Please help me with this

Discussion in 'adware, spyware & hijack cleaning' started by jaro, Apr 14, 2004.

Thread Status:
Not open for further replies.
  1. jaro

    jaro, Registered Member (Joined: Apr 14, 2004; Posts: 2)

    Hello,

    I ran Ad-Aware 6.0 (latest version, updated). It found 4 'bad' files. I deleted them. I rebooted the system. When I open IE there is a search bar under the address bar.

    All these problems (new links in the Favorites links section, a lot of popups, the search bar) started after I downloaded one torrent file from suprnova.org.


    Here is my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:01:52 PM, on 4/14/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Software\PC Cillin\Tmntsrv.exe
    C:\Software\PC Cillin\tmproxy.exe
    C:\Software\PC Cillin\PccPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Software\PC Cillin\pccguide.exe
    C:\Software\PC Cillin\PCClient.exe
    C:\Software\PC Cillin\TMOAgent.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\rmctrl.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jaroandsanna\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sonera Internet
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Software\Adobe\Acrobat Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {13E1B2A7-042C-9286-A6F5-D870D3592945} - C:\PROGRA~1\GLOBAL~1\Nounsoftware.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: flagmail - {70DFA93B-5613-0977-625D-CA17621C8F03} - C:\PROGRA~1\GLOBAL~1\Nounsoftware.dll
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Software\PC Cillin\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Software\PC Cillin\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Software\PC Cillin\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [KeepBike] C:\PROGRA~1\Idol4\Bend flap inside.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Software\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.soneraplaza.fi
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38056.3651851852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{724A4C45-DA4F-4F19-86E2-53CB554285E4}: NameServer = 10.16.10.16 10.16.11.16
     
  2. Pieter_Arntz

    Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,332; Location: Netherlands)

    Hi jaro,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html

    O2 - BHO: (no name) - {13E1B2A7-042C-9286-A6F5-D870D3592945} - C:\PROGRA~1\GLOBAL~1\Nounsoftware.dll

    O3 - Toolbar: flagmail - {70DFA93B-5613-0977-625D-CA17621C8F03} - C:\PROGRA~1\GLOBAL~1\Nounsoftware.dll

    O4 - HKLM\..\Run: [KeepBike] C:\PROGRA~1\Idol4\Bend flap inside.exe

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\Idol4 <= entire folder
    C:\PROGRAM FILES\GLOBAL~1 <= the entire folder that holds Nounsoftware.dll

    Regards,

    Pieter
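
A triage aid for logs like the one above, added here as an example; it is not part of the original posts and not the helper's method. It parses R0/R1, O2, O3 and O4 lines and groups them by target, so one URL written to several search keys or one DLL registered as both BHO and toolbar shows up as a cluster to review; repetition is a pivot for review, not a verdict. `SAMPLE_LOG`, `parse_entry` and `shared_targets` are names made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.soneraplaza.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Software\Adobe\Acrobat Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13E1B2A7-042C-9286-A6F5-D870D3592945} - C:\PROGRA~1\GLOBAL~1\Nounsoftware.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: flagmail - {70DFA93B-5613-0977-625D-CA17621C8F03} - C:\PROGRA~1\GLOBAL~1\Nounsoftware.dll
O4 - HKLM\..\Run: [KeepBike] C:\PROGRA~1\Idol4\Bend flap inside.exe
"""

def parse_entry(line):
    """Return (code, location, target) for R0/R1, O2, O3, O4 lines, else None."""
    m = re.match(r"([RO]\d+) - (.+)$", line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1"):        # "<key>,<value name> = <data>"
        location, _, target = body.partition(" = ")
    elif code in ("O2", "O3"):      # "<kind>: <name> - {CLSID} - <file>"
        location, _, target = body.rpartition(" - ")
    elif code == "O4":              # "<hive>\..\Run: [<name>] <command>"
        m4 = re.match(r"(.+?: \[[^\]]*\]) (.+)$", body)
        if not m4:
            return None
        location, target = m4.groups()
    else:
        return None
    # Windows paths and hostnames are case-insensitive, so compare lowercased.
    return code, location, target.strip().strip('"').lower()

def shared_targets(log_text):
    """Map each target referenced by two or more entries to its (code, location) list."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            groups[entry[2]].append(entry[:2])
    return {t: refs for t, refs in groups.items() if len(refs) > 1}

if __name__ == "__main__":
    for target, refs in shared_targets(SAMPLE_LOG).items():
        print(len(refs), target, [code for code, _ in refs])
```
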
     
  3. jaro

    I did exactly what you told me but I didn't find the 'Global' folder. I did search for 'Nounsoftware.dll' and it didn't find anything. Anyway, it seems that everything is OK now.


    Thank you a lot. It's great to know that when I have some problems I can find help here so quickly and for free. I will recommend this site. Thanks again. :)
     
  4. Pieter_Arntz

    You're welcome.

    The name of the folder starts with Global, by the way; that is not the complete name. Another file often found in that folder is antepeak.dat

    But we have accomplished the most important thing: disabling it.
    You may have to clean out your Favorites, since some may have been added.

    Regards,

    Pieter
     