Spyware removal+HijackThis log

Discussion in 'adware, spyware & hijack cleaning' started by Xon, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Spyware Detected ! (Please help!)

    Hi there,

    I'm currently using Windows XP Professional,
    and now it seems that spyware has been detected.
    Initially, by using SpyBot S&D, 'Webdialer' & 'DSO Exploits' appeared.
    However, I don't think they have been removed from my system.
    I've also tried downloading multiple scanners to remove them, but it seems
    useless. My Internet Explorer 6.0 has its Homepage tab corrupted, which means I can't enter a homepage I want.
    Furthermore, whenever I activate IE 6.0, it keeps going to 'about:blank'
    with suspicious pop-ups saying: "Spyware Detected, click here to remove it", etc.
    Can you suggest what I should do?
     
  2. yvonh733

    yvonh733 Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    14
    Re: Spyware Detected ! (Please help!)

    In the world we are living in... it is better to have more than one piece of software to help get rid of all the remnants.

    In your case... it seems like CWShredder could be of help... find it

    HERE

    Install it and run it... there are other tools I use... check my signature.

    Good luck and have a good day :D
     
  3. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Re: Spyware Detected ! (Please help!)

    GREAT ! SOLVED !
    Thank You Very Much !
    Really, Thank YOU ! ^_^
    Thanks!!!

    Love u.
    haha
     
  4. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Re: Spyware Detected ! (Please help!)

    OH NO!
    ...
    ...
    ...after a while, the problem came back.
    The nasty pop-ups appeared, my homepage back to about:blank...
    How? -_-...
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: Spyware Detected ! (Please help!)

    Hey Xon,

    I have moved your thread to the adware, spyware & hijack cleaning forum. Please follow the link below and the instructions within.

    This link ---> https://www.wilderssecurity.com/showthread.php?t=15913

    Then post your HijackThis log with any further description of your problem, and one of the experts will give you recommendations on any malware found.
     
  6. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Hi there,

    I used Spybot S&D.
    Problems I'm experiencing:
    1) IE 6.0 Homepage will not save what I include.
    e.g. I entered 'www.hotmail.com', but it keeps returning to 'about:blank' no matter what.
    2) Upon opening IE 6.0, it goes to 'about:blank' with some nasty pop-ups that keep saying "spyware detected in your system, click to remove" and the like.
    3) Of course, slower IE 6.0 speed; it does not open links as fast as it should anymore.
    4) (I'm not sure if this is also caused by this 'spyware') Whenever I play a video/clip in Windows Media Player 9, the image is corrupted.

    HijackThis Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:45:20 PM, on 6/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.9617.com/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {8092803D-E1B1-4978-88BF-BF08AE4510CE} - C:\WINDOWS\System32\efbgcia.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-sg\msntb.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E3489C0D-D07D-4281-A4A7-ADA8E9A0893F} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/cn/filesharingctrl.cab
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  8. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Here's the content of the output.txt file:



    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Sun 06/06/2004
    11:57 PM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "STUDIO'S" (2CFB:3095) - FS:NTFS clusters:512
    Total: 4 318 239 232 [4.0G] - Free: 535 982 592 [511M]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;



    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\RESMIK.DLL +++ File read error
    \\?\C:\WINDOWS\System32\RESMIK.DLL +++ File read error


    Scanning for main Hijacker:
    File found was C:\WINDOWS\System32\FKLKDDB.DLL
    Md5 tested As 8077C2987B88D4D351B8E0E16D453B51



    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Run start.bat again and choose option 2. Hit '1' and enter the dll name manually:
    C:\WINDOWS\System32\FKLKDDB.DLL

    Download AdAware: http://www.lavasoft.de/software/adaware/ (make sure you have the latest updates) and run it.

    Finally, also run CWShredder to clean up other entries.

    When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

    Regards,

    Pieter
     
  10. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Logfile of HijackThis v1.97.7
    Scan saved at 1:16:30 PM, on 6/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.9617.com/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-sg\msntb.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E3489C0D-D07D-4281-A4A7-ADA8E9A0893F} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/cn/filesharingctrl.cab
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Xon,

    Looks good. Only one left.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    Please read: Why did I get infected in the first place

    Regards,

    Pieter
     
  12. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Hi Pieter,

    After following your instructions, my homepage still cannot be set to what I typed in, in this case www.hotmail.com.
    It keeps returning to about:blank even after I rebooted my computer and after fixing the item you mentioned with HijackThis.

    How?
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Xon,

    Is about:blank an empty page now?
    This is to verify that CWS is gone.

    Regards,

    Pieter
     
  14. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Hello Pieter!

    Thanks a lot. The problem is solved. I can now set my homepage the way I want.
    Thank U Very Muuuch!

    Can you help me yet again in my remaining doubts?
    1) If a webpage I visit is supposed to be in English but turns out to be in Mandarin, what's wrong and what can I do to revert it? (e.g. www.neopets.com)
    2) While surfing the net, is it common to see the loading status bar at the bottom of IE 6.0 occasionally show "opening page: about:blank" even though it did not go to it after opening a particular page?
    3) Can you please add some direct links to help me download or tighten my IE 6.0 security? (And also to prevent the implantation of such 'virus'/'spy')

    Thank You. ^_^
    -Xon
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  16. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    The URL for www.neopets.com is correct according to 'Corestreet'.
    This website should be in English; however, when mine opens, it's in Mandarin.
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    In IE > Tools > Internet Options > General tab > Delete files (including offline content) and cookies.

    There could be something in there that gets you identified wrong.

    Regards,

    Pieter
     
  18. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Yup, deleted them already.
    But still the same.

    Do you think it has something to do with the 'Encoding'?
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Encoding could be worth a try.
    I am not a very good webmaster so I may miss a few options, but as far as I know multilingual displays can be arranged using cookies, Referer and IP (tricky).

    Regards,

    Pieter
     
  20. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Alright.
    One last minor question.
    I've installed SpywareBlaster already.
    To get it to work, do I have to activate it every time I am online to execute its function, or do I just leave it alone, as it will auto-detect even when I do not activate it?
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    You can start SpywareBlaster about once a week to check for updates and if all the protection is still in place. That's all it takes.

    Regards,

    Pieter
     
  22. Xon

    Xon Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    14
    Alright.

    Thanks a lot for all your time since the start!
    You've been a great deal of help!
    Thank You for all your efforts and advice.

    Goodbye
    -Xon


    ^^I'll Be Back!^^
     