the folder and double-click on the hoster file. With the program open, click "restore original hosts".

Empty the recycle bin.
You may choose to move the programs on your desktop to a permanent folder or simply delete them, perhaps when you're certain the PC is clean.
Run HijackThis again and post the new log as a reply to this post.
(Include comments regarding any problems you might have had, and let us know if it's working better. Some additional options may exist)

I have confidence in your success, no problem posting again if you're unsure though. Sorry it took me so long.
patiently patrolling, plenty of persistent pests n' problems ...
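The fix above is built by reading the HijackThis entries by section tag (R0/R1 hijacked IE URLs, O2/O3 orphaned COM objects, O4 Run entries, O16 ActiveX downloads, O20 AppInit_DLLs) and then confirming with a second log that each one is gone. The following script is an added example of that triage, not phawgg's tool or any part of HijackThis. Its indicators are assumptions modelled on what was fixed in this thread: the two hijacker hosts, the file names on the removal list, and a crude "random lowercase name launching from System32" heuristic for Run entries. The two sample logs are excerpts of the before and after logs posted in this thread.

```python
"""Triage a HijackThis (HJT) log and confirm a follow-up log is clean.

Added example for this thread, not phawgg's tool or part of HijackThis.
Indicator lists and the RANDOM_RUN heuristic are assumptions modelled on
the entries the helper told the poster to fix.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One HJT entry: a section tag (R0, O4, O20, ...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# Hosts found in the hijacked R0/R1 entries of the first log.
HIJACK_HOSTS = ("super-spider.com", "win-eto.com")

# File names the helper's instructions marked for removal (lower-case).
KNOWN_BAD_FILES = ("mxtarget.dll", "liosuxr.exe", "nls.exe",
                   "3dhgmuew13wwi.dll", "counter.cab")

# Heuristic: a Run entry whose name is a run of lowercase letters and
# which launches a lowercase-named executable straight out of System32.
RANDOM_RUN = re.compile(r"\[[a-z]{8,}\]\s+C:\\WINDOWS\\System32\\[a-z]{6,}\.exe$")


@dataclass(frozen=True)
class Entry:
    kind: str   # section tag, e.g. "O4"
    body: str   # everything after "O4 - "


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R*/O* entry lines; header and process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body").strip()))
    return entries


def flag(entry: Entry) -> List[str]:
    """Return the reasons (possibly none) this entry deserves a closer look."""
    reasons = []
    body_lc = entry.body.lower()
    if entry.kind in ("R0", "R1") and any(h in body_lc for h in HIJACK_HOSTS):
        reasons.append("IE start/search URL points at a hijacker domain")
    if entry.kind == "R3" and "missing" in body_lc:
        reasons.append("default URLSearchHook removed or replaced")
    if entry.kind == "O20" and "appinit_dlls" in body_lc:
        reasons.append("AppInit_DLLs loads this DLL into every process using user32.dll")
    if entry.kind == "O4" and RANDOM_RUN.search(entry.body):
        reasons.append("Run entry with a random-looking name launching from System32")
    if entry.kind in ("O2", "O3") and ("(no file)" in body_lc or "(file missing)" in body_lc):
        reasons.append("COM object registered but its file is gone (orphan)")
    if entry.kind == "O16" and "file://" in body_lc:
        reasons.append("ActiveX download control sourced from a local file:// path")
    if any(bad in body_lc for bad in KNOWN_BAD_FILES):
        reasons.append("names a file from the removal list")
    return reasons


def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Entries of a log that trip at least one indicator, with their reasons."""
    return [(e, flag(e)) for e in parse_hjt(log_text) if flag(e)]


def removed_entries(before_text: str, after_text: str) -> List[Entry]:
    """Entries present in the first log that no longer appear in the second."""
    after = set(parse_hjt(after_text))
    return [e for e in parse_hjt(before_text) if e not in after]


def still_flagged(after_text: str) -> List[Entry]:
    """Anything in the follow-up log that still trips an indicator."""
    return [e for e in parse_hjt(after_text) if flag(e)]


# Constructed sample input: excerpts of the two logs posted in this thread.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ovpgldivlma] C:\WINDOWS\System32\liosuxr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - AppInit_DLLs: 3dhgmuew13wwi.dll
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
"""

if __name__ == "__main__":
    for entry, reasons in triage(BEFORE_LOG):
        print(f"{entry.kind}: {entry.body}\n    -> " + "; ".join(reasons))
    print(f"\n{len(removed_entries(BEFORE_LOG, AFTER_LOG))} entries removed, "
          f"{len(still_flagged(AFTER_LOG))} still flagged in the follow-up log")
```

The indicator list is deliberately narrow: the benign QuickTime Run entry and the Yahoo toolbar are not flagged, while every entry the helper fixed is, and the follow-up log comes back with nothing flagged and the new Spyware Vanisher Run entry visible in the diff for a human to judge, which is exactly the review phawgg performs in his next reply.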

#5 Trueth

Trueth
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 10 November 2004 - 03:52 AM

For the love of all that is good, I am forever grateful to you and your coalition of the willing :thumbsup: Everything seems fine, but then again it is like 4 in the morning. I'll post another reply in the next 24hrs and let you know the news, good or bad. Thanks again

#6 Trueth

Trueth
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 10 November 2004 - 03:54 AM

:thumbsup: Forgot log

Logfile of HijackThis v1.98.2
Scan saved at 3:47:14 AM, on 11/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S3.tmp"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096334461949
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F05FD21-F250-48B2-A069-4BE27AD912F1}: NameServer = 198.81.17.4

#7 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:11:25 PM

Posted 11 November 2004 - 06:22 AM

Well we all are happy to help, Trueth. :thumbsup: It does take some time, and your 24 hour test drive is exactly the thing I'd do, too.

I did notice that you have a new entry,
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
and it indicates you've added a scan. In the interest of general knowledge, and since I'm suspicious of anti-spyware products that aren't the ones experience has taught me work well, I visited the site to make up my own mind about it. I also checked this site, which I visit often "in the line of duty". The Rogue List. You see, lottsa folks prey on the users, by either duping them with what are called "false positives" or blatantly loading problems with the freebie. The quote below is from a ways down the long page.

If your PC is already infested with spyware and adware, resist the temptation to succumb to impulse buys of anti-spyware products that you see on the Net, esp. those included in the "rogue/suspect" list on this page or advertised on Google. Instead, you can get help online from a corps of savvy volunteers who specialize in busting spyware.

To get help with a spyware infestation:
1. Clean your PC as best you can
Download and run one (or both) of these free anti-spyware scanners and remove whatever spyware and adware it finds.
Ad-aware Personal Edition
Spybot Search & Destroy

You should also scan and clean your computer with whatever anti-virus program you happen to have installed on your computer. If you don't have an anti-virus program, you can scan your computer with one of these online anti-virus scanners:
BitDefender ScanOnline
Command on Demand
eTrust AntiVirus Web Scanner
McAfee FreeScan
Panda ActiveScan
RAV AntiVirus Scan Online
Trend Micro HouseCall

... or download and run one of these free standalone virus removal tools:
avast! Virus Cleaner
McAfee AVERT Stinger
Panda PQRemove

2. Visit a spyware removal forum

You've done well to find us, as we are not on the particular list that follows what I quoted. We fit the description, though. (please click on the numbers below, then read the comments)

At my visit, I didn't see anything that says: "We are copycats of others, and won't tell you" or "Load this stuff and we'll have fun with your PC". Of course I never do. I do sniff for clues. I decided to shut off all my system programs except one, and downloaded the free one I think you have. Closed my browser, and installed it. I did not run my other programs first, Spybot S&D, Ad-Aware, A2, or Pest Patrol I won in a contest here. I'd run them within the last 24 hours, though. I do that.
1. It found a "named infection" early on in a scan that told me about 15,000 things had been tested. Ad-Aware typically tests 70-80,000 objects in a scan. Bit Defender has done 240,000 at one time. The scan did take longer than I'm used to. I haven't heard of "spyware trusted zone" infection.
2. When it was done, the 13 infections found are presented to me in a manner that is called a "goad", meaning I'm stirred on towards some resolution. I resist this method, basically because I doubt I have 13 infections all of a sudden, that nothing else has identified. So I choose the button marked:"No, I would like to stay infected". Funny button.
3. This immediately popped up. I was expecting it, as the Spybot S&D tea timer is my anti-malware program that I leave in the tray most all the time. It shows that this program wants to have a "startup listing". Well, in installation of this and most of my programs installed, I do not want this. I want only Spybot S&D Tea Timer, AVG, and right now, Kerio Firewall to startup. In fact I opted only to have this program appear in my "Start Menu" which is a horse-of-a-different-color. So, I "denied it the right"
4. This program also automatically gives me a desktop icon, which at installation I always automatically prevent IF I CAN. If not, I delete it automatically, since I am habitually using my Start-->"whatever program I want". It takes me one more click to open any program I desire this way. I also avoid, as I mentioned, a lot of unnecessary drain on my memory resources at bootup and constantly there-after by disciplining myself to not have the "tray icon short-cuts". IMO, lazy short-cuts are to be avoided. They are for specific purposes, also previously mentioned.

5. So, my next move was to run a program I trust. New trial programs of many kinds I do not trust to work well, even if they are good programs, until I test them on my PC with those I run. It found a new "data miner" cookie. It might have been there from yesterday's "work", but then again, possibly it was new ... today. With a single install to wonder about. I fixed it.
6. Netshelter.net, new bad guy in my mind. From where? More research required...

7. My next move? Start-->Control Panel-->Add/Remove Programs. Really, a true test of any software product involves how well it uninstalls, too. I often load, uninstall, and re-load a program to see how it reacts.
8. I can say it did uninstall, and the desktop icon disappeared. Without a registry scan I'm not sure all traces are gone, but it did OK at basic uninstall.

HJT could be used to see if the 04 entry is gone.

Which leads me to what is a standard "after the cleaning" set of recommendations.

In your case, even though the program might be legitimate, I planned on guiding you towards better ones, so if you would consider:
  • Uninstalling Spyware Vanisher
  • Running HJT once again. Check for the O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan and have HJT delete it (only). I do not think any folder remains in your C:\Program Files after uninstall, based on my experience with it.
  • Posting another log
  • Holding off for a bit before you surf extensively until we see "its all good"
  • Then we can do a few more important things to make your future more secure.

Edited by phawgg, 11 November 2004 - 06:23 AM.

patiently patrolling, plenty of persistent pests n' problems ...

#8 Trueth

Trueth
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 11 November 2004 - 07:26 PM

My bad, the job has me super busy; I will follow your directions tomorrow, more likely in the early morning.

#9 Trueth

Trueth
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 12 November 2004 - 12:55 AM

New log
Logfile of HijackThis v1.98.2
Scan saved at 12:54:18 AM, on 11/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\wanmpsvc.exe
C:\HJT\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S3.tmp"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096334461949
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22.hotmail.msn.com/activex/HMAtchmt.ocx

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:25 AM

Posted 16 November 2004 - 01:17 AM

Please be patient, Phawgg will get back to you when he is available

#11 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:11:25 PM

Posted 16 November 2004 - 05:44 AM

My apologies, Trueth, I musta simply overlooked your Clean Log! in my busy last few days. Normally I recommend that you disable & re-enable your System Restore to set a new restore point. This ensures that there are no infected files found in a restore point left over from what we have just cleaned. Additional information & instructions are here. It has been a few days so if you feel there is a chance things have changed, please post another log to be certain. Otherwise go ahead and do that. If you do not set that new point, be sure you do not restore your system any further back than the calendar date November 12, 2004. Additional information & instructions are here. Some other steps to be taken are:

1. Use secure Internet Explorer settings
  • Open IE and check tools-->internet options-->security-->click internet icon-->(default is medium). Click custom and check that these settings are:
  • Download unsigned ActiveX controls - prompt
  • Initialize and script ActiveX controls not marked as safe - disable
  • Installation of desktop items - prompt
  • Launching programs and files in IFRAME - prompt
  • Navigate sub-frames across different domains - prompt
2. Use AntiVirus Software & Update Frequently
  • An excellent free program is AVG, if you need an option. This program can be set to automatically scan & either auto-update or
    you may choose to do that yourself. Virus definition updates with this program occur frequently, which is very good.
3. Use a Firewall
  • Excellent free programs available include:
  • Sygate
  • Kerio
  • (others are also available)
  • Choose one (if you do not already use a firewall). Keep your Firewall up & monitor its configurations
  • (fully understanding its operation may require some thought & a little practice, but it helps greatly to have it installed and functioning)
4. Use Microsoft Windows Updates Frequently
  • SP2 is the most recent Service Pack available.
  • It provides all the updates issued since Windows XP was first released, including SP1 and all updates added to it
  • More updates have already been added to it, so to remain current in regards to security issues in particular, you should consider installing it.
  • Information is more readily available now that involves any possible conflicts with your present software.
  • You can read up on that information here.
5. Use Spybot S&D & Update
  • Install and use this program with its TeaTimer option.
  • This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with this program on a regular basis, just as you would an antivirus software.
  • Check for updates when you do. A tutorial is available here.
6. Use SpywareBlaster & Update
  • Install and use this program
  • Adding a large list of sites/programs into your Browser settings, it protects you from running or downloading known malicious programs.
  • You may customize it if required to accommodate your individual needs, and updates are also frequently issued with new definitions added
  • Make it a habit to run and update on a regular basis.
7. Use Ad-Aware & Update
  • Install, configure and use this program with the others.
  • It is very well thought of in its effectiveness, it complements the actions of the others.
  • It provides for additional plug-in specialty tools as well as an upgrade if you choose them.
  • Updates are frequent, so I suggest that you do both that and run the program regularly.
8. Use an alternative Browser Frequently
  • Consider using Firefox as an alternative to IE for fundamental security reasons.
  • You can have both easily. Doing so will provide you with several benefits and options.
  • Other alternative browsers are also available at no charge
  • They do not have inherent vulnerabilities to the extent that IE does.
  • They are not subject to the same attention by malware creators as IE, which is much more commonly used.
All of these recommendations will provide a valuable service to you, and no conflicts exist when operating them together on your PC [winXP]
Please enact them for your own sake and that of the Internet itself.

9. Use BleepingComputer Tutorials & Resources Frequently
  • While cleaning your PC important tutorials were offered to explain what was being done.
  • Urgency to accomplish the task may have compromised your full understanding of what all was involved.
  • There is always room for improvement when using a personal computer.
  • Resources are available here and improving all the time. Some that deal with these recommendations include:
Tutorials available for more in-depth considerations.
Switching from Internet Explorer to Firefox
Simple and easy ways to keep your computer safe and secure on the Internet
Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Guide to Windows XP Recovery Features
Steps to take when connecting a new computer to the Internet

I'm glad we could be of assistance to you, and thank you for cooperating so well.
patiently patrolling, plenty of persistent pests n' problems ...

#12 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  • Location:Washington State, USA
  • Local time:11:25 PM

Posted 31 December 2004 - 06:35 PM

Closed. The topics in this thread appear to have been resolved.

If referring to this thread you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.

You may also contact a HJT Team Member, and reference the link location address. Happy New Year. :thumbsup: :flowers:
patiently patrolling, plenty of persistent pests n' problems ...



