Hi! I'm a brand new user sent here from SpyBot. I would like to use SpywareBlaster and use the Snapshot function. Problem is, I had a highjacking last week that set up SearchV as my homepage and did something to my computer to keep the "General" tab from coming up on my Internet Options. It took a while to clean up what I could understand and remove a bunch of porno site additions that it made to my Favorites and the icon on my startup page. But I still can't get back to a "clean" computer to "snapshot". Any ideas? PS: nice BB.
Hi deecee, Welcome to Wilders. Could you post your HijackThis log? Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post. Don't fix anything yet. Most of what it finds is harmless. Regards, Pieter
Thanks Pieter. I think this is what you are asking for, I have spent many long hours trying to figure out what's going on and have found out many new things, so maybe the experience has some value:

StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\HPHipm09.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WNCLIENT\PROGRAMS\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

MWProEng = C:\Program Files\MouseWarePro\MWProEng.exe
HpMmKbd = HpMmKbd.exe
Synchronization Manager = mobsync.exe /logon
PopUpKiller = C:\Program Files\PopUp Killer\PopUpKiller.EXE
LimeWire =
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
HPHmon03 = C:\WINNT\System32\hphmon03.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

WinShow module - C:\WINNT\winshow.dll (file missing) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A}

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.9525347222

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,709 bytes
Report generated in 0.120 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi deecee, Actually that is not what I meant, but I can see what is bugging you. Please download, unzip and run CWShredder, also written by Merijn (creator of HijackThis). If you still have problems, please post a HijackThis log and not a StartupList like you posted before. The site I linked to, http://www.tomcoyote.org/hjt/, has a tutorial on how to post your log. Regards, Pieter
Well, Pieter, I am at least getting an education. This is what my tomcoyote highjack this scan looks like after using the cw shredder:

Logfile of HijackThis v1.96.4
Scan saved at 11:22:48 PM, on 9/8/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\HPHipm09.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WNCLIENT\PROGRAMS\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.9525347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E64EB26E-289B-486C-811D-83053C4D19F8}: NameServer = 12.102.240.2 204.127.160.2

I think I am missing some elements of IE6 as the remaining part of my problem? Will downloading IE6 cause problems with my files, folders, stuff saved on my harddrive?

This is what the result of the shred was:
- 0 registry values were killed
- Hostsfile was OK
- Bootconf.exe was not present
- Trusted Zone was OK
- User stylesheet was OK
- Oemsyspnp.inf was not present
- Svchost32.exe was not present
- Msspi.dll Winsock hook was not present
- Msinfo.exe was not present
- Winshow.dll BHO was not present

Hope to get back to "normal" so I can snapshot and start blasting. Just a question: Shouldn't highjackers that make changes to my computer files/registries etc without my consent be considered viruses and the exporters of such be prosecutable? Luck, and again thanks for all you do. Deecee
Hi deecee, Have HijackThis Fix this entry, by putting a check-mark in front of it, close all IE windows and click Fix checked:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

That should put you back in the driver's seat again. The rest of the log is clean. If I told you how I feel about the producers of spyware the board censoring routine would probably get overheated. But more and more AT and AV developers are including spyware in their definitions, depending on how aggressive the programs are. CoolWebSearch (the one that hit you) and RapidBlaster have the doubtful honor of being the only two that ever had special programs written, with the sole purpose to remove them. IMO the same should be done for lop.com. Regards, Pieter
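As an added example (not part of the original thread and not HijackThis's own code), this Python parser groups HijackThis log entries by section code and pulls out the IE page settings and the O6 policy entry that the reply above singles out. The function names are hypothetical, the section descriptions follow HijackThis's documented meanings, and the sample lines are copied from the log posted in this thread.

```python
import re
from collections import defaultdict

# HijackThis section codes that occur in the log posted in this thread.
SECTIONS = {
    "R0": "IE start/search page (changed registry value)",
    "R1": "IE start/search page (created registry value)",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart entry (Run key or Startup folder)",
    "O6": "IE Options access restricted by policy",
    "O8": "Extra item in IE right-click menu",
    "O9": "Extra IE toolbar button or Tools menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O17": "DNS server or domain setting",
}
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")

def parse_log(text):
    """Group entries by section code; header and process lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def ie_page_settings(groups):
    """Map each R0/R1 registry value name to the URL it currently holds."""
    pages = {}
    for body in groups.get("R0", []) + groups.get("R1", []):
        key, _, url = body.partition(" = ")
        pages[key.rsplit(",", 1)[-1]] = url
    return pages

def policy_locks(groups):
    """O6 entries: policy keys that restrict access to Internet Options."""
    return groups.get("O6", [])

# Sample input: lines copied from the HijackThis log in this thread.
SAMPLE = r"""Logfile of HijackThis v1.96.4
C:\WINNT\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

groups = parse_log(SAMPLE)
for code, items in groups.items():
    print(code, SECTIONS.get(code, "unknown section"), len(items))
```
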
Pieter, All is back to normal, SpywareBlaster is installed, and I am singing your praises to all my family and friends. Thanks for the education, patience and help. The forces of evil fear you!! Deecee