In desperation

Discussion in 'adware, spyware & hijack cleaning' started by OliverX669, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello,

    I wonder if someone may be able to help a man who’s not terribly computer conversant please? I have tried to access, and understand, the reports on site concerning this problem but to be honest I’m struggling.

    From what I have read on site it seems I’ve been “hijacked” by some organisation named www.hugesearch.net, or www.search-space.com, using an ActiveX control. Every time I try to access a website this organisation’s search page comes up which is both frustrating and irritating.

    I’ve tried everything I can to stop this but without success. I can “fix” the problem using the software I have but every time I reboot it recurs. My operating system is Windows Millennium and the programs I’ve tried to use to get rid of this problem are Ad-aware 6.0, SpyBotS&D 1.2 and SpywareBlaster Release 2.6.1.

    I appreciate other members are probably bored rigid with reports of this problem and if I’m being a nuisance I apologise but if anyone is able to give me “idiot-proof” instructions as to how to get rid of this problem once and for all I would be very grateful.

    My e-mail is removed before the spambots find it - Pieter

    Kind regards,

    Oliver
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi OliverX669,

    Welcome to Wilders. :)

    Download, unzip and run: CWShredder
    Use the Fix button and follow the instructions you will receive.
    If that does not solve it, I would need to see your HijackThis log.

    Regards,

    Pieter
     
  3. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello Pieter,

    Many thanks for your prompt reply, it's much appreciated.

    I'll go and get cwshredder, thank you for that.

    I downloaded Hijackthis, got that info from an onsite reply, and here is the logfile.

    Kind regards,

    Oliver

    Logfile of HijackThis v1.97.7
    Scan saved at 14:16:16, on 13/02/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\TURNPIKE\INVERSE\ARMON32A.EXE
    C:\WINDOWS\SYSTEM\PGPSDKSERV.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS ME\PGPSERVICE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINFAXPRO\WFXCTL32.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS ME\PGPTRAY.EXE
    C:\PROGRAM FILES\AOL 8.0\AOLTRAY.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINFAXPRO\WFXMOD32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\WINFAXPRO\FAXMNG32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSACCESS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hugesearch.net/bar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hugesearch.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hugesearch.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hugesearch.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hugesearch.net/bar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hugesearch.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hugesearch.net/bar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hugesearch.net/bar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.demon.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hugesearch.net/bar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hugesearch.net/bar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE ACROBAT 5\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\NavExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\TURNPIKE\INVERSE\ARMon32a.exe"
    O4 - HKLM\..\RunServices: [PGPSDKSVC] C:\WINDOWS\SYSTEM\PGPsdkServ.exe
    O4 - HKLM\..\RunServices: [PGPSERVICE] C:\Program Files\Network Associates\PGP for Windows ME\PGPservice.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Controller.LNK = C:\WinfaxPro\WFXCTL32.EXE
    O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
    O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
    O4 - Startup: Splash.lnk = C:\Program Files\Iomega\Tools\SPLASH.EXE
    O4 - Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows ME\PGPtray.exe
    O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
    O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
    O4 - Startup: Exif Launcher.lnk = C:\FinePixViewer\QuickDCF.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.demon.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi OliverX669,

    CWShredder should take care of the hijack, but if any of the below are still there after running it,
    check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hugesearch.net/bar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hugesearch.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hugesearch.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hugesearch.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hugesearch.net/bar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hugesearch.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hugesearch.net/bar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hugesearch.net/bar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.demon.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hugesearch.net/bar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hugesearch.net/bar.html

    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\NavExt.dll

    O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta

    Then reboot.

    Regards,

    Pieter
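
The manual review in the reply above, sketched as an added example that is not part of the original thread and is not HijackThis or CWShredder code: it parses HijackThis-style lines and flags R0/R1 Internet Explorer entries whose host matches the two domains the original poster named. The O2 and O4 rules (unnamed BHO, autorun of an `.hta` file) are this example's own triage assumptions, meant to prompt manual verification, and the sample input is constructed from lines in the posted log.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hugesearch.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.demon.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\NavExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta
"""

# Domains the original poster named as the hijack destination.
HIJACK_DOMAINS = {"hugesearch.net", "search-space.com"}

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # section code, rest of line
R_ENTRY = re.compile(r"^(HK\w+\\[^,]+),(.+?) =\s*(.*)$")  # key, value name, data

def host_matches(url, domains):
    """True if the URL's host is one of the domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(log_text, domains=HIJACK_DOMAINS):
    """Return (code, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        r = R_ENTRY.match(body)
        if code in ("R0", "R1") and r and host_matches(r.group(3), domains):
            findings.append((code, "IE %s -> named hijack domain" % r.group(2), line))
        elif code == "O2" and "(no name)" in body:
            # Assumption: an unnamed BHO is only a prompt to verify the DLL by hand.
            findings.append((code, "unnamed BHO, verify the DLL", line))
        elif code == "O4" and body.lower().endswith(".hta"):
            # Assumption: an HTML application in an autorun key deserves review.
            findings.append((code, "autorun launches an HTML application", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {line}")
```
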
     
  5. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello again Pieter,

    I can't thank you enough! Cwshredder has done the trick! I'll check out the details you've given me just to be sure.

    That really was appreciated, I can't tell you how much and if there's anything I can ever do in return please don't hesitate to come back to me.

    Thanks again.

    Kind regards,

    Oliver
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Glad we could help, Oliver. :)

    Stick around, learn some more and share your knowledge.

    Regards,

    Pieter
     