Need help with spyware. This is pissing me off

FFactory0x

Diamond Member
Logfile of HijackThis v1.97.7
Scan saved at 1:51:44 PM, on 3/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\games\steam\steam.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\System32\oisen.exe
C:\Documents and Settings\Hijack\Local Settings\Temporary Internet Files\Content.IE5\OBMT09CT\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.anandtech.com/
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 thehun.net #cooklop
O1 - Hosts: 64.200.25.145 www.thehun.net #cooklop
O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 free6.com #cooklop
O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM32\shdocvw.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktine\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oisen] C:\WINDOWS\System32\oisen.exe
O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26161044c2be18283b04/netzip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4285/mcfscan.cab


That's what HijackThis says.

I had this one file, rnmngrp.exe, which I deleted. Now there is a suspicious oisen.exe process. What do I do to get rid of this and fix my comp? I hate when I leave my comp unlocked only to come in and find this stuff on there.
 

EagleKeeper

Discussion Club Moderator, Elite Member
Staff member
Do not leave it unlocked or restrict what can be dumped on it.
 

monzie

Senior member
Get Adaware and Spybot S&D (update them both first) and run them both.

A quick glance tells me your Hosts file is packed with nasties.
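
The Hosts-file check mentioned above can be done mechanically on a saved HijackThis log. This is an added example, not part of the thread: it parses the `O1 - Hosts:` lines and groups hostnames by the non-local address they are redirected to. The sample log is constructed in the format of the log posted above, and the `ads.example.test` line and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the log posted above.
# The 127.0.0.1 entry is invented to show a local "block" entry for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.anandtech.com/
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
O1 - Hosts: 127.0.0.1 ads.example.test
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O4 - HKLM\..\Run: [oisen] C:\WINDOWS\System32\oisen.exe
"""

# "O1 - Hosts: <address> <hostname> [#comment]"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)(?:\s+#\s*(.*))?$")

def parse_hosts_entries(log_text):
    """Return (ip, hostname, comment) for every O1 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3) or ""))
    return entries

def is_sinkhole(ip_text):
    """True for addresses used to block a host locally (loopback or 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: report it rather than treat it as a block
    return ip.is_loopback or ip.is_unspecified

def suspicious_redirects(log_text):
    """Group hostnames by the non-local address the Hosts file points them at."""
    grouped = defaultdict(list)
    for ip, host, _comment in parse_hosts_entries(log_text):
        if not is_sinkhole(ip):
            grouped[ip].append(host)
    return dict(grouped)

if __name__ == "__main__":
    for ip, hosts in suspicious_redirects(SAMPLE_LOG).items():
        print(f"{ip}: {len(hosts)} hostname(s) redirected -> {', '.join(hosts)}")
```

Many unrelated hostnames pointing at one remote address, as in the posted log, is the pattern to look for; entries pointing at loopback are ordinary block lists.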
 

Schadenfroh

Elite Member
1st Run LSP-Fix

2nd Run CWS smartkiller removal tool

3rd Run CWShredder check for updates and run

4th Run Spybot search and destroy
Check for updates and install them, then check for problems and fix problems. Reboot if prompted at the end and fix problems after it scans on boot up, then go into immunize and immunize it, block bad pages silently and check the boxes down on the bottom to prevent hijacking.

5th Run Adaware
Update it, scan and delete the problems found.

6th Run Spyware blaster and keep spyware from being installed, update first then apply the new ones
NOTE: if spyware blaster says msvbvm60.dll is missing, install this or if it says MSCOMCTL.OCX cannot be found, install this

7th For even more protection, try spyware guard. It functions much like zonealarm, except for spybots, with an item in your tray, and will help in real-time spyware protection.
NOTE: if spyware guard says msvbvm60.dll is missing, install this or if it says MSCOMCTL.OCX cannot be found, install this

8th Make sure your AntiVirus is up to date and do a full system scan. If you have no antivirus, you need to get AVG, a freeware antivirus that some people say rivals NAV.

9th Make sure your firewall is up to date (to test your firewall, go here and run shields up!) and if you have no firewall, you need to get zonealarm.

10th Check your IE explorer settings (Tools>internet options>privacy) to make sure privacy is set on at least medium and security setting (Tools>internet options>security) is likewise, and reset your homepage manually.

Note: remember to keep all of these programs updated and run Spybot Search and Destroy and Adaware scans once a month at least.

11th If all else fails to fix your hijacking/spyware problems, run hijackthis and startup list and post their logs on AT forums. In the meantime try firefox, a great alternative to internet explorer that usually has fewer problems with spyware and hijacking.
 

OZEE

Senior member
Yup - do what Schadenfroh said. Then rerun your HJT and repost it.