Problem with a "spyware detector"

Discussion in 'adware, spyware & hijack cleaning' started by bacusgod, Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. bacusgod (Registered Member)

    Joined: Jul 5, 2004
    Posts: 1

    I'm having some trouble with a homepage that informs me my PC has some spyware. As soon as I close the MSIE window, I get a porn site in a popup. I've run Adaware, Spybot and even removed some entries in HijackThis!, but to no avail. The porn page no longer appears (a 404 error appearing instead), but the homepage is still informing me I have spyware... What can I do?

    Here's the most recent HijackThis! log:

    Logfile of HijackThis v1.97.7
    Scan saved at 01:39:28 p.m., on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\Archivos de programa\Borland\InterBase\bin\ibguard.exe
    C:\WINDOWS\system32\explorer.exe
    c:\Archivos de programa\Borland\InterBase\bin\ibserver.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\JJ.INTURFCOL\Escritorio\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {598C7EA5-3FB5-4888-A5A9-FDF4C5C64695} - C:\WINDOWS\System32\jhbp.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [InterBaseGuardian] c:\Archivos de programa\Borland\InterBase\bin\ibguard.exe -a
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inturfcol.com
    O17 - HKLM\Software\..\Telephony: DomainName = inturfcol.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = inturfcol.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = inturfcol.com
     
  2. Taz71498 (Registered Member)

    Joined: May 27, 2004
    Posts: 674
    Location: USA

    Hello,

    If you don't have Adaware yet, download it from here: (Don't run it yet, but I do want you to open it and check for updates and then close it)

    Next,

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Close all windows except HijackThis and fix these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {598C7EA5-3FB5-4888-A5A9-FDF4C5C64695} - C:\WINDOWS\System32\jhbp.dll

    Don't reboot yet.

    Then start APM.
    In the upper window select explorer.exe
    In the lower window find and right-click C:\WINDOWS\System32\jhbp.dll. Select Unload DLL and click OK on the prompts that follow.

    Reboot and scan with AdAware now.

    Next, reboot.

    Copy the contents of the quote box to Notepad.
    Name the file Appinit.bat
    Save as type All Files
    Save on the Desktop.


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Copy and paste that log file here along with a new HJT log.
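
A triage sketch for the log format in this thread, as an added example that is not part of either post: it parses HijackThis entry lines and flags two patterns visible in the entries Taz71498 listed, namely IE R0/R1 values that point at a local .html file and an unnamed BHO whose DLL sits directly in System32. The function names and heuristics are assumptions made for illustration and do not cover every listed line (HomeOldSP = about:blank is not matched).

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JJ3C6B~1.INT\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {598C7EA5-3FB5-4888-A5A9-FDF4C5C64695} - C:\WINDOWS\System32\jhbp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"""

# "<section> - <body>", e.g. "R1 - ..." or "O2 - ..."; header and process lines do not match.
ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.*)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<dll>.+)$")
LOCAL_HTML = re.compile(r"^(file://)?[A-Za-z]:\\.*\.html?$", re.I)
SYSTEM32_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\System32\\[^\\]+\.dll$", re.I)

def parse(log):
    """Yield (section, body) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def triage(log):
    """Return [(section, reason, detail)] for entries matching the two heuristics."""
    findings = []
    for section, body in parse(log):
        if section in ("R0", "R1"):
            m = REG_VALUE.match(body)
            if m and LOCAL_HTML.match(m.group("data").strip()):
                findings.append((section, "IE page set to local HTML file", m.group("name").strip()))
        elif section == "O2":
            m = BHO.match(body)
            if m and m.group("name") == "(no name)" and SYSTEM32_DLL.match(m.group("dll").strip()):
                findings.append((section, "unnamed BHO loaded from System32", m.group("clsid")))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A match is a prompt for manual review, not a verdict: legitimate software also registers unnamed BHOs, which is why the Acrobat entry in the sample is left alone.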
     