hijackthis log review plz PLZ

Discussion in 'adware, spyware & hijack cleaning' started by fade2blackened, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. Well, I've tried about everything I could to remove those "things" off my comp. But one of them is still there, messing up with my "default search engine" (IE), which was supposed to be a Microsoft search page.
    Real Yellow Pages is there now, "working"... Plz, I want to get rid of this ****. I've installed all the programs you might say (SpywareGuard/Blaster, Spybot S&D, Spy Sweeper, Ad-Aware, etc...).

    Well, here's the log file. Plz ppl, make me happy!! Thank you!





    Logfile of HijackThis v1.97.7
    Scan saved at 06:36:53, on 29/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Arquivos de programas\SpywareGuard\sgmain.exe
    C:\Arquivos de programas\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Fabio Paiva\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F968012-5F3C-4891-A371-4DCC572E18D1}: NameServer = 200.204.0.10 200.204.0.138
     
  2. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    Look what this spyware does to me

    http://real-yellow-page.com/index.php?aid=20038

    The search engine of IE, when you write something to find, loads this ******* page... which I can't get rid of.

    I tried EVERYTHING I could... All the programs I could find, everything... Now I'm just "here"... waiting.

    Please, help? o_O :doubt: :( :'(

    This is the only thing all the programs couldn't remove.

    Any suggestions will be welcome.

    THX!
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re:Look what this spyware does to me

    Hi fade2blackened,

    Please download, unzip and run: CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot, run HijackThis again and post a new log.
    and someone will be happy to help you analyze your log.

    Regards,

    Pieter

    [EDITED after merging the two threads you started]
     
  4. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    Well, here it is again...
    I ran HijackThis without being connected? Any trouble?

    Here it goes... thanks in advance.




    Logfile of HijackThis v1.97.7
    Scan saved at 07:17:30, on 29/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Arquivos de programas\SpywareGuard\sgmain.exe
    C:\Arquivos de programas\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Arquivos de programas\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Documents and Settings\Fabio Paiva\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab


    o_O
     
  5. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    I had already used this program... and what? Didn't work...

    And now the same thing... real-yellow-page still there...
    But I'll do anything you guys say...

    1 more thing: when I used that program, it found the same thing twice (CWS.smartsearch and CWS.msconfig)... every time I run this program (shredder).

    Does it help?

    hmmm


    thx
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi fade2blackened,

    Unfortunately I'm very familiar with this hijack. Previously pointing to drxcount.

    Please surf to http://www.billsway.com/vbspage/ and scroll down to
    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Copy and paste this in the dialog box: privdata

    After a while a prompt will come up. Click OK to write the results to wordpad and post them.

    TIA,

    Pieter
     
  7. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    Hi Pieter...

    I did exactly as you said.
    But once again, nothing happened. It has found no "instances for privdata".

    And once again I tried to use the "search engine" of IE, just in case this "virus" has left. And an error occurred while trying to "connect" to the "real-yellow-page".

    I'm gonna try to attach the screenshot here.

    I'm really glad you're trying to help me. But unfortunately, nothing has worked yet.
     
  8. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    attach... hmm...

    well, here is what is written there... in the IE window, while trying to connect to this site (http://real-yellow-page.com/index.php?aid=20038):


    Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (11) in /home/hosts/site1hp/html/inc.php on line 8
    Can't connect to database
     
  9. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    Plz!!??
    up!

    :doubt:
     
  10. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    NEWS about my problem

    Well, after hours of reading, searching, asking, downloading, I still got nothing.

    It seems it's impossible to get rid of this searching ****.

    I've found something myself... a line in WIN.INI:

    run=fntldr.exe
    Something like this...
    I've found this is some sorta virus, hijack, whatever...
    Look:
    http://securityresponse.symantec.com/avcenter/venc/data/adware.searchcounter.html

    WELL, I tried to do everything I could. The registry looks clean, and HijackThis shows nothing unusual to me.

    I'm really pissed off now. And I think there's no way to get rid of this ******* **** mother ****** cow ****** virus or whatever it is.

    Man, the registry "says" the search engine will search in a default MSN search page, but the THING loads after trying to load the MSN page. (A "loading..." text appears above the page, before loading it completely).

    ANYONE!! HEEEELP!!! omg

    Please...

    No formatting, please.
     
  11. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
  12. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi fade2blackened :)

    U don't have to bump your post. ;)

    Please be patient and one of the experts will be along to help u with your problem.


    Thanks.


    snowbound
     
  13. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    Sorry... :doubt:

    I'm just desperate... :'(
     
  14. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    It's alright :)

    Someone will be along soon, i'm sure. ;)




    snowbound
     
  15. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Re:NEWS about my problem

    Hi fade,

    Dun be desperate mate :)

    Help is always there... just a patient mind is required.

    I am answering here as it seems this is the latest news about your problem.

    See if this helps.

    The fntldr.exe helped a bit in analysing your computer. It's a virus hangover. Well, maybe the answer now:

    You have just experienced this virus - Symantec Security Response - Adware.SearchCounter which will have modified your computer in oh 30 or so different ways http://search.symantec.com/custom/us/query.html (pleasant!)

    If you have Norton it may well clear it all up in one go. If you don't and do not fancy cleaning up all this mess yourself go to download.com (so you know the copies are not themselves hacked) and get the programs ad-aware and spybot. Run ad-aware first. It will clear up the mess in your registry but miss something called a hosts redirect - the main sign of which will be that when you type something into the internet explorer address bar that is not recognised the autosearch function will have been hijacked and you will be taken to the website of the hacker's choice. Now run Spybot which will spot and repair this "hosts redirect" for you. ...29 down and one to go.

    Finally edit the win.ini file in your windows directory to prune out fntldr.exe from the run= line. You can use the notepad to do this. ..You may have other things there you want to keep. Track the files down in windows explorer to right click them, look at the version details and find out who made them. Make a note of the original line and think about trial removal of any you were not expecting. You can always edit them back in if they were required after all.

    thx
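    The posts above point at three places worth checking for this kind of search hijack: the R0/R1 lines of the HijackThis log in the first post (IE start/search page registry values), the run= line of WIN.INI, and HOSTS entries that redirect a hostname. The script below is an added example written for this thread, not code posted by anyone in it; it parses constructed sample copies of those three inputs and reports what it finds. The allowlist of trusted search hosts and all sample text are assumptions made for the example.

```python
"""Triage helper for the IE search hijack discussed in this thread (added example).
Checks HijackThis R0/R1 entries, the WIN.INI run=/load= lines and HOSTS redirects.
All sample input at the bottom is constructed, not the poster's real files."""
import re
from urllib.parse import urlsplit

# Hosts the operator accepts for IE start/search pages (an assumption for this example).
TRUSTED_SEARCH_HOSTS = {"www.uol.com.br", "home.microsoft.com", "search.msn.com"}

# HijackThis entry lines begin with a section code such as R0, R1, O2, O4.
HJT_ENTRY = re.compile(r"^\s*([RFNO]\d+) - (.*)$")


def parse_hijackthis(log_text):
    """Return (section, body) tuples for the entry lines; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def flag_ie_search_entries(entries):
    """Return R0/R1 entries whose value is a web URL on a host outside the allowlist."""
    flagged = []
    for section, body in entries:
        if section not in ("R0", "R1") or " = " not in body:
            continue
        key, value = body.rsplit(" = ", 1)
        value = value.strip()
        if not value.lower().startswith(("http://", "https://")):
            continue  # about:blank and local paths are not web redirects
        host = (urlsplit(value).hostname or "").lower()
        if host not in TRUSTED_SEARCH_HOSTS:
            flagged.append((section, key.strip(), value))
    return flagged


def win_ini_run_programs(ini_text):
    """Return programs named on the run= and load= lines of the [windows] section of WIN.INI."""
    programs = []
    in_windows = False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            continue
        if in_windows and "=" in s:
            key, _, value = s.partition("=")
            if key.strip().lower() in ("run", "load"):
                programs.extend(p.strip() for p in value.split(",") if p.strip())
    return programs


def hosts_redirects(hosts_text):
    """Return (hostname, ip) pairs that send a host somewhere other than loopback/null."""
    redirects = []
    for line in hosts_text.splitlines():
        s = line.split("#", 1)[0].strip()  # drop comments
        if not s:
            continue
        ip, *names = s.split()
        if ip in ("127.0.0.1", "0.0.0.0", "::1"):
            continue  # blocking entries are usually deliberate; redirects are the concern
        redirects.extend((name.lower(), ip) for name in names)
    return redirects


def triage(hjt_text, ini_text, hosts_text):
    """Run all three checks and return the findings in one dict."""
    return {
        "ie_search": flag_ie_search_entries(parse_hijackthis(hjt_text)),
        "win_ini_run": win_ini_run_programs(ini_text),
        "hosts_redirects": hosts_redirects(hosts_text),
    }


# --- constructed sample input (the hijacked Search Page line is made up for the demo) ---
SAMPLE_HJT = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://real-yellow-page.com/index.php?aid=20038
O4 - HKLM\..\Run: [pccguide.exe] "C:\Arquivos de programas\Trend Micro\PC-cillin 2002\pccguide.exe"
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=fntldr.exe\nNullPort=None\n\n[fonts]\n"
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1      localhost
0.0.0.0        ads.example.invalid
203.0.113.7    auto.search.msn.com   # IE AutoSearch host sent to a TEST-NET address
"""

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_HJT, SAMPLE_WIN_INI, SAMPLE_HOSTS).items():
        print(name, findings)
```

    Run it against real files by reading them into the three text arguments of `triage()`; anything it lists is a lead to look at, not proof of infection on its own, so check each program and host before removing it.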
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    fade2blackened,

    Don't get your hopes up too much. We will have to do a lot of testing and poking. We have been working at this hijack for over a week and we have made progress, but not yet found a reasonable solution.
    I can disable the AutoSearch in IE so you won't end up there anymore.

    One thing you can do in the meanwhile is fully update Windows and IE at the Windows Update site.

    Regards,

    Pieter
     
  17. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    Well.. I give up on this...

    I really appreciate your hard work (and mine too), but it seems useless until now to "kill" this search "thing".

    I tried out the last post there from our mate "subratam", but again it didn't work.

    I've changed that run= line of WIN.INI myself before. Used all the programs, and nothing.

    I give up... I'll just leave it here, and maybe I'll format my pc.

    Thanks anyways!!
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Your choice, of course.

    If you want to read some more things we have tried and found out: http://boards.cexx.org/viewtopic.php?t=4493

    Regards,

    Pieter
     
  19. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    Sure, I'll read anything!

    But I won't spend several hours on this anymore.

    Just one more question: I'm downloading SP1 for WinXP. Is there ANY problem installing it over the old one? I mean... my PC has all my programs installed and personal configs. Is there a problem?


    Thanks!
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That should be no problem. Have a look here if you don't want to have to download it again, if you decide to format after all:
    http://www.broomeman.com/support/wsiedown.html

    Regards,

    Pieter
     
  21. fade2blackened

    fade2blackened Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    12
    Location:
    Brazil
    Hello again Pieter!

    Great forum you sent me. Everyone trying to solve the same problem. Epic.

    I've posted there too.

    Here's what I said there:

    As I see I'm not the only one with this problem, which makes me a little bit comfortable, just because I know there are more people, like me, trying to fix this problem.

    I'm not sure if my problem is the SAME but I'll try to explain it:
    It has to do with the search bar (IE). When I write something which isn't a web address, it instantly sends me to this page: http://real-yellow-page.com/index.php?aid=20038

    This "aid=20038" is a known number I guess.

    I can say I tried everything I could to try to remove this infection from my pc.

    -Spybot S&D
    -SpywareBlaster
    -SpywareGuard
    -Ad-Aware 6 Plus
    -Spy Sweeper
    -CWShredder
    -HijackThis

    And manually checked registry entries, following the Symantec steps.

    I even found on my own this file: fntldr.exe, which I think was supposed to load on my system startup. If you search for this file (google.com) you'll notice it's a trojan, spyware, whatever virus.

    I cleaned everything I could related to this file (which does not exist). There's a line in WIN.INI (run=fntldr.exe) which I deleted.

    I'm not sure if I could delete the file HOSTS (windows/system32/drivers/etc). Well, I did. HUH?

    I installed SP1 and Q832894 AFTER "meeting" this virus. I thought it would work. It didn't. hehehe. Is there anything else I should install (I know the answer is yes, but I'd like to know their names, links, like this Q832894)?


    Well, I guess that's everything I tried until now.

    Thanks.
     