Help needed..

Discussion in 'adware, spyware & hijack cleaning' started by soldierfrog, May 28, 2004.

Thread Status:
Not open for further replies.
  1. soldierfrog

    soldierfrog Registered Member

    Joined:
    May 28, 2004
    Posts:
    10
    I'm pretty sure my computer has been hijacked. Every time I open my browser it brings me to a porn directory rather than my preset homepage. When I try to reset the homepage it just resets back to the same porn directory under the website address: C:\spad\start.html. I did the three steps asked for: I ran Ad-aware and Spybot, then I ran HijackThis and this is what I got. It would be the greatest of help if somebody could help a frustrated student out. Thanks for your time.




    Logfile of HijackThis v1.97.7
    Scan saved at 4:31:39 AM, on 5/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Rubz\Local Settings\Temp\Temporary Directory 3 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
    O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25f6d07633b111f26305/netzip/RdxIE601.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi soldierfrog,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25f6d07633b111f26305/netzip/RdxIE601.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab

    Download this file and rename it to spad.reg and double-click it. Confirm to merge with the registry.

    Then reboot into safe mode and delete:
    c:/spad <= entire folder
    C:\windows\system32\HPCMDTY.DLL
    C:\windows\system32\c_10230.dll

    Regards,

    Pieter
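As an added illustration of what the fix list above is picking out of the log (this is not code from the thread, from HijackThis or from the people posting here; the allowlist of trusted hosts is an assumption made for the example), a small Python triage script that parses the R0/R1 and O16 lines of a HijackThis log and flags IE start/search pages set to a local file or to a host that is not on the analyst's list, plus ActiveX controls downloaded from unlisted hosts. The sample log is a constructed excerpt of the lines posted above:

```python
import re
from urllib.parse import urlsplit

# Example analyst allowlist (an assumption for this example): hosts an IE
# install of this era legitimately pulls ActiveX controls or search pages from.
TRUSTED_HOSTS = {
    "www.apple.com",
    "download.macromedia.com",
    "fpdownload.macromedia.com",
}

# Constructed sample: a subset of the R0/R1, O16 and O4 lines from the log above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
"""

# R0/R1: "<hive>\<key>,<value name> = <data>"
R_LINE = re.compile(
    r"^R[01] - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$"
)
# O16: "DPF: {CLSID} (optional description) - <download URL>"
O16_LINE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)


def host_of(url):
    """Return the lowercase hostname of a URL, or None if it has none."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def check_r_line(m, trusted):
    """Reasons an R0/R1 (IE start/search page) entry deserves attention."""
    data = m.group("data").strip()
    scheme = data.split(":", 1)[0].lower() if ":" in data else ""
    reasons = []
    if scheme == "file":
        reasons.append("IE %s points to a local file (%s)" % (m.group("name"), data))
    elif scheme in ("http", "https") and host_of(data) not in trusted:
        reasons.append("IE %s set to unlisted host %s" % (m.group("name"), host_of(data)))
    return reasons


def check_o16_line(m, trusted):
    """Reasons an O16 (downloaded ActiveX control) entry deserves attention."""
    host = host_of(m.group("url"))
    if host not in trusted:
        return ["ActiveX control %s downloaded from unlisted host %s"
                % (m.group("desc") or m.group("clsid"), host)]
    return []


def triage(log_text, trusted=TRUSTED_HOSTS):
    """Return [(line_number, reason), ...] for suspicious R0/R1 and O16 lines."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            findings += [(n, r) for r in check_r_line(m, trusted)]
            continue
        m = O16_LINE.match(line)
        if m:
            findings += [(n, r) for r in check_o16_line(m, trusted)]
    return findings


if __name__ == "__main__":
    for n, reason in triage(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```

Run against the sample it reports the four myexexex/start.html entries and the MediaTickets control while leaving the Macromedia download and the Winamp O4 entry alone; an allowlist is only a starting point, and a genuine vendor host appearing on it does not by itself make a control safe.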
     
  3. soldierfrog

    soldierfrog Registered Member

    Joined:
    May 28, 2004
    Posts:
    10
    Thanks Pieter it worked like a charm. You've saved me a lot of sleepless nights trying to figure out what the hell is wrong with my comp. You deserve a medal man. How did this happen in the first place and what can i do to prevent this from happening again?

    Thanks again,
    soldierfrog
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi soldierfrog,

    I am not sure how this particular variant spreads, but it is a CWS variant which uses security flaws in Windows to get into your system. Most of these holes have been patched, but not everyone is updated all the time.
    Also they found a few holes in Windows of their own.

    Please read How did this happen and can I prevent it?

    Regards,

    Pieter
     
  5. soldierfrog

    soldierfrog Registered Member

    Joined:
    May 28, 2004
    Posts:
    10
    hi Pieter,

    One last problem. My homepage is no longer being redirected, but occasionally while surfing I'll be redirected to the same problem site. Is there something I missed that I should have done to totally eliminate this problem?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi soldierfrog,

    Is that the myexexex site?

    If so, surf to http://www.billsway.com/vbspage/ and scroll down to
    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Copy and paste this in the dialog box: myexexex

    After a while a prompt will come up. Click OK to write the results to wordpad and post them.

    Regards,

    Pieter
     
  7. soldierfrog

    soldierfrog Registered Member

    Joined:
    May 28, 2004
    Posts:
    10
    Thanks again for responding so fast, Pieter. Here is what I got when I ran the RegSrch program.

    [HKEY_USERS\S-1-5-21-1275210071-1004336348-682003330-1003\Software\Microsoft\Internet Explorer\TypedURLs]
    "url16"="http://www.myexexex.com/search.php?said=pfxp&qq=yahoo.com"

    [HKEY_USERS\S-1-5-21-1275210071-1004336348-682003330-1003\Software\Microsoft\Internet Explorer\TypedURLs]
    "url17"="http://www.myexexex.com/search.php?said=pfxp&qq=ign.com"
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi soldierfrog,

    This "stinks" :(

    Can you download the attachment and save it as prefixes.reg
    Doubleclick the file and confirm you want to merge it with the registry.

    Regards,

    Pieter
     


  9. soldierfrog

    soldierfrog Registered Member

    Joined:
    May 28, 2004
    Posts:
    10
    I'm not able to merge this with the registry. Am I doing something wrong?
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey soldierfrog,

    Are you getting some kind of error message?
    Also....just to make sure....you did rename prefixes.txt to prefixes.reg?
     
  11. soldierfrog

    soldierfrog Registered Member

    Joined:
    May 28, 2004
    Posts:
    10
    Yeah, I changed the name from txt to reg, but then when I double-click it just opens as a Notepad file. Is that what is supposed to happen? In which case then no problem. Thanks again.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Not sure what is going wrong but your file association for reg files may be off.

    Try this: copy the part in bold below and save it as prefixes.inf

    [Version]
    signature="$CHICAGO$"

    [DefaultInstall]
    AddReg=MyAddReg
    DelReg=MyDelReg


    [MyDelReg]
    HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

    [MyAddReg]
    HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes,(Default),(value not set)
    HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes,ftp,ftp://
    HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes,gopher,gopher://
    HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes,home,http://
    HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes,mosaic,http://
    HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes,www,http://


    Then right-click the file you made and choose Install.

    Regards,

    Pieter
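As an added example (not part of the thread and not Pieter's file), a Python check that compares the values under the URL\Prefixes key against the defaults that the .inf above restores. IE prepends the prefix value to an address typed without a scheme, so a prefix value that carries a hostname and path sends every typed "www.…" address through that host first, which is consistent with the search.php?…&qq=yahoo.com entries RegSrch found in TypedURLs. The read_prefixes_from_registry helper is an assumption about how one would read the live key with the standard winreg module on Windows; the hijacked snapshot is constructed and its hostname is a placeholder:

```python
import sys

# Default IE URL prefix map, as restored by the [MyAddReg] section of the .inf above.
EXPECTED_PREFIXES = {
    "ftp": "ftp://",
    "gopher": "gopher://",
    "home": "http://",
    "mosaic": "http://",
    "www": "http://",
}

PREFIXES_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes"


def audit_prefixes(prefixes):
    """Compare a {name: value} snapshot of the Prefixes key against the defaults.

    Returns a list of (name, problem) tuples. A legitimate prefix value is just
    a scheme followed by '://'; a value that also carries a hostname makes IE
    rewrite a typed 'www.example.com' into a request to that host first.
    """
    problems = []
    for name, value in prefixes.items():
        expected = EXPECTED_PREFIXES.get(name)
        if expected is None:
            problems.append((name, "unexpected prefix entry with value %r" % value))
        elif value != expected:
            problems.append((name, "value %r differs from default %r" % (value, expected)))
    for name in EXPECTED_PREFIXES:
        if name not in prefixes:
            problems.append((name, "default prefix entry is missing"))
    return problems


def read_prefixes_from_registry():
    """Read the live Prefixes key (assumed approach; Windows only, standard winreg)."""
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PREFIXES_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            if name:  # skip the (Default) value, which is not a prefix
                values[name] = data
            i += 1
    return values


# Constructed snapshot of a hijacked key; the hostname is a placeholder, not from the thread.
HIJACKED_SAMPLE = {
    "ftp": "ftp://",
    "gopher": "gopher://",
    "home": "http://",
    "mosaic": "http://",
    "www": "http://hijack.example.invalid/search.php?qq=",
}

if __name__ == "__main__":
    snapshot = read_prefixes_from_registry() if sys.platform == "win32" else HIJACKED_SAMPLE
    for name, problem in audit_prefixes(snapshot):
        print("%s: %s" % (name, problem))
```

Because the .inf first deletes the whole key and then recreates it, the audit also reports entries that are missing or that were added under names IE never uses; an empty result after the install is the state to expect.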
     
  13. soldierfrog

    soldierfrog Registered Member

    Joined:
    May 28, 2004
    Posts:
    10
    OK, it worked, I was able to install it. What will that do? I know I'm a pain but I really appreciate you going through all this trouble to help me out.

    thanks again,
    soldierfrog
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hopefully, in combination with running CWShredder 1.59.0, it will put an end to you getting redirected.

    Use the Fix button in CWShredder and reboot when you are done.
    Keep us posted.

    Regards,

    Pieter
     