hijack this log.

hi guys i'm just trying to help out a friend here, he is having the webpage 'yoursearch.com' making itself his homepage everytime he starts his machine and it is adding things to his favourites like 'spycam movies' etc.

he ran adaware, and then hijackthis. here is his logs:

Logfile of HijackThis v1.97.7
Scan saved at 15:47:44, on 25/05/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\winnt\dllhelp.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software
Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\HPOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\Profiles\me.PC_09040.000\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://your-searcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://spqztc.t.muxa.cc/s.php?aid=227 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRA~1\AWS\MiniBug\MiniBug.exe 1
O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINNT\System32\soundmx.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr]
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp
officejet v series\bin\hpodev07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program
Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program
Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O10 - Broken Internet access because of LSP provider
'c:\winnt\system32\netware\nwws2sap.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet
Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
http://zalmancrave.ud-dial.biz/1/dexAU586.exe
O16 - DPF: {1E2434D4-CBB7-11D0-A5A1-0000C0DC0697} (ibControls.ibCalendar) -
http://bnet7.spotless.com.au/ibsys/ibobj/obj/OBJECTS]MEXECUTABLE/ibCalendar.cab
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} -
http://66.154.18.136/npd/load8.exe
O16 - DPF: {3395DD26-B621-4E3E-B61F-A65046F36D08} (spotpie.spot) -
http://bnet3.spotless.com.au/ibnet/library/SPOTPO/obj/objects]mexecutable/spotpie.CAB
O16 - DPF: {5E67243D-4161-4C7F-A58C-4FDDDD3D79E1} (prord.spotprord) -
http://bnet7.spotless.com.au/ibnet/library/SPOTPR/obj/objects]mexecutable/prord.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.6480671296
O16 - DPF: {B4CDDD3D-C52C-4833-A1C5-FDCD8D9A2C6D} (SandersonLookup.Lookup) -
http://bnet7.spotless.com.au/ibnet/library/SPOTPO/obj/objects]mexecutable/lookup.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D63ACA0B-239F-48DD-B6A2-AAD21CD459D5}
(SpotlabprojEmp.spotlabemp) -
http://bnet4.spotless.com.au/ibnet/library/SPOTLM/obj/objects]mexecutable/spotlabemp.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spotless.com.au
O17 -
HKLM\System\CCS\Services\Tcpip\..\{038275B0-42AB-458E-B866-2551576867AC}:
NameServer = 202.129.64.42 202.129.64.198
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spotless.com.au
O17 -
HKLM\System\CS1\Services\Tcpip\..\{038275B0-42AB-458E-B866-2551576867AC}:
NameServer = 202.129.64.42 202.129.64.198
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spotless.com.au



thanks for your help.

 

Hi noss,

Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
These easily get lost in a Temp folder.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://your-searcher.com/index.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://spqztc.t.muxa.cc/s.php?aid=227 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://your-searcher.com/index.htm

O4 - HKLM\..\Run: [WinAuth] C:\WINNT\winlogon.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINNT\System32\soundmx.exe

O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program
Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} -
http://zalmancrave.ud-dial.biz/1/dexAU586.exe

O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} -
http://66.154.18.136/npd/load8.exe

Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
Use the Fix button and follow the instructions you will receive.

Then reboot and delete:
C:\Program Files\Internet Explorer\IEengine.exe

Regards,

Pieter

 

thanks for your help i'll let you know how my mate goes. i didnt realise he didnt unzip hijackthis to a seperate folder, as i was trying to talk him through everything over the phone yesterday.

 

ok, well, my mate wasnt 100% on sorting this all out himself so i dropped by his place on friday night and followed all the instructions as per above, one of the accounts on the machine still seems to have a problem, the other acocunt does not.

the problem with yoursearch.com making itself the homepage no longer exists, same with all the things being added to his favourites, however, on this one account, he is getting popups all the time.. but there is nothing in them, ie pops up in fullscreen mode and doesnt go anywhere, its just a big white screen. its not a problem with not being connected to the net or having a slow computer, as everything else is running fine in the background. i've checked over everything again but with no luck.

thanks for the help

 

You could try posting a log for the account with the problem. we might spot something.

Regards,

Pieter