You'll never believe it.....

Discussion in 'adware, spyware & hijack cleaning' started by craigbass76, Dec 11, 2003.

Thread Status:
Not open for further replies.
  1. craigbass76

    craigbass76 Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    72
    Location:
    Maine, USA
    I have a spyware problem.....

    I used spybot by Mr. Kolla, and tried to run spyblaster but couldn't make heads or tails of it. I downloaded Hijackthis. Here's what happens, I start up IE (it's not my computer, and I think I just sold the owner on Mozilla) and immediately get bombarded with ads, then a link to spykiller Pro. Here's the hijack log



    Logfile of HijackThis v1.97.7
    Scan saved at 9:26:18 PM, on 12/11/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\SYSTEM32\tbctray.exe
    C:\Program Files\Cosmi\HelpExpress\Edward\HXIUL.EXE
    C:\Program Files\Cosmi\HelpExpress\Edward\Client\HelpExp.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Cosmi\HelpExpress\Edward\Client\PrintMonitor.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\emsw.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\mozilla.org\Mozilla\mozilla.exe
    C:\Documents and Settings\Edward\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://adbuyer3.lycos.com/tm/results.asp
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_genpg&prodOS=011&product_full_name=psc%202110&modelID=C8648A&PROD_SERIAL_ID=MY27NC52HN0F
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Pat\LOCALS~1\Temp\bundle.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Cosmi\HelpExpress\Edward\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Cosmi\HelpExpress\Edward\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74C448E8-D6B0-430F-A173-8723D932F1AC}: NameServer = 207.5.128.9 207.5.128.10

    I notice that it says something about IE, but not mozilla even though I installed the browser before running this scan. Does mozilla not get hijacked or something?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi craigbass76,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://adbuyer3.lycos.com/tm/results.asp

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx__SpybotSDDisabled (file missing)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Pat\LOCALS~1\Temp\bundle.exe

    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Cosmi\HelpExpress\Edward\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Cosmi\HelpExpress\Edward\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

    O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm

    Then reboot and delete:
    C:\DOCUMENTS AND SETTINGS\Pat\LOCAL SETTINGS\Temp\bundle.exe
    C:\Program Files\Cosmi\HelpExpress <= entire folder
    C:\WINDOWS\emsw.exe
    C:\Program Files\websearch <= entire folder

    Mozilla can get hijacked and it would show up if it had been.
    (Plus it is a lot easier to cure)

    Regards,

    Pieter
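A small triage script for the HijackThis log format used in this thread, added here as an example (it is not from the thread, from Pieter, or from HijackThis itself): it parses R0/R1, O2 and O4 lines like the ones above and flags the same kinds of entries Pieter singled out, namely autoruns from Temp folders, BHOs whose file is gone, start/search pages pointing at an unexpected host, and executables named in the thread. The expected-host set and the known-bad names are assumptions taken from this thread; the log excerpt is copied from the logs posted above.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://adbuyer3.lycos.com/tm/results.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Pat\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
"""

# Assumptions for this sample: hosts the owner actually set, and names the helper said to remove.
EXPECTED_HOSTS = {"www.dellnet.com", "start.earthlink.net", "www.earthlink.net"}
KNOWN_BAD = {"msblast.exe", "bundle.exe", "emsw.exe"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
R_RE = re.compile(r"^(R[01]) - [^,]*,(.*?) = (\S+)")
BHO_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.*)$")

def exe_of(command):
    """Return the executable path from a Run value, dropping quotes and switches."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]

def triage(log_text):
    """Return (section, item, reason) tuples for lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        if m := RUN_RE.match(line):
            _hive, name, command = m.groups()
            exe = exe_of(command)
            base = exe.rsplit("\\", 1)[-1].lower()
            if any(t in exe.lower() for t in TEMP_MARKERS):
                findings.append(("O4", name, "autorun from a Temp directory"))
            elif base in KNOWN_BAD:
                findings.append(("O4", name, f"known-bad executable {base}"))
            elif "\\" not in exe:
                findings.append(("O4", name, "bare filename, location cannot be verified"))
        elif m := R_RE.match(line):
            kind, setting, url = m.groups()
            host = urlparse(url).hostname or ""  # about:blank and local files have no host
            if host and host not in EXPECTED_HOSTS:
                findings.append((kind, setting, f"unexpected host {host}"))
        elif (m := BHO_RE.match(line)) and ("(no file)" in m.group(2) or "(file missing)" in m.group(2)):
            findings.append(("O2", m.group(1), "BHO registered but its file is missing"))
    return findings
```

Entries with a bare filename are only marked for review; a legitimate driver tray program can look the same as a worm in the log, which is why the thread's helper checks each one by hand.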
     
  3. craigbass76

    craigbass76 Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    72
    Location:
    Maine, USA
    Here's the log from another computer that was having the same problem. I don't see anything that is exactly the same, so I didn't delete any items on the list. Thanks Pieter for answering the last one. I'm going tonight to fix what you suggested.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:44:43 PM, on 12/15/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\mozilla.org\Mozilla\mozilla.exe
    C:\Documents and Settings\Edward Moulton\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=2839
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{39846847-3713-4C40-ADDC-8FC97812BD9A}: NameServer = 207.217.120.83 207.217.77.82
    O17 - HKLM\System\CS1\Services\Tcpip\..\{39846847-3713-4C40-ADDC-8FC97812BD9A}: NameServer = 207.217.120.83 207.217.77.82
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi craigbass76,

    First download and run: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Then check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm <= I had to crash IE on that one o_O

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [windows auto update] msblast.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Then reboot. You may have to reinstall NAV as it seems it was corrupted.

    Regards,

    Pieter
     
  5. craigbass76

    craigbass76 Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    72
    Location:
    Maine, USA
    In regards to the first computer log I posted, I couldn't find

    C:\DOCUMENTS AND SETTINGS\Pat\LOCAL SETTINGS\Temp\bundle.exe

    It just wasn't there. Could it have disappeared when I erased something else, or did it run off and hide when it realized I was gunning for it?
     
  6. yokenny

    yokenny Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    27
    Location:
    Toronto, Canada
    If you had IE-SPYAD you would notice it has been placed in the IE Restricted Zone.
    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD
     