The damage is done!!

Discussion in 'privacy problems' started by deecee, Sep 6, 2003.

Thread Status:
Not open for further replies.
  1. deecee

    deecee Guest

    Hi! I'm a brand new user sent here from SpyBot. I would like to use SpywareBlaster and use the Snapshot function. Problem is, I had a hijacking last week that set up SearchV as my homepage and did something to my computer to keep the "General" tab from coming up on my Internet Options. It took a while to clean up what I could understand and remove a bunch of porno site additions that it made to my Favorites and the icon on my startup page. But I still can't get back to a "clean" computer to "snapshot". Any ideas? PS, nice BB :doubt:
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi deecee,

    Welcome to Wilders. :)

    Could you post your HijackThis log?
    Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. deecee

    deecee Guest

    Thanks Pieter. I think this is what you are asking for, I have spent many long hours trying to figure out what's going on and have found out many new things, so maybe the experience has some value:
    o_O
    StartupList version: 1.52

    Started from : C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\MouseWarePro\MWProEng.exe

    C:\WINNT\system32\HpMmKbd.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINNT\System32\hphmon03.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPHipm09.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
    C:\PROGRA~1\AT&T\WNCLIENT\PROGRAMS\WNCSMS~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    MWProEng = C:\Program Files\MouseWarePro\MWProEng.exe
    HpMmKbd = HpMmKbd.exe
    Synchronization Manager = mobsync.exe /logon
    PopUpKiller = C:\Program Files\PopUp Killer\PopUpKiller.EXE
    LimeWire =
    HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    HPHmon03 = C:\WINNT\System32\hphmon03.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:


    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    WinShow module - C:\WINNT\winshow.dll (file missing) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.9525347222

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------

    End of report, 4,709 bytes
    Report generated in 0.120 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi deecee,

    Actually that is not what I meant, but I can see what is bugging you.
    Please download, unzip and run CWShredder, also written by Merijn (creator of HijackThis).

    If you still have problems, please post a HijackThis log, not a StartupList like you posted before.
    The site I linked to, http://www.tomcoyote.org/hjt/, has a tutorial on how to post your log.

    Regards,

    Pieter
     
  5. deecee

    deecee Guest

    Well, Pieter, I am at least getting an education.
    This is what my tomcoyote HijackThis scan looks like after using CWShredder:
    Logfile of HijackThis v1.96.4
    Scan saved at 11:22:48 PM, on 9/8/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\MouseWarePro\MWProEng.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\WINNT\system32\HpMmKbd.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINNT\System32\hphmon03.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\explorer.exe
    C:\WINNT\System32\HPHipm09.exe
    C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
    C:\PROGRA~1\AT&T\WNCLIENT\PROGRAMS\WNCSMS~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
    O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.9525347222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E64EB26E-289B-486C-811D-83053C4D19F8}: NameServer = 12.102.240.2 204.127.160.2

    I think I am missing some elements of IE6 as the remaining part of my problem? Will downloading IE6 cause problems with my files, folders, stuff saved on my hard drive?
    This is what the result of the shred was:
    - 0 registry values were killed
    - Hostsfile was OK
    - Bootconf.exe was not present
    - Trusted Zone was OK
    - User stylesheet was OK
    - Oemsyspnp.inf was not present
    - Svchost32.exe was not present
    - Msspi.dll Winsock hook was not present
    - Msinfo.exe was not present
    - Winshow.dll BHO was not present
    Hope to get back to "normal" so I can snapshot and start blasting.
    Just a question: Shouldn't hijackers that make changes to my computer files/registries etc. without my consent be considered viruses, and the exporters of such be prosecutable?
    Luck, and again thanks for all you do. Deecee

    :p
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi deecee,

    Have HijackThis fix this entry by putting a check mark in front of it, closing all IE windows and clicking "Fix checked":
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    That should put you back in the driver's seat again.
    The rest of the log is clean.

    If I told you how I feel about the producers of spyware the board censoring routine would probably get overheated. ;)

    But more and more AT and AV developers are including spyware in their definitions, depending on how aggressive the programs are.
    CoolWebSearch (the one that hit you) and RapidBlaster have the doubtful honor of being the only two that ever had special programs written, with the sole purpose to remove them.
    IMO the same should be done for lop.com.

    Regards,

    Pieter
     
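The advice above boils down to reading a HijackThis log for three kinds of entry: an O6 policy key that hides Internet Options tabs, an O2 BHO whose DLL is already gone, and R0/R1 start or search page values that point somewhere the user never chose. The script below is an added example, not part of the thread or of HijackThis itself: it parses a small constructed log (modelled on the entry types shown in this thread, with "hijacked.example" as a placeholder host) and reports only those three classes, leaving everything else alone, which matches the "most of what it finds is harmless" rule. The `trusted_hosts` set is an assumption supplied by whoever runs it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log, modelled on the entry types discussed in this thread.
# The host "hijacked.example" is a placeholder, not a real indicator.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.att.net/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hijacked.example/
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\\WINNT\\winshow.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [MWProEng] C:\\Program Files\\MouseWarePro\\MWProEng.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Values that are normal for R0/R1 entries: the browser's own placeholders.
BENIGN_URL_VALUES = {"", "about:blank", "(default)"}


def parse_entries(log_text):
    """Yield (line_no, code, body) for every well-formed HijackThis entry."""
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw.strip())
        if m:
            yield line_no, m.group("code"), m.group("body")


def triage(log_text, trusted_hosts):
    """Return a list of (line_no, code, reason) for entries that need attention.

    Rules cover the three classes raised in the thread: policy keys that hide
    Internet Options tabs (O6), BHO registrations whose DLL is gone (O2), and
    start/search page values pointing at a host the user did not choose (R0/R1).
    """
    findings = []
    for line_no, code, body in parse_entries(log_text):
        if code == "O6":
            findings.append((line_no, code,
                             "IE policy restriction present; can hide Internet Options tabs"))
        elif code == "O2" and "(file missing)" in body:
            findings.append((line_no, code, "BHO registered but its DLL is missing (leftover)"))
        elif code in ("R0", "R1"):
            _, _, value = body.partition(" = ")
            value = value.strip().lower()
            if value in BENIGN_URL_VALUES or "://" not in value:
                continue  # placeholders and non-URL settings (e.g. window title) are fine
            host = urlsplit(value).hostname or ""
            if host not in trusted_hosts:
                findings.append((line_no, code,
                                 f"start/search page points at untrusted host {host}"))
    return findings


if __name__ == "__main__":
    # The ISP home page from the thread is the only host this user chose.
    for line_no, code, reason in triage(SAMPLE_LOG, {"www.att.net"}):
        print(f"line {line_no} [{code}]: {reason}")
```

Run against the sample it reports the HKLM start page, the orphaned WinShow BHO and the O6 policy key, and nothing else; in practice the O6 finding is the one to clear first, since until that policy key is removed the user cannot reach the General tab to change the home page by hand.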
  7. deecee

    deecee Guest

    Pieter,
    All is back to normal, SpywareBlaster is installed, and I am singing your praises to all my family and friends. Thanks for the education, patience and help. The forces of evil fear you!! Deecee
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    I wish. :)

    Glad I could help.

    Pieter
     