hijack this log.

Discussion in 'adware, spyware & hijack cleaning' started by noss, May 25, 2004.

Thread Status:
Not open for further replies.
  1. noss

    noss Registered Member

    Joined:
    May 25, 2004
    Posts:
    3
    Hi guys, I'm just trying to help out a friend here. He is having the webpage 'yoursearch.com' making itself his homepage every time he starts his machine, and it is adding things to his favourites like 'spycam movies' etc.

    He ran Ad-Aware, and then HijackThis. Here is his log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:47:44, on 25/05/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ScsiAccess.EXE
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\internat.exe
    C:\winnt\dllhelp.exe
    C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
    C:\WINNT\system32\hpoipm07.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hewlett-Packard\hp officejet v series\bin\HPOSTS07.exe
    C:\Program Files\Hewlett-Packard\hp officejet v series\bin\HPOFXM07.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\WINNT\Profiles\me.PC_09040.000\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://spqztc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRA~1\AWS\MiniBug\MiniBug.exe 1
    O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe
    O4 - HKLM\..\Run: [Soundmx] C:\WINNT\System32\soundmx.exe
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
    O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\netware\nwws2sap.dll' missing
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://zalmancrave.ud-dial.biz/1/dexAU586.exe
    O16 - DPF: {1E2434D4-CBB7-11D0-A5A1-0000C0DC0697} (ibControls.ibCalendar) - http://bnet7.spotless.com.au/ibsys/ibobj/obj/OBJECTS]MEXECUTABLE/ibCalendar.cab
    O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load8.exe
    O16 - DPF: {3395DD26-B621-4E3E-B61F-A65046F36D08} (spotpie.spot) - http://bnet3.spotless.com.au/ibnet/library/SPOTPO/obj/objects]mexecutable/spotpie.CAB
    O16 - DPF: {5E67243D-4161-4C7F-A58C-4FDDDD3D79E1} (prord.spotprord) - http://bnet7.spotless.com.au/ibnet/library/SPOTPR/obj/objects]mexecutable/prord.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.6480671296
    O16 - DPF: {B4CDDD3D-C52C-4833-A1C5-FDCD8D9A2C6D} (SandersonLookup.Lookup) - http://bnet7.spotless.com.au/ibnet/library/SPOTPO/obj/objects]mexecutable/lookup.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D63ACA0B-239F-48DD-B6A2-AAD21CD459D5} (SpotlabprojEmp.spotlabemp) - http://bnet4.spotless.com.au/ibnet/library/SPOTLM/obj/objects]mexecutable/spotlabemp.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spotless.com.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{038275B0-42AB-458E-B866-2551576867AC}: NameServer = 202.129.64.42 202.129.64.198
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spotless.com.au
    O17 - HKLM\System\CS1\Services\Tcpip\..\{038275B0-42AB-458E-B866-2551576867AC}: NameServer = 202.129.64.42 202.129.64.198
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spotless.com.au



    Thanks for your help.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi noss,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://spqztc.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

    O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe
    O4 - HKLM\..\Run: [Soundmx] C:\WINNT\System32\soundmx.exe

    O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe

    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://zalmancrave.ud-dial.biz/1/dexAU586.exe

    O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load8.exe

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot and delete:
    C:\Program Files\Internet Explorer\IEengine.exe

    Regards,

    Pieter
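The triage done by eye in the reply above (home-page and search entries pointing at an unknown host, a Run entry launching winlogon.exe or rundll32.exe from outside System32, an O16 control that pulls a bare .exe) can be written down as rules and run over a log. The script below is an added example, not code from the thread or from HijackThis itself; the sample lines are copied from the log posted in the first post, while the TRUSTED_HOSTS allowlist and the SYSTEM_BINARIES set are assumptions chosen for illustration and would need tuning for a real machine.

```python
import re
from urllib.parse import urlsplit

# Added example: rule-based triage of HijackThis log lines.
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

# Sample input copied from the log posted in the thread (line wraps joined).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://spqztc.t.muxa.cc/s.php?aid=227 (obfuscated)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://zalmancrave.ud-dial.biz/1/dexAU586.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed allowlists for this example: values a clean IE install would carry,
# and hosts whose search/start pages are expected.
BENIGN_R_VALUES = {"about:blank"}
TRUSTED_HOSTS = ("microsoft.com", "msn.com")

# Assumed: binaries that belong under System32. A copy launched from anywhere
# else (the thread's C:\WINNT\winlogon.exe) is a name-squatting tell.
SYSTEM_BINARIES = {"winlogon.exe", "rundll32.exe", "svchost.exe", "lsass.exe", "services.exe"}


def parse(line):
    """Split 'O4 - <body>' into (section, body); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def host_of(url):
    return urlsplit(url).hostname or ""


def trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def check_r(body):
    """R0/R1: '<key>,<value name> = <data>'. Flag URLs outside the allowlist."""
    key, _, data = body.partition(" = ")
    data = data.replace(" (obfuscated)", "")
    if data in BENIGN_R_VALUES:
        return None
    if data.startswith("http") and not trusted(host_of(data)):
        return f"IE setting {key.split(',')[-1]!r} points at {host_of(data)}"
    return None


def check_o4(body):
    """O4: 'HKLM\\..\\Run: [Name] <command>'. Flag system binaries run from odd folders."""
    m = re.match(r"(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)", body)
    if not m:
        return None  # Global Startup entries have a different shape; skipped here
    exe_match = re.match(r'"?(?P<path>.*?\.exe)', m.group("cmd"), re.IGNORECASE)
    if not exe_match:
        return None
    parts = exe_match.group("path").lower().split("\\")
    exe, folder = parts[-1], "\\".join(parts[:-1])
    if exe in SYSTEM_BINARIES and not folder.endswith("\\system32"):
        return f"{m.group('name')!r} runs system binary {exe} from {folder!r}"
    return None


def check_o16(body):
    """O16: 'DPF: {CLSID} (Name) - URL'. Flag raw .exe downloads and unnamed controls."""
    m = re.match(r"DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)", body)
    if not m:
        return None
    url = m.group("url")
    reasons = []
    if url.lower().endswith(".exe"):
        reasons.append("installs a raw executable rather than a .cab package")
    if m.group("name") is None and not trusted(host_of(url)):
        reasons.append("unnamed control from an untrusted host")
    return f"ActiveX {m.group('clsid')}: " + "; ".join(reasons) if reasons else None


CHECKS = {"R0": check_r, "R1": check_r, "O4": check_o4, "O16": check_o16}


def triage(log_text):
    """Return [(log line, finding)] for every entry a rule flags, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if not parsed:
            continue
        sec, body = parsed
        check = CHECKS.get(sec)
        finding = check(body) if check else None
        if finding:
            findings.append((line.strip(), finding))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```

Run against the sample, the rules flag the two your-searcher.com/muxa.cc search entries, the WinAuth and rundll32 Run entries, and the dexAU586.exe download, and leave the Symantec tray icon, the about:blank value and the Flash control alone, which matches the items the reply asked to be fixed.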
     
  3. noss

    noss Registered Member

    Joined:
    May 25, 2004
    Posts:
    3
    Thanks for your help, I'll let you know how my mate goes. I didn't realise he didn't unzip HijackThis to a separate folder, as I was trying to talk him through everything over the phone yesterday.
     
  4. noss

    noss Registered Member

    Joined:
    May 25, 2004
    Posts:
    3
    OK, well, my mate wasn't 100% on sorting this all out himself, so I dropped by his place on Friday night and followed all the instructions as per above. One of the accounts on the machine still seems to have a problem, the other account does not.

    The problem with yoursearch.com making itself the homepage no longer exists, same with all the things being added to his favourites. However, on this one account, he is getting popups all the time, but there is nothing in them: IE pops up in fullscreen mode and doesn't go anywhere, it's just a big white screen. It's not a problem with not being connected to the net or having a slow computer, as everything else is running fine in the background. I've checked over everything again but with no luck.

    Thanks for the help :)
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    You could try posting a log for the account with the problem. We might spot something.

    Regards,

    Pieter
     