Trouble with some spyware


18 replies to this topic

#1 of 19   Steve_Tk

    Screenwriter

  • 2,833 posts
  • Join Date: Apr 30 2002

Posted September 04 2006 - 10:17 AM

A while back I reformatted my entire hard drive, but forgot to load my firewall on my computer. So I was only using windows firewall, guess that was my first mistake.

My girlfriend went to some site to look up lyrics to a song and all hell broke loose. Something changed my home page, I had strange icons on my task bar, my computer would take FOREVER to start up.

It seems everything has been removed, and whatever programs were put into the C drive, except one thing. When browsing webpages I'll get a random pop up window every 10-15 minutes with some advertisement. It's not coming from web sites I'm looking at either. I know HTF, Discover, and Wachovia do not have advertisement pop ups.

Any ideas? I'm thinking of just reformatting again.

#2 of 19   Alon Goldberg

    Screenwriter

  • 1,131 posts
  • Join Date: Jul 10 2006

Posted September 04 2006 - 10:33 AM

Hi Steve - follow these steps:

1. Run Microsoft Update and ensure all Windows and Office updates are installed: http://update.microsoft.com/
2. Install Ad-Aware: http://www.lavasoftu...ftware/adaware/
3. Install Spybot S&D: http://www.safer-net...load/index.html
4. Install Windows Defender: http://www.microsoft....e/default.mspx
5. Install the latest version of Java: http://www.java.com/
6. Ensure your Anti Virus protection is up to date. Suggest installing AVG: http://free.grisoft.com/
7. Ensure your Windows Firewall is enabled, and ensure you have a hardware firewall (for instance a wireless router)

And last but not least... stop using IE. Firefox is a far superior browser: http://www.mozilla.com/firefox/

#3 of 19   Cees Alons

    Executive Producer

  • 18,640 posts
  • Join Date: Jul 31 1997
  • Real Name: Cees Alons

Posted September 04 2006 - 10:36 AM

Steve,

I use Webroot SpySweeper. You could give it a try. I believe you'll have a free period for some time first. Another option is Lavasoft Ad-aware (see previous post), but I haven't used that one for a while.

SpySweeper is good, I took a subscription.
But the core-resident version of the latest release (V 5) takes a lot of core and "steals" the CPU for two or three seconds every two minutes (or so). I don't like that behaviour.
But it really works great! You should try one of these, IMO, before formatting your HD.


Cees

#4 of 19   ThomasC

    Lead Actor

  • 6,526 posts
  • Join Date: Dec 15 2001

Posted September 04 2006 - 10:39 AM

Quote:
Originally Posted by Steve_Tk
A while back I reformatted my entire hard drive, but forgot to load my firewall on my computer. So I was only using windows firewall, guess that was my first mistake.
As far as I know, Windows Firewall is pretty good at what it does. Your girlfriend might have accidentally clicked on something that installed the spyware.

#5 of 19   Robert_Gaither

    Screenwriter

  • 1,370 posts
  • Join Date: Mar 12 2002

Posted September 04 2006 - 11:45 AM

Quote:
Originally Posted by Alon Goldberg
Hi Steve - follow these steps:

1. Run Microsoft Update and ensure all Windows and Office updates are installed: http://update.microsoft.com/
2. Install Ad-Aware: http://www.lavasoftu...ftware/adaware/
3. Install Spybot S&D: http://www.safer-net...load/index.html
4. Install Windows Defender: http://www.microsoft....e/default.mspx
5. Install the latest version of Java: http://www.java.com/
6. Ensure your Anti Virus protection is up to date. Suggest installing AVG: http://free.grisoft.com/
7. Ensure your Windows Firewall is enabled, and ensure you have a hardware firewall (for instance a wireless router)

And last but not least... stop using IE. Firefox is a far superior browser: http://www.mozilla.com/firefox/


Wow, looks like most of the short list that I have on my computer, but I also use the following:

Noadware to knock out those sites that like to hijack the homepage. http://www.noadware.net/?hop=boost4

AVG is resource friendly, but the free one is not a continuous scan product. I recommend Avast mostly, though this is resource hungry (you will notice this will slow down your computer), but to me the security it provides, if it's an only computer that does online transactions, is a must. http://www.free-prog...load.com/avast/

#6 of 19   Greg*go

    Supporting Actor

  • 941 posts
  • Join Date: Jun 14 2002

Posted September 04 2006 - 12:36 PM

Ewido is another anti-spyware option that offers a free version.

http://www.ewido.net/en/

You can run a scan with the free version, but the resident scanner is only with the pay for version.

I myself don't run any adware programs on my desktop. I'll occasionally do a scan with one of the programs mentioned above (all are good options) and never find anything. I also have windows firewall & my router firewall setup as well. Running Firefox also does wonders.
I certainly don't expect anyone to remember me 65 years after I die, but you wouldn't know that from the way I act.

#7 of 19   Carl Miller

    Screenwriter

  • 1,461 posts
  • Join Date: Mar 17 2002

Posted September 04 2006 - 12:41 PM

I second the spysweeper recommendation. Their site has a free "spyaudit" tool you can use that's excellent.

If the programs recommended (whichever you decide to run) don't remove this thing, search Google for a program called HiJack This, download it, run it, print the log and go to petercoyote.com to post the log in the HiJack This forum area. Someone skilled will read the log and tell you what you need to remove.
Carl

#8 of 19   Rommel_L

    Second Unit

  • 355 posts
  • Join Date: Apr 25 2000

Posted September 04 2006 - 07:04 PM

Steve,

Run HiJackThis and post the logfile here...

#9 of 19   Scott Merryfield

    Executive Producer

  • 10,512 posts
  • Join Date: Dec 16 1998
  • Location: Michigan

Posted September 05 2006 - 12:16 AM

Lots of great suggestions above. One other freeware tool I use is Spyware Blaster, which actively blocks known spyware.

My "protection" toolkit includes:

Hardware firewall
Software firewall (ZoneAlarm on one PC, Windows FW on the other)
AVG Anti-virus
Spyware Blaster
Windows Update (keep those security patches up-to-date)
Lavasoft Adaware
Spybot
HiJack This! (only needed it a couple of times, but it's a powerful tool)
Firefox browser

I like ZoneAlarm better than the built-in Windows firewall. ZoneAlarm will alert you to any new application that attempts to access the Internet and allow you to either permit or deny access. Unfortunately, I've experienced problems with ZA locking up the Internet connection on my newer HP Pavilion, so I just use Windows firewall to supplement my external hardware firewall. I still run ZA on the Dell PC that my wife uses.

#10 of 19   Al.Anderson

    Screenwriter

  • 2,186 posts
  • Join Date: Jul 02 2002
  • Real Name: Al

Posted September 05 2006 - 01:11 AM

All of the products mentioned are good. But if you already have an infection I strongly second the recommendation to run Hijackthis - it's an invaluable resource for finding and getting rid of spyware.

We can probably help you here; but for even more dedicated resources try http://www.spywarein...erijn/index.php which is also good for some background on all the spyware activity.

#11 of 19   Don Giro

    Supporting Actor

  • 817 posts
  • Join Date: Jan 21 2004
  • Real Name: Don
  • Location: New Jersey

Posted September 05 2006 - 01:23 AM

Great advice here. One thing I'd like to add: Stay away from lyrics sites, they're usually LOADED with malware.
When she embraces, your heart turns to stone
She comes at night, when you're all alone
And when she whispers, your blood shall run cold
You'd better hide before she finds you...

#12 of 19   Kimmo Jaskari

    Screenwriter

  • 1,529 posts
  • Join Date: Feb 27 2000

Posted September 05 2006 - 02:27 AM

First of all, a firewall protects against active attacks over the Internet, i.e. if cracker x is sitting at his computer and trying to break into your machine actively, a firewall will make that more difficult. A firewall won't do squat about spyware etc.

If you haven't installed too much stuff on the machine, I'd personally recommend you reformat to get rid of all the crap. Then, immediately get every update available for Windows before you do anything else.

After that is done, install some form of antispyware software if you want to, then install Privoxy to filter out lots of crud and then never, ever surf with IE. If you must use it on some specific site because of bad web page design then load it up especially for that, but for daily browsing you should use either Opera 9 or Firefox. I prefer Opera - it has an unsurpassed security record and a really great user interface especially after you take an hour or two to explore and customize it.

With Opera and Privoxy, there is no site out there that worries me in the slightest. I see hardly any unwanted popups, and I feel confident that nothing will just hijack the computer and load tons of garbage onto it. Of course, you can still foul something up by downloading something nasty, which is why a solid antivirus program is a must, as well.
"If we do happen to step on a mine, Sir, what do we do?"
"Normal procedure, Lieutenant, is to jump 200 feet in the air and scatter oneself over a wide area." -- "BlackAdder 4"

#13 of 19   Steve_Tk

    Screenwriter

  • 2,833 posts
  • Join Date: Apr 30 2002

Posted September 05 2006 - 08:36 AM

Logfile of HijackThis v1.99.1
Scan saved at 4:35:54 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Steven\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo.../search.asp?si=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv11.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\kybrdff_13.exe
O4 - HKLM\..\Run: [defender] C:\dfndrff_13.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros....?1154817024468
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#14 of 19   Alon Goldberg

    Screenwriter

  • 1,131 posts
  • Join Date: Jul 10 2006

Posted September 05 2006 - 08:41 AM

Yikes... remove all of the bad sites from your IE Trusted Zone and reset your Search Engine to Microsoft or Google, for starters.

#15 of 19   DaveMcFar

    Extra

  • 20 posts
  • Join Date: Jan 02 2005

Posted September 05 2006 - 11:00 AM

Here's the file after I ran Hijack. What do I need to do?

Logfile of HijackThis v1.99.1
Scan saved at 5:54:58 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/i...G=home&SEC=bnav
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;*.prod.untd.com;
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros....?1130697329761
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - file://C:\Program Files\The Tournament Director\comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F44A7F93-E13A-430F-9DB0-DE3CFF4C34D6}: NameServer = 64.136.28.120 64.136.20.120
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

thanks

Dave

#16 of 19   Carl Miller

    Screenwriter

  • 1,461 posts
  • Join Date: Mar 17 2002

Posted September 05 2006 - 12:52 PM

When I recommended HiJack This, I stupidly said to go to the wrong site....

You guys who posted Hi Jack logs should go here: http://forums.tomcoyote.org/ to post your logs so someone can read them and recommend what to get rid of....HiJack This is a great tool, but you don't want to remove the wrong thing.
Carl

#17 of 19   Rommel_L

    Second Unit

  • 355 posts
  • Join Date: Apr 25 2000

Posted September 05 2006 - 01:34 PM

Steve Tk,

Yep, there are bugs in the PC. Do the following:

- If you don't have a third-party firewall program, turn on WinXP's built-in firewall program.
- Create a folder C:\Program Files\HiJackThis and move the HiJackThis.exe file here.
- Connect to the internet.
- Clear/clean cache and cookies folder of all internet browsers.
- Delete all files and folders contained in the following folders, but not the folders themselves:
  • C:\Documents and Settings\-profile name-\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
  • C:\Documents and Settings\-profile name-\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
  • C:\Documents and Settings\-profile name-\Local Settings\Temp
  • C:\Windows\Prefetch
  • C:\Windows\Temp
  • Recycle Bin
- Download, install, update and run the following antivirus / antispyware programs: AVG Free antivirus, Spybot S&D, Ad-Aware, MS Defender, SpywareBlaster and Cool Web Shredder.
- Run Microsoft's Malware Removal Tool. The file's name is MRT.exe. Search for it in C:\Windows\system32.

- Reboot in safe mode.
- Permanently delete the following files:
  • C:\WINDOWS\system32\xeymi.dll
  • C:\kybrdff_13.exe
  • C:\dfndrff_13.exe
Permanently delete file by highlighting mentioned file, press and hold the ctrl key, right-click the file and click on delete.
- Run HiJackThis, put a check beside the following processes and hit Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo.../search.asp?si=
R3 - Default URLSearchHook is missing
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [keyboard] C:\kybrdff_13.exe
O4 - HKLM\..\Run: [defender] C:\dfndrff_13.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -


- Reboot to normal boot.
- Connect to the internet.
- Download Java Runtime Environment (JRE) 5.0 Update 7, the latest version from Java. Remember to uninstall the old version first before installing the new one.
- Disable Messenger Service. It will help protect the computer from unwanted spam and other potential threats.
- Run Disk Defragmenter.
- Run HiJackThis and post the logfile here just to make sure all the bugs are cleaned up.

#18 of 19   Rommel_L

    Second Unit

  • 355 posts
  • Join Date: Apr 25 2000

Posted September 05 2006 - 01:50 PM

Dave,

I did not find any bugs in the system but do the following anyway for maintenance:

- Create a folder C:\Program Files\HiJackThis and move the HiJackThis.exe file here.
- Clear/clean cache and cookies folder of all internet browsers.
- Delete all files and folders contained in the following folders, but not the folders themselves:
  • C:\Documents and Settings\-profile name-\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
  • C:\Documents and Settings\-profile name-\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
  • C:\Documents and Settings\-profile name-\Local Settings\Temp
  • C:\Windows\Prefetch
  • C:\Windows\Temp
  • Recycle Bin
- Connect to the internet.
- Download, install, update and run the following antivirus / antispyware programs: AVG Free antivirus, Spybot S&D, Ad-Aware, MS Defender, SpywareBlaster and Cool Web Shredder.
- Download Java Runtime Environment (JRE) 5.0 Update 7, the latest version from Java. Remember to uninstall the old version first before installing the new one.
- Disable Messenger Service. It will help protect the computer from unwanted spam and other potential threats.
- I suggest removing/uninstalling the AOL toolbar and using the Google toolbar instead.

- Reboot in safe mode.
- Run HiJackThis, put a check beside the following processes and hit Fix checked:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

The following processes are unnecessary to run during startup.

- Reboot to normal mode.
- Run Disk Defragmenter.

#19 of 19   NickT

    Stunt Coordinator

  • 104 posts
  • Join Date: Nov 20 2001

Posted September 08 2006 - 06:42 PM

Steve TK, you have one nasty called Vundo on your system. It'll require a special fix to take care of beyond using Hijackthis. The suggestion to post at Tom Coyote is a good idea, and in fact, that is another forum I frequent. I am one of the people there who can answer Hijackthis logs, my profile. It's probably best to post over at Coyote, but here is what you need to do:

---------------------

You are running Hijackthis from a temp folder. This is not a good idea, because you will lose any backups that Hijackthis creates. Do the following to create a permanent folder to put Hijackthis into:

Click My Computer, then C:
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT folder. Put your HijackThis.exe there, and double click to run it later.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Once Vundofix is done, run Hijackthis and check the boxes next to all these, close all other windows, then click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo.../search.asp?si=
R3 - Default URLSearchHook is missing

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv11.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)

O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\kybrdff_13.exe
O4 - HKLM\..\Run: [defender] C:\dfndrff_13.exe

All of the O15 lines

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab

O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll


After that, restart the computer and enable hidden files by doing this:

* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

Then find and delete these files:

C:\WINDOWS\xload.exe
C:\kybrdff_13.exe
C:\dfndrff_13.exe


When done with this, I'd recommend scanning with Ewido Antispyware.

Download the trial version of Ewido anti-spyware from here and save it to your Desktop.

Double click the ewido-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, Ewido anti-spyware will open.
Updating Ewido:

By default Ewido is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either Ewido will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here. Once you have installed Ewido, double click ewido-signatures-full-current.exe to update it.

Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled. (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

Changing Recommended Actions:
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.

After you have installed and updated Ewido, click the Scanner button at the top and select Complete System Scan. Let Ewido do its scan and when done, do the recommended actions.


That should help to clean up the mess on your computer Steve. If you still have problems, post back with a new Hijackthis log and the Vundo log.
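The triage NickT and Rommel_L do by eye above (Trusted Zone wildcards, a BHO whose DLL is missing or is a bare file in system32, autoruns dropped straight into C:\ or C:\WINDOWS, an ActiveX .cab from an ad host, a text/html filter) can be written down as rules. The following Python script is an added example, not code from the thread or from HijackThis; it assumes the standard HijackThis line format and runs on a constructed sample log (entries from Steve's log with backslashes restored and the thread's truncated URLs replaced by .invalid placeholders).

```python
"""Heuristic triage of a HijackThis log (standard library only).

HijackThis prints one entry per line as '<type> - <detail>' (R0/R1 IE start/search
pages, O2 browser helper objects, O4 autoruns, O15 IE Trusted Zone, O16 ActiveX
downloads, O18 MIME filters).  The rules encode what the thread's reviewers checked
by hand; a hit means "review", never "delete": Spybot's SDHelper.dll must stay.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<detail>.*)$")
# First Windows path in an entry; non-greedy so 'C:\Program Files\...\x.EXE /run' keeps its spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cab)\b", re.I)
# Hosts allowed in O16 (ActiveX) and R0/R1 (search page) entries; extend for your own site.
KNOWN_GOOD_HOSTS = ("microsoft.com", "windowsupdate.com", "google.com", "msn.com")

@dataclass
class Finding:
    kind: str
    reason: str
    line: str

def _host_ok(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_GOOD_HOSTS)

def _dropped_outside_program_folder(path: str) -> bool:
    """True for C:\\foo.exe or C:\\WINDOWS\\foo.exe, the spots droppers favour."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) == 2 or (len(parts) == 3 and parts[1].upper() == "WINDOWS")

def triage_line(line: str):
    """Return a Finding for a suspicious entry, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                         # header or 'Running processes' line
    kind, detail = m.group("kind"), m.group("detail")
    found = PATH_RE.search(detail)
    path = found.group(0) if found else ""
    bare_system32_dll = "\\system32\\" in path.lower() and path.lower().endswith(".dll")
    if kind == "O15":
        return Finding(kind, "wildcard host added to IE Trusted Zone", line)
    if kind == "O2" and "(file missing)" in detail:
        return Finding(kind, "BHO registered but its DLL is gone (stale or hidden)", line)
    if kind in ("O2", "O18") and bare_system32_dll:
        return Finding(kind, "browser hook is a bare DLL in system32 with no vendor folder", line)
    if kind == "O4" and path and _dropped_outside_program_folder(path):
        return Finding(kind, "autorun executable sits directly in C:\\ or C:\\WINDOWS", line)
    if kind == "O16" and not _host_ok(detail.rsplit(" - ", 1)[-1]):
        return Finding(kind, "ActiveX control downloaded from a non-Microsoft host", line)
    if kind in ("R0", "R1"):
        url = detail.split(" = ", 1)[-1]
        if url.lower().startswith("http") and not _host_ok(url):
            return Finding(kind, "IE search/start page points at an unknown host", line)
    return None

def triage(log: str):
    return [f for f in map(triage_line, log.splitlines()) if f]

def count_by_kind(findings):
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

# Constructed sample: entries from Steve's log with backslashes restored and the
# truncated URLs replaced by .invalid placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-hijack.invalid/search.asp?si=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv11.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [keyboard] C:\kybrdff_13.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adgate.info (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.adnetwork.invalid/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/wuweb_site.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

On the sample it flags nine entries and leaves the Spybot BHO, the NVIDIA autoruns and the Windows Update control alone; the rules are a starting point for reading a log, not a replacement for the second pair of eyes the thread recommends.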