|
|
|
hijacked computer
|
Original Message
|
Name: trtpa
Date: May 11, 2004 at 09:38:56 Pacific
Subject: hijacked computer
OS: xp
CPU/Ram: pent 4 1.9 gh
|
Comment:
I have used cw shredder, adware, spybot and spyware blaster. Still getting online and offline popups.
PLEASE HELP
Report Offensive Message For Removal
|
|
Response Number 1
|
|
Reply: (edit)Could you provide me with any more details on the spyware. Better still when a popup appears post a hijack this log. (Search for Hijack This on Google and save it) then we cansee what the problem is and how to remove it.
 Report Offensive Follow Up For Removal
|
|
Response Number 2
|
Name: trtpa
Date: May 13, 2004 at 10:03:40 Pacific
|
Reply: (edit)Here is the hijackthis log: Logfile of HijackThis v1.97.7
Scan saved at 1:00:44 PM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Cosmi Firewall\firewall.exe
C:\DOCUME~1\TIMTAY~1\APPLIC~1\xejctrob.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Mini-Golf\LoadGolfCourses.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\DOCUME~1\TIMTAY~1\LOCALS~1\Temp\Thf2.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\Kontiki\bin\kontiki.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\MbhRo.exe
C:\WINDOWS\System32\MbhRo.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim Taylor\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wabu.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspry.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Cosmi Firewall] C:\Program Files\Cosmi Firewall\firewall.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [2FG5RJP4Z9DQ7K] C:\WINDOWS\System32\Ypyg9e5.exe
O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\7zlge6d0.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ohfst] C:\DOCUME~1\TIMTAY~1\APPLIC~1\xejctrob.exe -QuieT
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MSRegSvc] C:\WINDOWS\System32\regsvc32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LoadGolfCourses] C:\Program Files\Mini-Golf\LoadGolfCourses.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /pause
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
O4 - Global Startup: LoadGolfCourses
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &IE Toolbar search - res://C:\Program Files\Internet Explorer\Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Cosmi Popup Blocker (HKLM)
O9 - Extra 'Tools' menuitem: Cosmi Popup Blocker (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1507402f88f419464c15/netzip/RdxIE2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
Report Offensive Follow Up For Removal
|
|
Response Number 3
|
Name: Top Speed
Date: May 16, 2004 at 16:53:14 Pacific
|
Reply: (edit)Tim, Even after running the most up-to-date antiviral and ad removal programs, I still had to manually remove malware and popups after running these programs. My fix in Response #3, "Subject: Popup plague =Hijack? help please" should do it for you.
or
try this link to the response page, http://computing.net/security/wwwboard/forum/11772.html to the page. Top Speed
Report Offensive Follow Up For Removal
|
Use following form to reply to current message:
|
|
|
