Once again...

Discussion in 'adware, spyware & hijack cleaning' started by Hemiten, May 27, 2004.

Thread Status:
Not open for further replies.
  1. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    Hi there!
    Now I have the very same problem again that I had a while ago (https://www.wilderssecurity.com/showthread.php?p=164212#post164212); the start page of IE has changed itself to some kind of link site to different porn sites. A different page than the other time, though, I think.
    I used Spybot, and here's my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:22:26, on 2004-05-27
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Apoint2K\Apoint.exe
    C:\Program\LAUNCH~1\QtaET2S.EXE
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program\ICQLite\ICQLite.exe
    C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Program\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\PROGRAM\AIM\aim.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ägaren\Lokala inställningar\Temp\Temporär katalog 9 för hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\2.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\2.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LManager] C:\Program\LAUNCH~1\QtaET2S.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA34799-218E-4672-9C17-5B3CED6D14B0}: NameServer = 193.11.224.135,193.11.241.11,193.11.226.3,217.28.194.41
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com


    Thanx!
    /Simon
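A worked triage of a log like the one posted above, added here as an example (it is not code from the thread or from HijackThis). It parses the R0/R1 line format (IE start and search values) and the O2/O3 format (BHOs and toolbars), flags navigation values that point at a local file or at a host outside an allowlist, and flags extensions that are not on a known-good list or that load from a user-writable directory. The sample lines are copied from the log above plus one constructed "clean" Start Page line; TRUSTED_HOSTS and KNOWN_GOOD_CLSIDS are assumptions chosen for illustration.

```python
"""Triage HijackThis R0/R1 (IE start/search values) and O2/O3 (BHO/toolbar) lines.

Added example for this thread, not code from HijackThis or the forum.
TRUSTED_HOSTS and KNOWN_GOOD_CLSIDS are assumptions made for illustration.
"""
import re
from urllib.parse import urlparse

# "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://..."
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# "O2 - BHO: name - {CLSID} - C:\path\to.dll"  /  "O3 - Toolbar: name - {CLSID} - path"
O_LINE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

# Assumption: hosts this machine is expected to use for its IE start and search pages.
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}
# Assumption: CLSIDs of extensions already vetted on this machine (upper case for comparison).
KNOWN_GOOD_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe Reader AcroIEHelper
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot SDHelper
    "{8E718888-423F-11D2-876E-00A0C9082467}",  # IE "Radio" toolbar (msdxm.ocx)
}
# IE values that decide where the browser navigates or searches; others (LinksFolderName) are cosmetic.
NAVIGATION_VALUES = {
    "Start Page", "Default_Page_URL", "Search Bar", "Search Page",
    "Default_Search_URL", "SearchAssistant", "CustomizeSearch",
}


def check_r_entry(value_name, data):
    """Return a reason if an R0/R1 value looks hijacked, else None."""
    if value_name not in NAVIGATION_VALUES:
        return None
    url = urlparse(data.strip())
    if url.scheme == "file":
        # A local HTML start page is the classic sign of a hijack (file://c:/spad/start.html above).
        return "navigation value points at a local file: " + data
    if url.scheme in ("http", "https") and url.hostname not in TRUSTED_HOSTS:
        return "navigation value points at untrusted host: " + str(url.hostname)
    return None


def check_o_entry(clsid, path):
    """Return a reason if a BHO/toolbar is unknown or loads from a user-writable directory, else None."""
    if clsid.upper() in KNOWN_GOOD_CLSIDS:
        return None
    lowered = path.lower()
    if "\\temp\\" in lowered or "\\docume~1\\" in lowered or "\\documents and settings\\" in lowered:
        return "extension loads from a user-writable path: " + path
    return "unrecognised extension %s loading %s" % (clsid, path)


def triage(lines):
    """Parse HijackThis lines and return [(line, reason)] for everything worth fixing."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            reason = check_r_entry(m.group(4), m.group(5))
        else:
            m = O_LINE.match(line)
            reason = check_o_entry(m.group(3), m.group(4)) if m else None
        if reason:
            findings.append((line, reason))
    return findings


# Sample taken from the log posted above, plus one constructed clean Start Page line (the msn.com one).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\2.bin\MYBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG.splitlines()):
        print("FIX:", line)
        print("     ", reason)
```

Run against the sample it flags three lines: the myexexex.com search bar, the file:// start page, and the myBar BHO; the Spybot helper, the Radio toolbar, the cosmetic LinksFolderName value and the clean msn.com start page pass. The allowlist approach is deliberate: a hijacker's search host is never on a known-bad list the day it appears, but the set of hosts a given machine should be using is small and known.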
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi hemiten,

    Can you please find and send to me :

    c:/spad/start.html <- this html file

    unzyATwilderssecurity.com (AT = @)

    Then download and run :

    http://www.zerosrealm.com/downloads/pv.zip

    Unzip to folder

    Make sure you are online and have one Explorer window open (like the start page)

    Then double-click runme.bat, choose option 1 and post the log here

    thnx!

    Cheers,
     
  3. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    In addition I would like to see a PV log from option 2 with one IE open, please.
    Thanks!
     
  4. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    Hi again!
    I can't post either of the two logs. The message that comes up is:

    You have included too many images in your signature or in your previous post. Please go back and correct the problem and then continue again.

    Images include use of smilies, the vB code tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator.

    ??
     
  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ah hmmm,

    Users have complained of that error before; there must be some characters in the log which confuse the engine here o_O

    Can you try the 'attach files' option?

    Click on submit reply

    Then under the submit reply button you see 'additional options'

    Click on manage attachments and upload the log

    Note : the log from option 2 like shadowwar asked is enough!

    Thnx!

    Cheers,
     
  6. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    Ok, let's try...
     

    Attached Files:

  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Good job Hemiten! :)

    here is the cause :

    HPCMDTY.DLL 1770000 61440 C:\DOCUME~1\ÄGAREN\LOKALA~1\Temp\HPCMDTY.DLL

    Let's start with cleaning up :

    Have only Hijackthis running and fix :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\2.bin\MYBAR.DLL

    Next make sure you have set all hidden files and folders to show : Here's How

    After doing so, copy the following text into Notepad:



    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
    [-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
    [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]


    hit 'save as'
    give it the name 'spad.reg'
    under the filename set file types to all files.
    save it to the desktop.

    Do not click it yet; after saving it, restart your PC in Safe Mode : Here's How and remove :

    C:\DOCUME~1\ÄGAREN\LOKALA~1\Temp\HPCMDTY.DLL <- this file
    c:/spad/ <- this folder
    C:\Program\MyWay\ <- this folder (nothing to do with the hijack)

    Clean temp internet files

    Then double-click spad.reg on the desktop (or wherever you saved it) and click Yes when asked to merge with the registry

    Restart again in normal mode and reset the desired start page in Internet Options

    Hope this helps

    Cheers,
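The .reg file in the post above deletes, for each extension CLSID, the same six key families (the IE Extensions key under HKLM, HKCU and HKU\.DEFAULT, and the CLSID registration under HKLM\SOFTWARE\Classes, HKCU\Software\Classes and HKEY_CLASSES_ROOT). The generator below, added here as an example and not code from the thread, builds that file for any list of CLSIDs, refuses anything that is not a well-formed CLSID (a typo in a `[-KEY]` line deletes whatever key it happens to name), optionally writes the Start Page / Default_Page_URL reset that the post leaves to Internet Options, and lists the keys a .reg file would delete so they can be reviewed before merging. The two CLSIDs in the usage block are the ones from the post; the about:blank reset value is an assumption.

```python
"""Generate and review a REGEDIT4 cleanup file like the spad.reg in the post above.

Added example, not code from the thread. The CLSIDs passed in and the
about:blank start page used for the reset are illustrative choices.
"""
import re

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Where IE registers extension buttons/menu items (the O9 lines), per hive.
EXTENSION_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions",
]
# Where the COM class behind such an extension is registered, per hive.
CLSID_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
    r"HKEY_CURRENT_USER\Software\Classes\CLSID",
    r"HKEY_CLASSES_ROOT\CLSID",
]
# The IE "Main" keys whose Start Page / Default_Page_URL values the R0/R1 lines showed as hijacked.
MAIN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
]


def is_clsid(text):
    """True if text is a {8-4-4-4-12} hex CLSID; guards against deleting a mistyped key."""
    return bool(CLSID_RE.match(text))


def reg_string(value):
    """Quote a string for a REGEDIT4 value: backslashes and double quotes must be escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def removal_reg(clsids, start_page=None):
    """Return REGEDIT4 text deleting every Extensions/CLSID key for the given CLSIDs and,
    if start_page is given, resetting Start Page (and Default_Page_URL under HKLM) to it."""
    lines = ["REGEDIT4", ""]
    for clsid in clsids:
        if not is_clsid(clsid):
            raise ValueError("refusing to emit a delete for non-CLSID %r" % (clsid,))
        for base in EXTENSION_KEYS + CLSID_KEYS:
            # A leading '-' inside the brackets deletes the key and its whole subtree.
            lines.append("[-%s\\%s]" % (base, clsid.upper()))
        lines.append("")
    if start_page is not None:
        for key in MAIN_KEYS:
            lines.append("[%s]" % key)
            lines.append('"Start Page"=%s' % reg_string(start_page))
            if key.startswith("HKEY_LOCAL_MACHINE"):
                lines.append('"Default_Page_URL"=%s' % reg_string(start_page))
            lines.append("")
    return "\n".join(lines) + "\n"


def deleted_keys(reg_text):
    """List the keys a .reg file deletes ([-KEY] lines), for review before merging it."""
    return re.findall(r"^\[-(.+)\]$", reg_text, re.M)


if __name__ == "__main__":
    # The two extension CLSIDs from the post above; about:blank is an assumed reset value.
    text = removal_reg(["{869EE607-5376-486d-8DAC-EDC8E239AD5F}",
                        "{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}"], start_page="about:blank")
    # REGEDIT4 files are ANSI text with CRLF line endings; regedit is fussy about the header line.
    with open("spad.reg", "w", newline="\r\n") as fh:
        fh.write(text)
    print("\n".join(deleted_keys(text)))
```

Before merging, run `deleted_keys` over the file and read the list; every key should be an Extensions or CLSID entry for a CLSID you have matched to the hijack, nothing broader. Exporting the affected Extensions keys first with `reg export` gives you a way back if a legitimate button was caught by mistake.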
     
  8. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    Thanx a lot Unzy! :D
    Hopefully everything will work just fine for me now...

    Simon
     
  9. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Simon,

    Hope all is well again?

    Can you do one more thing? :

    Search for the following file via start -> search -> files/folders :

    c_10230.dll

    Can you inform us if it's present on your PC and if so the exact location?

    Thnx!

    Cheers,
     
  10. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    Hi again!
    Well, yes - the file is on my computer. I can't get a closer location than the C:\WINDOWS\system32 folder, sorry.
    Should I delete the file?
     
  11. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Thnx for that info!

    Yes please also delete

    Hope all is well again

    Take care

    Cheers,
     