Hijack This log and my problems (merged)

Discussion in 'adware, spyware & hijack cleaning' started by hiflyer00, May 26, 2004.

Thread Status:
Not open for further replies.
  1. hiflyer00

    hiflyer00 Registered Member

    Joined:
    May 26, 2004
    Posts:
    4
    Hijack This log and my problems.

    Here is my Hijack This log for starters:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:16:15 AM, on 5/26/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Sam Mendelsohn\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [lies 1] C:\PROGRA~1\Fordbendsave\Gpl copy grid.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1085341205217
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38130.5081365741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4356/mcfscan.cab


Now, I use Ad-Aware, Spywareblaster, Spybot, and occasionally Hijack This. Well, I read that Google thing on Spyware, and I heard about CWShredder, so I went and downloaded it. Well apparently I didn't have CWS on my computer before, but now it's everywhere since I went on that site. I downloaded the thing, but it didn't do anything. Before, Spybot and Adaware got just a few things a week, now I get hundreds every time I reboot. I get popups, it redirects me to a different page now, and look at this for example, in front of the URL to my homepage is this: hxxp://allaboutsearching.com/passthrough/index.html?http://

    I put X instead of T because I didn't want it to take you there.

    I tried Norton and that didn't do anything. I updated all of these programs and it still didn't work. Also, every once in a while a new page comes up that I can't exit out of, and it says loading, then it automatically exits.

    I have 4 main problems, coolwebsearch, look2me, Ezula, and Ibis toolbar.

    Please help.
     
  2. hiflyer00

    hiflyer00 Registered Member

    Joined:
    May 26, 2004
    Posts:
    4
    Re: Hijack This log and my problems.

    Bump, please help.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re: Hijack This log and my problems.

    Hi hiflyer00,

Before you start, please move HijackThis to a separate folder. The program will make backups in the folder it's in.
    Now they will end up on your desktop.

    Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [lies 1] C:\PROGRA~1\Fordbendsave\Gpl copy grid.exe

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\Fordbendsave <= entire folder

    That should take care of the toolbar.

    Download VX2Finder from this link:
    http://tools.zerosrealm.com/VX2Finder.exe

    Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Regards,

    Pieter
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hiflyer00,

    I have merged your two threads together, although your 2nd log looks like it might belong to a different computer? If this is the case and the last log above is for a different computer, then please post that information here. Otherwise I will keep the thread as it is now.

    Also, please follow the instructions Pieter gave you in his last post for downloading VX2Finder.exe and posting the requested log in this thread. Thank you.

    Regards,

    snap

Note: I have split off the 2nd log into a thread of its own as indicated in the post below that the log was for his sister's computer - snap
    Sister's log can be found here: https://www.wilderssecurity.com/showthread.php?t=34382
     
    Last edited: May 30, 2004
  5. hiflyer00

    hiflyer00 Registered Member

    Joined:
    May 26, 2004
    Posts:
    4
    Ya, the second log is for my sister's computer. I'm going to do what he told me to do when I get back to mine.
     
  6. hiflyer00

    hiflyer00 Registered Member

    Joined:
    May 26, 2004
    Posts:
    4
    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\aytiveds.dll


    Guardian Key--- is called: GuardianPCVEW
    Asynchronous 000
    DllName C:\WINDOWS\system32\aytiveds.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {BF1924B1-D904-4F02-A9CE-275134289335}
    IDex DS3

    User Agent String---
    {BF1924B1-D904-4F02-A9CE-275134289335}
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
Nothing useful in there, so stay off the net until all files are deleted (second reboot).

    Open VX2Finder again and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that)

    After that last file is gone go to
    Start > run > type regedit > click OK and navigate to :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianPCVEW

    (Note : the five letters in caps at the end may have changed [PCVEW] but it will still start with Guardian)

    Right click on the Guardiano_O?? key and select delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then
    Restore Policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here with a fresh HijackThis log please.

    Regards,

    Pieter
     
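The cleanup above hinges on a Winlogon notification package: a DLL registered under HKLM\...\Winlogon\Notify\<subkey> that Winlogon loads at logon and logoff, which is why the VX2.BetterInternet file reappears until the Guardian* key is removed. The following is an added example (not code from the thread or from VX2Finder) that enumerates every Notify subkey, resolves its DllName, checks whether the file exists and carries a valid Authenticode signature, and flags entries worth a closer look. It assumes an elevated PowerShell session on the machine being inspected; the Guardian* name match is taken from Pieter's note that the key keeps that prefix.

```powershell
# Added example, not part of the original thread or of any tool it mentions.
# Assumption: run as Administrator on the machine under inspection.
# Caveat: Windows Vista and later no longer load this key, so it may be absent;
# on XP-era systems it is exactly where VX2/BetterInternet registered its DLL.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyAudit {
    if (-not (Test-Path -LiteralPath $NotifyKey)) {
        Write-Warning "Notify key not present (expected on Vista and later)."
        return
    }

    Get-ChildItem -LiteralPath $NotifyKey | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        $dll   = $props.DllName

        # A bare file name in DllName is resolved by Winlogon from System32.
        $resolved = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot "System32\$dll"
        } else {
            $dll
        }

        $exists = [bool]$resolved -and (Test-Path -LiteralPath $resolved)
        $status = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $resolved).Status
        } else {
            'FileMissing'
        }

        # Triage heuristics: missing or unsigned DLL, or the naming pattern
        # seen in the thread (the key name starts with "Guardian").
        $suspicious = (-not $exists) -or
                      ($status -ne 'Valid') -or
                      ($_.PSChildName -like 'Guardian*')

        [pscustomobject]@{
            Subkey       = $_.PSChildName
            DllName      = $dll
            ResolvedPath = $resolved
            Signature    = $status
            Asynchronous = $props.Asynchronous
            Impersonate  = $props.Impersonate
            Logon        = $props.Logon
            Logoff       = $props.Logoff
            Suspicious   = $suspicious
        }
    }
}

# Show everything, suspicious entries first.
Get-WinlogonNotifyAudit | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Treat the Suspicious column as a triage list rather than a verdict: some legitimate Windows components are catalog-signed rather than carrying an embedded signature, so they can show as NotSigned here. An entry whose DLL sits in System32 under an unfamiliar name (like aytiveds.dll in the VX2Finder log above), has no valid signature, and matches the Guardian* pattern is the one to remove in the way Pieter describes; the Logon and Logoff values show which Winlogon events reload it.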