Need help with Browser Hijack Problems

Discussion in 'adware, spyware & hijack cleaning' started by rtullio, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. rtullio

    rtullio Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    I have already run Spybot and AdAware.
    I am seeing some suspicious items in the Hijack this log but prefer to get some professional uidance as to what to remove.
    Any help would be appreiated.
    Renato

    Here is the log:
    Logfile of HijackThis v1.97.7
    Scan saved at 7:46:50 AM, on 6/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\docume~1\cheryl\locals~1\temp\8cBq.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Dell\HijackThis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F6239A46-6E34-4238-B3B2-33B3DCB0D5DF} - C:\WINDOWS\zlsbpp.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [8cBq] C:\docume~1\cheryl\locals~1\temp\8cBq.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [3WTTN7832LCA2F] C:\WINDOWS\System32\Ahm9.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm Plus.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11111111-1111-1111-1111-112193120681} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.6171990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi rtulio,

    I was wondering how many computers you have and when you are going to start protecting them?

    Regards,

    Pieter
     
  3. rtullio

    rtullio Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Hi Pieter
    I have friends that call me up with problems so I help them out since none of them would ever be able to do any of this.
    How do you guys know what items to remove, if could just learn all of them somehow I would not need to keep posting.
    I am a PC/Network tech so I could pick it up quickly if I had somewhre to reference the bad items.
    If you want me to stop posting logs I understand. I will just figure it out myself.
    BTW my computers are all protected and I have never had one of them infected. All the logs I have posted are either friends or co-workers PC's which after cleaning I promptly protect.
    Sorry for being a pain in the rear.
    Renato
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Follow the instructions at
    http://www.pestpatrol.com/PestInfo/w/webhancer.asp
    to uninstall webhancer and reboot


    Please download and run this file
    http://downloads.subratam.org/PeperFix.exe

    If the following 2 are still running
    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\docume~1\cheryl\locals~1\temp\8cBq.exe


    Download and run CWShredder by Merijn Bellekom
    Run it, press 'Fix', and allow it to fix all it finds.


    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {F6239A46-6E34-4238-B3B2-33B3DCB0D5DF} - C:\WINDOWS\zlsbpp.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [8cBq] C:\docume~1\cheryl\locals~1\temp\8cBq.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [3WTTN7832LCA2F] C:\WINDOWS\System32\Ahm9.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {11111111-1111-1111-1111-112193120681} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    Delete the following files:
    C:\Documents and Settings\cheryl\Local Settings\temp\8cBq.exe
    C:\WINDOWS\System32\Ahm9.exe
    C:\WINDOWS\System32\dp-him.exe



    Delete the following folder(s) completely
    C:\WINDOWS\System32\P2P Networking\
    C:\Program Files\MyWay\
    C:\Program Files\webHancer\


    Rerun CWShredder again while still in SAFE mode

    Reboot to normal mode

    Get the latest release of Spybot and update it - then run it

    ------ some partial info (for further cleanup)
    http://doxdesk.com/parasite/webHancer.html
    http://www.pestpatrol.com/PestInfo/w/webhancer.asp
    http://www.pestpatrol.com/PestInfo/p/p2p_networking.asp
     
Thread Status:
Not open for further replies.