Help

Discussion in 'adware, spyware & hijack cleaning' started by Øyvind, Mar 5, 2004.

Thread Status:
Not open for further replies.
  1. Øyvind

    Øyvind Guest

    I have just started having problems with my Internet Explorer. Every time I open it up, it goes straight to "C:\WINNT\secure.html", which is a message saying "Detected Spyware! System Error # 384".


    Logfile of HijackThis v1.97.7
    Scan saved at 12:04:48, on 05.03.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\avgcc32.exe
    C:\Programfiler\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\reg32.exe
    C:\Programfiler\SuperBar\sbhc.exe
    C:\Programfiler\Blue Haven Media\Value Added Software\msbb.exe
    C:\WINDOWS\System32\wjview.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Programfiler\Common files\updmgr\updmgr.exe
    C:\Program Files\Altnet\Points Manager\Points Manager.exe
    C:\Programfiler\Fellesfiler\CMEII\CMESys.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\PROGRA~2\Altnet\DOWNLO~1\asm.exe
    C:\Programfiler\Fellesfiler\GMT\GMT.exe
    C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Programfiler\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe
    C:\WINDOWS\System32\wpabaln.exe
    C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\MICROS~1\Office10\OUTLOOK.EXE
    C:\Programfiler\Microsoft Office\Office10\WINWORD.EXE
    C:\Programfiler\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Anders Helling\Lokale innstillinger\Temp\Midlertidig mappe 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.no/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Programfiler\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Programfiler\SuperBar\SuperBar.Dll
    O2 - BHO: (no name) - {793470C6-6CEF-40B3-B3A0-D3D666F976E4} - C:\WINDOWS\System32\gbatt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Programfiler\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Zearching Bar - {5B2CCE61-46CE-11d8-8734-0050FCF57E49} - C:\Programfiler\Zearching bar\zearching.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [SBHC] C:\Programfiler\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Programfiler\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Programfiler\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [CJQAH] C:\WINDOWS\CJQAH.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [updmgr] C:\Programfiler\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [CMESys] "C:\Programfiler\Fellesfiler\CMEII\CMESys.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - Startup: Microsoft Outlook.lnk = ?
    O4 - Global Startup: GStartup.lnk = C:\Programfiler\Fellesfiler\GMT\GMT.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ebates - file://C:\Programfiler\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Ebates (HKCU)
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload_7090.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdq/downloads/msxml4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Øyvind,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

    R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Programfiler\MyWay\myBar\1.bin\MYBAR.DLL

    O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Programfiler\SuperBar\SuperBar.Dll
    O2 - BHO: (no name) - {793470C6-6CEF-40B3-B3A0-D3D666F976E4} - C:\WINDOWS\System32\gbatt.dll

    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Programfiler\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [SBHC] C:\Programfiler\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Programfiler\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Programfiler\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\Run: [CJQAH] C:\WINDOWS\CJQAH.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [updmgr] C:\Programfiler\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [CMESys] "C:\Programfiler\Fellesfiler\CMEII\CMESys.exe"

    O4 - Global Startup: GStartup.lnk = C:\Programfiler\Fellesfiler\GMT\GMT.exe

    O8 - Extra context menu item: Ebates - file://C:\Programfiler\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm

    O9 - Extra button: Ebates (HKCU)
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload_7090.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    Then reboot and delete:
    C:\Programfiler\EbatesMoeMoneyMaker <= entire folder
    C:\Programfiler\Fellesfiler\CMEII <= entire folder
    C:\Programfiler\Fellesfiler\GMT <= entire folder
    C:\WINDOWS\reg32.exe
    C:\WINDOWS\secure.html
    C:\Program Files\Altnet\Points Manager <= entire folder
    C:\Programfiler\PERFECTNAV <= entire folder
    C:\Programfiler\MyWay <= entire folder
    C:\Programfiler\SuperBar <= entire folder
    C:\Programfiler\Srng <= entire folder
    C:\Programfiler\Common files\updmgr <= entire folder

    Then download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Right-click in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    Do you have any idea what this is and where it came from:
    O3 - Toolbar: Zearching Bar - {5B2CCE61-46CE-11d8-8734-0050FCF57E49} - C:\Programfiler\Zearching bar\zearching.dll

    I would appreciate it if you could send me a copy of C:\Programfiler\Zearching bar\zearching.dll to the email address in my profile.

    Regards,

    Pieter

    [EDITED because of hijackthis in the Temp folder. Good catch Subratam]
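Added example, not code from the thread or any of its posters: a small Python triage pass over HijackThis log lines that flags the pattern visible in the log above (IE start/default/local page keys pointing at a file on disk, search keys redirected to a third-party host, unnamed BHOs, and O16 entries with no download URL). The trusted search domains and the stock Local Page filename are assumptions made for this example.

```python
import re
from urllib.parse import urlparse
# Added example, not code from the thread: a defender-side triage pass over
# HijackThis R0/R1/O2/O16 lines that flags the hijack pattern in the posted log.
# SAMPLE_LOG is constructed from lines copied from that log; the trusted search
# domains and the stock Local Page name (blank.htm) are assumptions.

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
PAGE_KEYS = {"Start Page", "Default_Page_URL", "Local Page"}
SEARCH_KEYS = {"Search Bar", "Search Page", "SearchAssistant", "Default_Search_URL"}
TRUSTED_SEARCH = ("msn.no", "msn.com")  # assumption: vendor defaults on this box

def parse_line(line):
    """Return (code, key, value); value is None unless the line is 'path,Key = value'."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and " = " in body:
        reg_path, value = body.split(" = ", 1)
        return code, reg_path.rsplit(",", 1)[-1], value.strip()
    return code, body, None

def triage(lines):
    """Return (code, reason) findings for entries that deserve a closer look."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        code, key, value = parsed
        if code in ("R0", "R1") and value is not None:
            # An IE page key pointing at a file on disk is the symptom reported above.
            if key in PAGE_KEYS and re.match(r"^[A-Za-z]:\\", value) and not value.lower().endswith("blank.htm"):
                findings.append((code, f"{key} set to local file {value}"))
            elif key in SEARCH_KEYS:
                host = urlparse(value).hostname or ""
                if not host.endswith(TRUSTED_SEARCH):
                    findings.append((code, f"{key} redirected to {host}"))
        elif code == "O2" and "(no name)" in key:
            findings.append((code, "unnamed BHO loading " + key.rsplit(" - ", 1)[-1]))
        elif code == "O16" and key.endswith(" -"):
            findings.append((code, "ActiveX (DPF) entry with no download URL: " + key))
    return findings

SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.no/
O2 - BHO: (no name) - {793470C6-6CEF-40B3-B3A0-D3D666F976E4} - C:\WINDOWS\System32\gbatt.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -"""
```

Run `triage(SAMPLE_LOG.splitlines())` to get the four flagged entries; the stock MSN search line passes clean.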
     
  3. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Unzy,

    I removed my post as I saw Pieter is here.

    Thank you.
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Removed mine as well ;)

    Otherwise it's getting too confusing

    Cheers,
     