HELP

Discussion in 'adware, spyware & hijack cleaning' started by mrspydr, Mar 22, 2004.

Thread Status:
Not open for further replies.
  1. mrspydr

    mrspydr Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    19
    Detected SPYware! System error #384

    Logfile of HijackThis v1.97.7
    Scan saved at 7:33:58 PM, on 3/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\winupdate.exe
    C:\WINDOWS\reg32.exe
    C:\WINDOWS\dl.exe
    C:\WINDOWS\dlm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\SHeck.GBIP\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://itseasy.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://itseasy.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://itseasy.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allsearcher.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allsearcher.info/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allsearcher.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://itseasy.us/browser/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allsearcher.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://itseasy.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://itseasy.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://allsearcher.info/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://allsearcher.info/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
    O4 - HKLM\..\Run: [Serv] C:\WINDOWS\msstasks.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [Windows Stortup] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.6593287037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GBIP.local
    O17 - HKLM\Software\..\Telephony: DomainName = GBIP.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GBIP.local
     


  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi mrspydr,

    Welcome to Wilders.

    First I would strongly recommend you uninstall SpyBlocs and SpyHunter thru your Add/Remove Programs Control Panel. Neither program does a very good job and is questionable at best. I will list very good alternatives to these for you at the end of this post.

    Some of the items are from viruses. I would strongly suggest you do an online virus scan and run a resident AV scanner if you are not already. Some good online scans can be found HERE.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

    Check the following items in HijackThis. Please note that the on-line AV scan might have removed some of the entries below.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://itseasy.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://itseasy.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://itseasy.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allsearcher.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allsearcher.info/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://allsearcher.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://itseasy.us/browser/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allsearcher.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://itseasy.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://itseasy.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://itseasy.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://allsearcher.info/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://allsearcher.info/

    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg32.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
    O4 - HKLM\..\Run: [Serv] C:\WINDOWS\msstasks.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [Windows Stortup] C:\WINDOWS\svchost.exe

    O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe

    And if you removed SpyBlocs and SpyHunter, also check the following items:

    O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

    Download CWShredder and run. Be sure ALL other windows are closed and use the Fix button and follow the instructions you will receive.

    Then reboot in Safe Mode and delete the following:

    C:\WINDOWS\winupdate.exe
    C:\WINDOWS\reg32.exe
    C:\WINDOWS\dl.exe
    C:\WINDOWS\dlm.exe
    C:\WINDOWS\msstasks.exe
    C:\WINDOWS\svchost.exe

    And if you removed SpyBlocs and SpyHunter, also delete the following items:

    C:\Program Files\SpyBlocs\ <-- entire folder
    C:\Program Files\SpyHunter\ <-- entire folder

    Reboot and then post a fresh HijackThis log.

    Some things you should read and check into:

    I would also suggest if you do not have a resident anti-virus, you get one. Some are reviewed HERE.

    Some tips and links that will help you stay safe on-line can be found HERE.

    And here is a good read about how to be better protected: Click Me.

    To help keep your system clean, these are also freeware programs that we recommend:
    SpywareBlaster - will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.
    SpywareGuard - provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.
    IE-Spyad - will put a list of bad domains and sites into the Restricted Site Zone of your IE Browser. This will help protect IE and prevent those drive-by downloads, browser hijacking, ActiveX, Java, popups, cookies, etc, from compromising your computer while you surf.

    And of course, you should have a trusted spyware removal program (I recommend having them both as one may catch what the other may not, since they update at different times):
    Spybot Search&Destroy
    SpybotS&D Setup Tutorial.
    Ad-Aware
    Ad-Aware Setup Tutorial.
    Before scanning with either Ad-Aware or Spybot S&D, remember to bring them up-to-date first.

    Regards,
    Kent
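
Added example, not part of Kent's post or of HijackThis: a small parser for the O4 registry Run lines in a log like the one above that reports autostart entries named after a core Windows binary but stored outside the system directory, as with the two `C:\WINDOWS\svchost.exe` entries listed for fixing. The `SYSTEM_DIR` value and the `SYSTEM32_ONLY` list are assumptions of this example, and the sample input is a constructed subset of the posted log.

```python
import ntpath  # Windows path handling, works on any OS
import re

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [Windows Stortup] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

# Assumptions of this example, not HijackThis data: the system directory of the
# logged machine and a short list of Windows binaries that live only there.
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM32_ONLY = {"svchost.exe", "services.exe", "lsass.exe",
                 "winlogon.exe", "smss.exe", "spoolsv.exe"}

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
IMAGE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|scr|bat|pif))(?=\s|$)', re.I)


def image_path(command):
    """Return the executable part of a Run value, dropping quotes and arguments."""
    m = IMAGE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def parse_run_entries(log_text):
    """Parse registry autostart (O4 Run) lines; other O4 forms are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "path": image_path(command)})
    return entries


def masquerading(entries):
    """Entries named like a core Windows binary but stored outside SYSTEM_DIR."""
    return [e for e in entries
            if ntpath.basename(e["path"]).lower() in SYSTEM32_ONLY
            and ntpath.dirname(e["path"]).lower() != SYSTEM_DIR]


if __name__ == "__main__":
    for e in masquerading(parse_run_entries(SAMPLE_LOG)):
        print(f'{e["hive"]}\\{e["key"]} [{e["name"]}] -> {e["path"]}')
```

The check only covers file names in `SYSTEM32_ONLY`; entries such as `winupdate.exe` use names that are not real Windows binaries and need the kind of manual review done in the reply above.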
     
  3. rhiannonv11

    rhiannonv11 Guest

    o_O

    dunno if this has anything to do with spyware, but could be wrong

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vb98/html/vbmsgpropnowriteminmax.asp
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  5. mrspydr

    mrspydr Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    19
    Thank you, I think that did it. This is a great site. Thanks again.
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi mrspydr,

    I would post a new HJT log to be sure we got everything. Sometimes things come back or new items appear and it may not be apparent unless you post a new log.

    Regards,
    Kent
     