AnandTech Forums > Software > Software for Windows
07-06-2004, 12:45 PM   #1
Schadenfroh
Elite Member
Join Date: Mar 2003
Location: Boston
Posts: 38,418
Guide to Removing and Preventing Spyware/Adware/Hijacking/Viruses

See Section B, C, and D of the

Consolidated Security Thread

It now has the Guide to Malware removal and prevention. Please talk about malware and malware removal/prevention products there.
__________________
"how we live is so far removed from how we ought to live, that he who abandons what is done for what ought to be done, will rather bring about his own ruin than his preservation"
- Niccolò Machiavelli
07-07-2004, 07:39 PM   #2
Teliasen
Senior Member
Join Date: May 2004
Posts: 502
How to remove Spyware/Adware/Hijacking

Schadenfroh's anti-spyware site

https://home.comcast.net/~quako33/spyware.htm
07-07-2004, 10:06 PM   #3
us3rnotfound
Diamond Member
Join Date: Jun 2003
Posts: 5,229
RE: How to remove Spyware/Adware/Hijacking

k
07-08-2004, 04:24 AM   #4
MidasKnight
Diamond Member
Join Date: Apr 2004
Location: Oregon
Posts: 3,202
RE: How to remove Spyware/Adware/Hijacking

Thanks
__________________
Heat (since 1999)


STEELERS !
07-08-2004, 07:54 AM   #5
ViciouS
Golden Member
Join Date: Apr 2001
Posts: 1,257
RE: How to remove Spyware/Adware/Hijacking

What do you guys think of Mozilla? Is it a better option than IE? Seems to have fewer holes, nice pop-up blocker. Seems more secure, I've been getting less spyware with it.


Mozilla Firefox
07-08-2004, 09:09 AM   #6
Mem
Lifer
Join Date: Apr 2000
Location: London
Posts: 20,947
How to remove Spyware/Adware/Hijacking

Reminder guys, SpywareBlaster 3.2 is out, link.

Quote:
SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.

Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on the Internet today. By simply browsing to a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!

The most important step you can take is to secure your system and SpywareBlaster is the most powerful protection program available.

Its main features include:
- Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
- Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
- Restrict the actions of potentially dangerous sites in Internet Explorer.

SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web. And unlike other programs, SpywareBlaster does not have to remain running in the background.

SpywareBlaster is freeware for personal and educational use.

The version adds Firefox 0.9 support and fixes several bugs.
__________________
No.6: "I've Resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered! My life is my own." .
07-08-2004, 11:29 AM   #7
staticfly
Member
Join Date: Feb 2001
Posts: 179
RE: How to remove Spyware/Adware/Hijacking

I need some help for this one. There are two problems, I'm not sure if they are related. First, rundll32.exe uses 100% of the CPU (I really don't think this should be there). Second, something keeps hijacking the homepage. It actually writes a new hosts file and redirects MSN and Netscape searches to a different IP. I've run all of the above programs, none seem to catch it. I know some of this stuff is up to no good, but I'm not sure what to do. Please help! (btw, it is running Norton AntiVirus with updated definitions.) Thanks.

Logfile of HijackThis v1.98.0
Scan saved at 10:35:35 AM, on 7/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\jessegl\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = \Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Todo Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurotopecoches\local.htm (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/200b2564f786600...p/RdxIE601.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialer...ecomendada.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210:8111/AxisCamControl.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O20 - AppInit_DLLs: NVDESK32.DLL
07-08-2004, 03:44 PM   #8
John
Moderator Emeritus
Elite Member
Join Date: Oct 1999
Location: West TX
Posts: 33,944
How to remove Spyware/Adware/Hijacking

I would remove the following:

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O9 - Extra button: Todo Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurotopecoches\local.htm (file missing)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/200b2564f786600...p/RdxIE601.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialer...ecomendada.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210:8111/AxisCamControl.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
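The three O1 lines John lists are hosts-file overrides: the machine resolves auto.search.msn.com and search.netscape.com from its own hosts file before ever asking DNS, which is why staticfly's searches kept landing on one outside address no matter what the scanners said. The script below is an added example, not from this thread or from any of the tools mentioned in it; it audits a Windows-style hosts file (comments, tabs, several names on one line, IPv4 and IPv6), reports every entry whose target is not a loopback or sinkhole address, and writes a copy with the redirecting lines commented out rather than deleted, so the change can be undone. The sample hosts content is constructed to resemble the entries quoted above.

```python
"""Audit a Windows hosts file for entries that redirect well-known names.

Added example, not from this thread or from any tool mentioned in it. The
hosts file is consulted before DNS, so a mapping like the O1 lines above
silently sends a browser elsewhere while DNS itself looks clean.
"""
import ipaddress

# Constructed sample: the two hijack entries quoted in the thread plus normal lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan          # LAN entry: not loopback, but private
69.20.16.183    auto.search.msn.com
69.20.16.183\tsearch.netscape.com ieautosearch
0.0.0.0         ads.example.test     # sinkhole entry, harmless
"""


def parse_hosts(text):
    """Return a list of (line_no, ip_address, [hostnames]) for each active entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, ignore
        if len(fields) > 1:
            entries.append((line_no, ip, fields[1:]))
    return entries


def audit_hosts(text):
    """Flag entries that point names somewhere other than loopback/unspecified.

    verdict 'lan'      : private address, normally an intentional local mapping
    verdict 'redirect' : public address, the pattern seen in the thread's O1 lines
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0: normal or sinkhole use
        verdict = "lan" if ip.is_private else "redirect"
        findings.append({"line": line_no, "ip": str(ip), "names": names, "verdict": verdict})
    return findings


def neutralize(text, findings):
    """Return the hosts text with 'redirect' lines commented out; nothing is deleted."""
    flagged = {f["line"] for f in findings if f["verdict"] == "redirect"}
    out = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        out.append("# disabled by hosts audit: " + raw if line_no in flagged else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = audit_hosts(SAMPLE_HOSTS)
    for h in hits:
        print(f"line {h['line']}: {h['ip']} -> {' '.join(h['names'])} [{h['verdict']}]")
    print(neutralize(SAMPLE_HOSTS, hits))
```

On a real machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the 'lan' verdict exists so that deliberate local mappings are listed but not disabled, and the commented-out copy can be diffed against the original before it is put in place.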
07-08-2004, 05:42 PM   #9
tweeve2002
Senior Member
Join Date: Sep 2003
Posts: 474
How to remove Spyware/Adware/Hijacking

I just used Ad-aware on my Uncle's computer and it removed just over 1000 objects. I'm running Ad-aware on my cousin's computer and she has over 21,000 objects and it keeps growing :Q
07-08-2004, 09:02 PM   #10
bernie48
Member
Join Date: Apr 2001
Posts: 47
How to remove Spyware/Adware/Hijacking

Want to thank Schadenfroh for his excellent tutorial. I spent an entire afternoon cleaning my desktop of garbage, but was spared the same tribulation on my laptop after employing preventative maintenance and programs. And I'm so thankful I don't have to worry about the office PC now! Also I am not using IE anymore, at home or at the office. I like both Firefox and Opera.
07-09-2004, 01:41 AM   #11
boxed
Member
Join Date: Dec 2003
Posts: 183
RE: Guide to removing and preventing Spyware/Adware/Hijacking

Umm, I keep on getting this "clickspring.net" popup from purity port scan... help... tried everything... adware, spybot, cw something... norton...
07-09-2004, 11:11 AM   #12
Schadenfroh
Elite Member
Join Date: Mar 2003
Location: Boston
Posts: 38,418
Guide to removing and preventing Spyware/Adware/Hijacking

boxed, make sure all those are up to date and rerun the scan. If that fails, post your HijackThis log.
__________________
"how we live is so far removed from how we ought to live, that he who abandons what is done for what ought to be done, will rather bring about his own ruin than his preservation"
- Niccolò Machiavelli
07-09-2004, 11:15 AM   #13
boxed
Member
Join Date: Dec 2003
Posts: 183
Guide to removing and preventing Spyware/Adware/Hijacking

Ya, everything is up to date...

And where can I find this HijackThis log?
07-09-2004, 11:29 AM   #14
Schadenfroh
Elite Member
Join Date: Mar 2003
Location: Boston
Posts: 38,418
Guide to removing and preventing Spyware/Adware/Hijacking

A link to download it can be found under the "If the steps above fail:" part of the removal guide. Simply paste the results of the scan into the forums. But don't fix anything just yet, it can really fvk up your system if you fix the wrong one.
__________________
"how we live is so far removed from how we ought to live, that he who abandons what is done for what ought to be done, will rather bring about his own ruin than his preservation"
- Niccolò Machiavelli
07-09-2004, 11:46 AM   #15
OrByte
Diamond Member
Join Date: Jul 2000
Location: sacramento
Posts: 8,856
RE: Guide to removing and preventing Spyware/Adware/Hijacking

Thanks to everyone that is contributing to this effort!

I get to go home now and see what kind of damage has been done.

*cringe*
__________________
"It is good to keep in mind that the screw that tightens the mechanism is also the one that loosens it." - From a Japanese air rifle manual, circa 1971

"Being happy doesn't mean that everything is perfect. It means that you have decided to look beyond the imperfections" - unknown
07-09-2004, 12:03 PM   #16
simms
Diamond Member
Join Date: Sep 2001
Posts: 8,212
RE: Guide to removing and preventing Spyware/Adware/Hijacking

Logfile of HijackThis v1.97.7
Scan saved at 9:57:31 AM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\system32\atlbe.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\llidstone\Local Settings\Temporary Internet Files\Content.IE5\Q5CJI165\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\noqul.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://noqul.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://noqul.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\noqul.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://noqul.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\noqul.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {F46FA47B-6291-D27B-D125-BCEEBB49E346} - C:\WINDOWS\ierw.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [atlbe.exe] C:\WINDOWS\system32\atlbe.exe
O4 - HKLM\..\RunOnce: [apiof32.exe] C:\WINDOWS\system32\apiof32.exe
O4 - HKLM\..\RunOnce: [appnq.exe] C:\WINDOWS\appnq.exe
O4 - HKLM\..\RunOnce: [javawu.exe] C:\WINDOWS\system32\javawu.exe
O4 - HKLM\..\RunOnce: [msgh.exe] C:\WINDOWS\system32\msgh.exe
O4 - HKLM\..\RunOnce: [addbm32.exe] C:\WINDOWS\addbm32.exe
O4 - HKLM\..\RunOnce: [ierb32.exe] C:\WINDOWS\system32\ierb32.exe
O4 - HKLM\..\RunOnce: [iefq.exe] C:\WINDOWS\iefq.exe
O4 - HKLM\..\RunOnce: [netbl.exe] C:\WINDOWS\system32\netbl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...949.4884953704
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jastram.com
O17 - HKLM\Software\..\Telephony: DomainName = jastram.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jastram.com
07-09-2004, 12:19 PM   #17
Schadenfroh
Elite Member
Join Date: Mar 2003
Location: Boston
Posts: 38,418
Guide to removing and preventing Spyware/Adware/Hijacking

simms,
remove the following, remember to kill the process in process viewer before removing

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\noqul.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://noqul.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://noqul.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\noqul.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://noqul.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\noqul.dll/sp.html#96676
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {F46FA47B-6291-D27B-D125-BCEEBB49E346} - C:\WINDOWS\ierw.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jastram.com
O17 - HKLM\Software\..\Telephony: DomainName = jastram.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jastram.com

cannot confirm the following, but they look very suspicious (see if removing the ones above solves the problem before messing with these; you might want to use the startup list in Spybot to disable them and re-enable them if needed, much safer for the startups like RunOnce)
O4 - HKLM\..\Run: [atlbe.exe] C:\WINDOWS\system32\atlbe.exe
O4 - HKLM\..\RunOnce: [apiof32.exe] C:\WINDOWS\system32\apiof32.exe
O4 - HKLM\..\RunOnce: [appnq.exe] C:\WINDOWS\appnq.exe
O4 - HKLM\..\RunOnce: [msgh.exe] C:\WINDOWS\system32\msgh.exe
O4 - HKLM\..\RunOnce: [addbm32.exe] C:\WINDOWS\addbm32.exe
O4 - HKLM\..\RunOnce: [ierb32.exe] C:\WINDOWS\system32\ierb32.exe
O4 - HKLM\..\RunOnce: [iefq.exe] C:\WINDOWS\iefq.exe
O4 - HKLM\..\RunOnce: [netbl.exe] C:\WINDOWS\system32\netbl.exe
__________________
"how we live is so far removed from how we ought to live, that he who abandons what is done for what ought to be done, will rather bring about his own ruin than his preservation"
- Niccolò Machiavelli
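The replies in this thread triage HijackThis logs by eye, and the same few patterns come up each time: R0/R1 pages served out of a local DLL via res://, O1 hosts overrides, anonymous O2 BHOs dropped straight into the Windows directory, a pile of O4 RunOnce entries, O16 ActiveX downloads from a bare IP address or with no class name, and O17 domain changes. The script below is an added example, not from the thread, from HijackThis, or from Schadenfroh's guide; it parses the log format shown above and applies those heuristics so the suspect lines are listed with a reason before anyone clicks Fix. Severities and rules are this example's own choices, and the sample log is constructed to resemble the entries quoted in the thread.

```python
"""Triage a HijackThis log with the patterns the replies in this thread apply by hand.

Added example, not from the thread or from HijackThis. It only reports; it does not
change anything on the machine, in line with the advice above to post the log first.
"""
import re
from urllib.parse import urlparse

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
# A DLL sitting directly in %WINDIR% or System32 with no vendor folder around it.
WINDIR_RE = re.compile(r"\\(windows|winnt)\\(system32\\)?[^\\]+$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DPF_NAMED_RE = re.compile(r"^DPF: \{[0-9A-F-]+\} \(", re.I)

# Constructed sample, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\noqul.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {F46FA47B-6291-D27B-D125-BCEEBB49E346} - C:\WINDOWS\ierw.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\RunOnce: [netbl.exe] C:\WINDOWS\system32\netbl.exe
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialer.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.test
""".strip()


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    if code in ("R0", "R1"):
        value = rest.partition("=")[2].strip().lower()
        if value.startswith("res://"):
            return ("high", "IE page setting served from a local DLL resource: " + value)
        if value == "about:blank":
            return ("low", "IE setting reset to about:blank (common leftover of a hijack)")
    elif code == "O1":
        return ("high", "hosts-file override: " + rest.partition(":")[2].strip())
    elif code == "O2":
        path = rest.rsplit(" - ", 1)[-1]
        if "(no name)" in rest and (path == "(no file)" or WINDIR_RE.search(path)):
            return ("high", "anonymous BHO loading " + path)
    elif code == "O4":
        if "RunOnce" in rest:
            return ("medium", "RunOnce autostart, unusual to see persisting: " + rest)
    elif code == "O16":
        head, _, url = rest.partition(" - ")
        host = urlparse(url.strip()).hostname or ""
        if IPV4_RE.match(host):
            return ("high", "ActiveX object downloaded from a bare IP address: " + host)
        if not DPF_NAMED_RE.match(head):
            return ("medium", "ActiveX object with no class name: " + head)
    elif code == "O17":
        return ("info", "TCP/IP domain/nameserver setting, confirm it is yours: " + rest)
    elif code == "O10":
        return ("info", "Winsock LSP chain problem: " + rest)
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns finding dicts in log order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        hit = triage_line(line)
        if hit:
            findings.append({"line": n, "severity": hit[0], "reason": hit[1], "entry": line.strip()})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f['line']:2d} [{f['severity']:6s}] {f['reason']}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Vendor BHOs that HijackThis 1.97 lists as "(no name)" (Adobe, Google, Spybot's SDHelper) stay quiet because they live under Program Files; only anonymous DLLs in the Windows directory itself, or missing files, are raised. O17 entries are reported as informational on purpose: the same line is a hijack on a home PC and perfectly normal on a domain-joined one, so only the owner can decide.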
07-09-2004, 12:29 PM   #18
boxed
Member
Join Date: Dec 2003
Posts: 183
Guide to removing and preventing Spyware/Adware/Hijacking

Logfile of HijackThis v1.98.0
Scan saved at 1:29:09 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\Program Files\Project1\Soltek_HM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\NJSTAR~1\NJCOM32.EXE
C:\WINDOWS\System32\cjamdclg.exe
C:\Program Files\Tencent\qq\QQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tommy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {368D6428-B732-789C-D955-64550CD77A48} - C:\WINDOWS\System32\jhwjuqg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\System32\autorun.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Whrc] C:\WINDOWS\System32\cjamdclg.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Soltek HM V2.04.LNK = C:\Program Files\Project1\Soltek_HM.exe
O4 - Startup: Tencent QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\qq\QQ.exe
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\qq\QQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60...p/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab28578.cab
07-09-2004, 12:32 PM   #19
ViciouS
Golden Member
Join Date: Apr 2001
Posts: 1,257
RE: Guide to removing and preventing Spyware/Adware/Hijacking

Logfile of HijackThis v1.98.0
Scan saved at 1:30:13 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Eric\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://support.vugames.com/betasubmi...sysinfo/Si.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94873CCD-B57C-4DC2-8F38-CDC865AC6575}: NameServer = 192.168.2.1,4.2.2.2
Old 07-09-2004, 12:50 PM   #20
Schadenfroh
Elite Member
Join Date: Mar 2003
Location: Boston
Posts: 38,418
Default Guide to removing and preventing Spyware/Adware/Hijacking

Boxed,
remove the following, remember to kill the process in process viewer before removing

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {368D6428-B732-789C-D955-64550CD77A48} - C:\WINDOWS\System32\jhwjuqg.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Whrc] C:\WINDOWS\System32\cjamdclg.exe
O4 - Startup: Tencent QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\qq\QQ.exe
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\qq\QQ.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60...p/RdxIE601.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -

suspicious of the following (see if removing the above fixes the problems before removing the ones below)
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

notes
Tencent QQ messenger is classified as adware, see this, look for alternative messengers
I would also recommend uninstalling RealPlayer, it's a pain in the butt
You also might have the about:blank hijack, see my new threats page on my guide for more info
__________________
"how we live is so far removed from how we ought to live, that he who abandons what is done for what ought to be done, will rather bring about his own ruin than his preservation"
- Niccolò Machiavelli
Old 07-09-2004, 12:57 PM   #21
Schadenfroh
Elite Member
Join Date: Mar 2003
Location: Boston
Posts: 38,418
Default RE: Guide to removing and preventing Spyware/Adware/Hijacking

ViciouS,

I can't find anything bad with your HijackThis log, what kind of problems are you having?

the only semi-suspicious things are these, but I would not remove them unless you are having problems
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{94873CCD-B57C-4DC2-8F38-CDC865AC6575}: NameServer = 192.168.2.1,4.2.2.2
Old 07-09-2004, 01:09 PM   #22
boxed
Member
Join Date: Dec 2003
Posts: 183
Default RE: Guide to removing and preventing Spyware/Adware/Hijacking

I don't have RealPlayer... I uninstalled it a while ago
Old 07-09-2004, 01:24 PM   #23
boxed
Member
Join Date: Dec 2003
Posts: 183
Default RE: Guide to removing and preventing Spyware/Adware/Hijacking

Does this look good?

Logfile of HijackThis v1.98.0
Scan saved at 2:24:42 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\Program Files\Project1\Soltek_HM.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\NJSTAR~1\NJCOM32.EXE
C:\Program Files\Tencent\qq\QQ.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tommy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=133014
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\System32\autorun.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Soltek HM V2.04.LNK = C:\Program Files\Project1\Soltek_HM.exe
O8 - Extra context menu item: Add QQ Net Favorite - C:\Program Files\Tencent\TT\NAF.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab28578.cab
Old 07-09-2004, 01:48 PM   #24
Schadenfroh
Elite Member
Join Date: Mar 2003
Location: Boston
Posts: 38,418
Default Guide to removing and preventing Spyware/Adware/Hijacking

Boxed
remove
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=133014

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -

and uninstall Tencent qq
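The replies above (#20 and #24) triage the posted logs by hand: IE start/search settings hijacked to about:blank or an unknown search host, an unnamed BHO in System32, an O16 ActiveX (DPF) entry with no download URL, an unresolvable startup shortcut, a Run entry for known adware, and the "semi-suspicious" O10 missing-LSP and O17 public-DNS lines that should only be acted on if there are real symptoms. The script below is an added example, not code from this thread or from HijackThis: it parses that log line format and applies the same first-pass checks. The adware name list and the allowlist of benign start-page hosts are assumptions drawn from the thread, not a real signature set, and the sample log is constructed from lines quoted in these posts.

```python
"""Triage helper for HijackThis-style log lines (added example; not HijackThis's
own code). Parses the numbered `Rx - ...` / `Oxx - ...` entries and applies the
first-pass heuristics the thread's replies apply by hand."""
import ipaddress
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [Name] path"  ->  kind="O4", body="HKLM\..\Run: [Name] path"
LINE_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")

# Run-key names the replies above call adware (page-derived, not a signature set).
ADWARE_RUN_NAMES = {"internet optimizer", "vvsn"}
# Hosts that are unremarkable as an IE start/search setting (assumed allowlist).
BENIGN_SETTING_HOSTS = {"www.microsoft.com", "www.msn.com", "www.google.com"}


@dataclass
class Entry:
    kind: str
    body: str
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Keep the numbered entries; the header and the running-process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def _setting_reasons(body):
    # R0/R1: "...\Main,Start Page = <value>"
    value = body.partition(" = ")[2].strip().lower()
    if value == "about:blank":
        return ["IE setting hijacked to about:blank"]
    if value.startswith("http"):
        host = re.sub(r"^https?://", "", value).split("/")[0]
        if host not in BENIGN_SETTING_HOSTS:
            return ["IE search/start setting points at " + host]
    return []


def _bho_reasons(body):
    # O2: an unnamed helper object is worth checking against its DLL path;
    # legitimate ones (e.g. Spybot's SDHelper.dll) also show up this way.
    return ["unnamed BHO; verify the DLL belongs to software you installed"] \
        if body.startswith("BHO: (no name)") else []


def _run_reasons(body):
    # O4: autostart entries from Run keys and Startup folders
    m = re.search(r"\[([^\]]+)\]", body)
    if m and m.group(1).strip().lower() in ADWARE_RUN_NAMES:
        return ["autostart entry '%s' is known adware" % m.group(1)]
    if body.rstrip().endswith("= ?"):
        return ["startup shortcut whose target cannot be resolved"]
    return []


def _lsp_reasons(body):
    # O10: a missing Winsock LSP can break networking; only act if it actually is broken
    return ["missing LSP provider; repair only if internet access is broken"] \
        if "missing" in body else []


def _dpf_reasons(body):
    # O16: ActiveX download entries should carry a source URL after the last " - "
    return [] if re.search(r" - \S+$", body) else ["DPF entry with no download URL"]


def _dns_reasons(body):
    # O17: resolvers outside private address space deserve a second look
    public = []
    for s in body.partition("NameServer = ")[2].split(","):
        try:
            if not ipaddress.ip_address(s.strip()).is_private:
                public.append(s.strip())
        except ValueError:
            pass
    return ["DNS server(s) outside the local network: " + ", ".join(public)] if public else []


CHECKS = {"R0": _setting_reasons, "R1": _setting_reasons, "O2": _bho_reasons,
          "O4": _run_reasons, "O10": _lsp_reasons, "O16": _dpf_reasons,
          "O17": _dns_reasons}


def triage(text):
    """Return only the entries that trip a heuristic, with their reasons filled in."""
    flagged = []
    for entry in parse_hjt(text):
        check = CHECKS.get(entry.kind)
        if check:
            entry.reasons = check(entry.body)
            if entry.reasons:
                flagged.append(entry)
    return flagged


# Constructed sample, assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=133014
O2 - BHO: (no name) - {368D6428-B732-789C-D955-64550CD77A48} - C:\WINDOWS\System32\jhwjuqg.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{94873CCD-B57C-4DC2-8F38-CDC865AC6575}: NameServer = 192.168.2.1,4.2.2.2
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.kind, "-", e.body)
        for r in e.reasons:
            print("    ->", r)
```

The checks are deliberately only a first pass, in the spirit of the replies: an unnamed BHO or a public DNS server is a prompt to look at the file or the resolver, not a verdict, and the O10 line is left alone unless connectivity is actually broken. Anything flagged still needs the same manual confirmation the thread gives it before an entry is fixed.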
Old 07-09-2004, 08:50 PM   #25
leigh6
Diamond Member
Join Date: Jun 2004
Posts: 3,011
Default RE: Guide to removing and preventing Spyware/Adware/Hijacking

Hi,

This is Leigh6. I was the one who had the Google hijack my home page. To repeat. I had the res:// stuff and the about blank stuff. I followed ALL the stuff to do at every site I visited (And of course yours). I ran cwshredder, about buster, and tune up utilities. I ran hijackthis and had someone look at it. Deleted the bad stuff. Ran all of the utilities and installed Spyware Blaster. After running AVG, Spybot, adaware etc. it looked fine for a day. THEN THIS!!! I have had no popups yet, only the home page being hijacked. My new hijackthis log follows: Any help would be greatly appreciated:

Logfile of HijackThis v1.98.0
Scan saved at 9:49:18 PM, on 7/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\mmtask.tsk
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\TASKMON.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\WINDOWS.000\SYSTEM\HPSJVXD.EXE
C:\WINDOWS.000\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS.000\SYSTEM\DDHELP.EXE
C:\WINDOWS.000\RUNDLL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
C:\WINDOWS.000\SYSTEM\WINOA386.MOD
C:\WINDOWS.000\SYSTEM\WINOA386.MOD
C:\WINDOWS.000\SYSTEM\WINOA386.MOD
C:\WINDOWS.000\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS.000\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.000\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS.000\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS.000\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS.000\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS.000\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.000\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/048772f02c1df43...p/RdxIE601.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/C...orLauncher.cab