Hijack: Mypoiskovic

Discussion in 'adware, spyware & hijack cleaning' started by Emosem, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. Emosem

    Emosem Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    4
    Hey- My search bar, homepage, and search page are constantly being reset to Myposkovic.com, a search engine. When downloading Hijackthis, I noticed that he said the next version of CW shredder would cover it... so I'd think this is a repeat-post of sorts. If there's already been a documented fix to this issue on the boards, a link would be great. Otherwise... here's my log file, help me help me, please!

    Logfile of HijackThis v1.97.7
    Scan saved at 5:55:07 PM, on 6/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\GWMDMMSG.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Internet Explorer\IEengine.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Valued Customer\Desktop\Spyware Killers\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/290fb913ae4b52988401/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37977.5677546296
    O17 - HKLM\System\CCS\Services\Tcpip\..\{47190F6F-F839-43E6-8DD7-6AD0DADF9A06}: NameServer = 68.105.161.20,68.1.18.30

    I tried to use the walkthrough on the Merijn homepage, but to no avail. I'm thinkin' it's the IEengine thread, but don't wanna destroy that on a hunch. Thanks in advance~
     
  2. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    Download this removal tool: http://www.spywareinfoforum.com/downloads/tools/CWShredder.exe. Once downloaded - run the program and press "Fix" rather than just scan. Before pressing "Fix" you need to close all browser windows. Let the program do its thing - you will be able to follow its progress. Click "next" once the fixing is done - then "exit".

    Make sure you are configured to SHOW ALL FILES AND FOLDERS, including System and Hidden Files. If you don't know how to do that, check this link and follow the step-by-step directions for your Windows version.

    Next - Run HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking "Fix checked":

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/290fb91...ip/RdxIE601.cab

    Reboot in Safe Mode. Find and delete:

    C:\Program Files\Internet Explorer\IEengine.exe

    ... also look for and delete if you find them:

    m.exe
    dlltemp.exe
    dllhelp.exe
    winlogin.exe (careful - winlogon.exe is legal, winlogin.exe is illegal)

    While still in safe mode would you please run CoolWeb Shredder one more time and let it FIX all problems.

    RESTART back in Normal mode. Don't open a browser yet.

    Instead, access your "Internet options" via Start -> Control Panel and under the "Programs" tab, "Reset Web Settings".
    Under the "General" tab => "Delete files" and "Reset home page".

    Post back a fresh Hijackthis log.
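    The reply above works through the log by hand: browser settings (R0/R1) pointing at the hijacker's domain get fixed, the user-level Run entry for IEengine.exe gets removed, and the ActiveX download (O16) gets reviewed. The script below is an added example, not code from this thread or from HijackThis itself, that applies the same reasoning to HijackThis-style log lines so the triage is repeatable: R0/R1 entries whose URL host is not on a local allowlist are marked "fix", O4 entries whose executable name matches a hijacker component named in the reply are marked "fix", O4 entries that run a bare name or come from an unexpected directory and O16 downloads from unlisted hosts are marked "review". The allowlist (TRUSTED_HOSTS), the expected-directory list (EXPECTED_RUN_DIRS) and the sample log are constructed for this example; the sample reuses the kinds of lines posted above.

```python
"""Added example, not code from the thread or from HijackThis: a small triage
pass over HijackThis-style log lines. The allowlist, the expected-directory
list and the sample log are constructed for this example."""
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts the user is known to have configured or that
# belong to the OS vendor. Anything else in a browser setting gets flagged.
TRUSTED_HOSTS = {
    "www.gateway.net",
    "windowsupdate.microsoft.com",
    "v4.windowsupdate.microsoft.com",
    "download.microsoft.com",
}

# Constructed: directory prefixes where autostart executables are expected.
EXPECTED_RUN_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Executable names the reply above identifies as hijacker components.
# winlogin.exe is the look-alike of the legitimate winlogon.exe.
KNOWN_BAD_NAMES = {"ieengine.exe", "m.exe", "dlltemp.exe", "dllhelp.exe", "winlogin.exe"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r'https?://[^\s"]+')
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def exe_of(command):
    """Extract the executable path from a Run/Startup command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, arguments follow the quote
        return command[1:command.find('"', 1)]
    m = EXE_RE.match(command)                   # unquoted path that may contain spaces
    return m.group(1) if m else command.split(" ")[0]


def classify(line):
    """Return (section, verdict, reason) for one log entry, or None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section in ("R0", "R1"):
        for url in URL_RE.findall(body):
            if host_of(url) not in TRUSTED_HOSTS:
                return section, "fix", f"browser setting points at untrusted host {host_of(url)}"
        return section, "ok", "host is allowlisted"

    if section == "O4":
        # Forms seen in the log: "HKLM\..\Run: [Name] command args" and "Startup: x.lnk = target"
        if "] " in body:
            command = body.split("] ", 1)[1]
        elif " = " in body:
            command = body.split(" = ", 1)[1]
        else:
            command = body
        exe = exe_of(command)
        name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in KNOWN_BAD_NAMES:
            return section, "fix", f"autostart runs known hijacker component {name}"
        if "\\" not in exe:
            return section, "review", f"bare name {name} is resolved through the PATH search"
        if not exe.lower().startswith(EXPECTED_RUN_DIRS):
            return section, "review", f"autostart runs from unexpected location {exe}"
        return section, "ok", f"{name} runs from an expected directory"

    if section == "O16":
        for url in URL_RE.findall(body):
            if host_of(url) not in TRUSTED_HOSTS:
                return section, "review", f"ActiveX download from unlisted host {host_of(url)}"
        return section, "ok", "download host is allowlisted"

    return section, "skip", "no rule for this section"


def triage(log_text):
    """Classify every entry line; returns a list of (section, verdict, reason, line)."""
    results = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            results.append((*verdict, line.strip()))
    return results


def entries_to_fix(log_text):
    return [line for section, verdict, reason, line in triage(log_text) if verdict == "fix"]


# Constructed sample built from the kinds of lines in the log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/290fb913ae4b52988401/netzip/RdxIE601.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
"""

if __name__ == "__main__":
    for section, verdict, reason, line in triage(SAMPLE_LOG):
        print(f"{verdict:6} {section:3} {reason}")
```

    The point of the O4 rule is that location alone is not enough: IEengine.exe sits under Program Files\Internet Explorer next to the real iexplore.exe, so it only gets caught by name, while the 8.3-style paths (C:\PROGRA~1\...) and bare names such as nwiz.exe land in "review" because the script cannot tell where they resolve without looking at the machine.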
     
  3. Emosem

    Emosem Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    4
    All fixed- I really appreciate it. I'll post a log if necessary, but it's been goin' well for a while now, looks clean. Thank ya very much!
     
  4. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    Sounds good :)

    Feel free to post a fresh log for a final check. Also we recommend this small article for some good advice on safer surfing:

    Why did I get infected
     