Help with Alexa

Discussion in 'adware, spyware & hijack cleaning' started by jkassabian, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. jkassabian

    jkassabian Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    15
    I'd appreciate any help with this one.
    I believe it is called Alexa.

    I've run Ad-Aware and removed one entry.
    My HijackThis is attached.

    Thanks in advance.

    Jay
     


  2. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    This is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:09:47 PM, on 6/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\CCM\CcmExec.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Internet Explorer\IEengine.exe
    C:\dlltemp.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\Documents and Settings\AConnolly\Desktop\Spyware\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Valleycrest Companies
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://intranet/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NA.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NA.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NA.local
     
  3. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    Hi jkassabian

    Run HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe

    Be sure you are configured to SHOW ALL FILES AND FOLDERS, including System and Hidden Files. If you don't know how to do that, see this link and follow the step-by-step directions for your Windows version.

    Reboot in Safe Mode. Find and delete:

    C:\Program Files\Internet Explorer\IEengine.exe
    c:\winnt\dllhelp.exe

    Reboot in Normal mode and post a fresh log here, not as an attached log; please copy the log into your post.
     
  4. jkassabian

    jkassabian Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    15
    I followed your directions, so far so good. I ran HijackThis again and have posted the log below per your directions. Please advise.

    Thank you again, you are a tremendous resource.

    Jay

    Logfile of HijackThis v1.97.7
    Scan saved at 8:02:57 AM, on 6/7/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\CCM\CcmExec.exe
    C:\WINNT\System32\MsiExec.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Documents and Settings\AConnolly\Desktop\Spyware\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Valleycrest Companies
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://intranet/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NA.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NA.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NA.local
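
A follow-up log like the one above can be compared with the first scan mechanically. The sketch below is an added example, not part of any post in this thread: it parses excerpts of the two HijackThis logs posted here and reports which running processes and entries disappeared, and whether anything on a fix list is still present. The function names are hypothetical, and comparison is case-insensitive because Windows paths and registry keys are.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (not the full logs).
BEFORE = r"""Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\IEengine.exe
C:\dlltemp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
"""
AFTER = r"""Running processes:
C:\WINNT\System32\MsiExec.exe
C:\WINNT\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
"""

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")  # section code, detail

def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    procs, entries, in_procs = set(), set(), False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.add((m.group(1), m.group(2).lower()))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())
    return procs, entries

def diff_logs(before, after):
    """Return what disappeared and what is new between two scans."""
    bp, be = parse_log(before)
    ap, ae = parse_log(after)
    return {"procs_gone": bp - ap, "procs_new": ap - bp,
            "entries_gone": be - ae, "entries_new": ae - be}

def still_present(fix_list, after):
    """Entries that were marked for fixing but still appear in the follow-up log."""
    _, wanted = parse_log(fix_list)
    return wanted & parse_log(after)[1]
```

On these excerpts the diff also lists C:\dlltemp.exe, which was running in the first scan but was not on the fix list, as no longer running in the second.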
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands