The damage is done!!

Hi! I'm a brand new user sent here from SpyBot. I would like to use Spyblaster and use the Snapshot function. Problem is, I had a highjacking last week that set up SearchV as my homepage and did something to my computer to keep the "general " tab from coming up on my Internet Options. It took a while to clean up what I could understand and remove a bunch of porno site additions that it made to my Favorites and the icon on my startup page. But I still can't get back to a "clean" computer to "snapshot". Any ideas? ps, nice BB

 

Hi deecee,

Welcome at Wilders.

Could you post your HijackThis log
Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

 

Thanks Pieter. I think this is what you are asking for, I have spent many long hours trying to figure out what's going on and have found out many new things, so maybe the experience has some value:

StartupList version: 1.52

Started from : C:\Documents and Settings\Administrator\Local
Settings\Temp\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\MouseWarePro\MWProEng.exe

C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\HPHipm09.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WNCLIENT\PROGRAMS\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

MWProEng = C:\Program Files\MouseWarePro\MWProEng.exe
HpMmKbd = HpMmKbd.exe
Synchronization Manager = mobsync.exe /logon
PopUpKiller = C:\Program Files\PopUp Killer\PopUpKiller.EXE
LimeWire =
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
HPHmon03 = C:\WINNT\System32\hphmon03.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:


HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

WinShow module - C:\WINNT\winshow.dll (file missing) - {6CC1C918-AE8B-4373-
A5B4-28BA1851E39A}

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?
37861.9525347222

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------

End of report, 4,709 bytes
Report generated in 0.120 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

Hi deecee,

Actually that is not what I ment, but I can see what is bugging you.
Please download, unzip and run CWShredder also written by Merijn (creator of HijackThis)

If you still have problems, please post A HijackThis log and not a StartUpList like you posted before.
The site I linked to: http://www.tomcoyote.org/hjt/
has a tutorial on how to post your log.

Regards,

Pieter

 

Well, Pieter, I am at least getting an education.
This is what my tomcoyote highjack this scan looks like after using the cw shredder:
Logfile of HijackThis v1.96.4
Scan saved at 11:22:48 PM, on 9/8/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\HPHipm09.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WNCLIENT\PROGRAMS\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.9525347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E64EB26E-289B-486C-811D-83053C4D19F8}: NameServer = 12.102.240.2 204.127.160.2

I think I am missing some elements of IE6 as the remaining part of my problem? Will downloading IE6 cause problems with my files, folders, stuff saved on my harddrive?
This is what the result of the shred was:
- 0 registry values were killed
- Hostsfile was OK
- Bootconf.exe was not present
- Trusted Zone was OK
- User stylesheet was OK
- Oemsyspnp.inf was not present
- Svchost32.exe was not present
- Msspi.dll Winsock hook was not present
- Msinfo.exe was not present
- Winshow.dll BHO was not present
Hope to get back to "normal" so I can snapshot and start blasting.
Just a question: Shouldn't highjackers that make changes to my computer files/registries etc without my consent be considered viruses and the exporters of such be prosecutable?
Luck, and again thanks for all you do. Deecee

 

Hi deecee,

Have HijackThis Fix this entry, by putting a check-mark in front of it, close all IE windows and click Fix checked:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
That should put you back in the driver's seat again.
The rest of the log is clean.

If I told you how I feel about the producers of spyware the board censoring routine would probably get overheated.

But more and more AT and AV developers are including spyware in their definitions, depending on how aggressive the programs are.
CoolWebSearch (the one that hit you) and RapidBlaster have the doubtful honor of being the only two that ever had special programs written, with the sole purpose to remove them.
IMO the same should be done for lop.com.

Regards,

Pieter

 

Pieter,
All is back to normal, SpywareBlaster is installed, and I am singing your praises to all my family and friends. Thanks for the education, patience and help. The forces of evil fear you!! Deecee

 

I wish.

Glad I could help.

Pieter