Hijacked with popups need help

Discussion in 'privacy problems' started by Squaar, Sep 24, 2003.

Thread Status:
Not open for further replies.
  1. Squaar

    Squaar Registered Member

    Joined:
    Jun 20, 2003
    Posts:
    8
    Recently I was Hijacked but other then the usual go to different webpage I have many popups appearing out of nowhere. I think I know what the culprits are just wanting some conformation

    Thanks
    Mike

    Logfile of HijackThis v1.94.0
    Scan saved at 8:59:51 PM, on 9/23/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://dev.ntcor.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=132986
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=132986
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://srch-us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://dev.ntcor.com/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
    R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\system32\QaBar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\system32\QaBar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\Program Files\SafeSurfing\SSUpdate.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://download.online-dialer.com/MaConnect.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir_nr.cab
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} (Loader Class) - http://new.tnc4u.com/MCInst.cab
    O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37883.5353240741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    I'm no Expert, but I do know a few things that you CAN fix,
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://download.online-dialer.com/MaConnect.cab

    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    (Note, you MAY want to ask someone about RUNDLL32.EXE i'm not sure, so DONT fix it until a expert gets here)

    R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\system32\QaBar.dll

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    (Again, Note, I'm not to sure about ISTsvc but I think that should be safe to fix?)

    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    (S3TRAY2 should be safe, but again, I'm not 100% sure)

    I'd wait until say a expert gets on for the rest :doubt:

    <Notice> I am in no way responsible for any damages caused by any advice I have given, in anyway </Notice>
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Squaar,

    You are using a very oldversion of HijackThis, so if this doesn't soleve it download a new one and post a new log.
    I think this should do it however.

    First download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip
    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\system32\QaBar.dll
    O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll
    O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\system32\QaBar.dll
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\Program Files\SafeSurfing\SSUpdate.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://download.online-dialer.com/MaConnect.cab
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} (Loader Class) - http://new.tnc4u.com/MCInst.cab

    Reboot after doing so, preferably into safe mode
    and delete:
    C:\Program Files\E2G <= entire folder
    C:\Program Files\ISTsvc <= entire folder
    C:\Program Files\SafeSurfing <= entire folder
    C:\PROGRAM FILES\NEWDOTNET <= entire folder

    Then download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Rightclick in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    Read this on how to minimize the risk of infection: http://boards.cexx.org/viewtopic.php?t=957.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.