MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Hijacked and Spyfinders not finding it.
November 18, 2019, 05:08:27 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 18, 2019, 05:08:27 PM

Login with username, password and session length
 Featured Sites:
News
12th Anniversary Celebrating 12 Years! (1997 - 2009) 12th Anniversary
Thanks to ALL that make this site what it is!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2  All Go Down Print
Author Topic: Hijacked and Spyfinders not finding it.  (Read 2901 times)
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« on: September 12, 2004, 11:24:24 PM »

I have Windows XP and IE. The browser keeps getting hijacked every 10th or so page I go to, so it's not consistant. Spybot and Spyware Guard and Ad-Aware isn't finding any spyware (Not even the plugin for adaware to find VX2's).

Logfile of HijackThis v1.98.2
Scan saved at 8:42:41, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Utilities\CFusionMX\runtime\bin\jrunsvc.exe
C:\Utilities\CFusionMX\runtime\bin\jrun.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swagent.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swsoc.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Kata\Resolution2\Resolution2.exe
C:\Program Files\webcamXP\webcamXP.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Boost XP\bxservice.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Resolution2.exe] C:\Program Files\Kata\Resolution2\Resolution2.exe
O4 - HKCU\..\Run: [webcamXP] "C:\Program Files\webcamXP\webcamXP.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Boost XP Service] C:\Program Files\Boost XP\bxservice.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: winvnc4.lnk = C:\Program Files\RealVNC\VNC4\winvnc4.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #1 on: September 12, 2004, 11:37:25 PM »

Can you Download DLLCompare


Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button  


EDIT---I meant to add this too
Where are you getting hijacked too?
Can you describe the type of Popups or hijack

Looks like you intentionally set your homepage to about:blank, right?
« Last Edit: September 12, 2004, 11:39:24 PM by benditup » Logged

 
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« Reply #2 on: September 13, 2004, 12:38:24 AM »

Nothing was found. Sad

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found Smiley"
________________________________________________

1,388 items found:  1,388 files, 0 directories.
Total of file sizes:  283,458,527 bytes    270.32 M

Administrator Account =  True

--------------------End log---------------------

and my homepage as per the internet properities show www.google.com (which it should be).

I get hijacked to a redirector which puts up ads for target and other companies. It's to fast for me to see the whole domain, but it starts with www.qw*

Sorry.. But it happens suddenly and by the time I realize I've been hijacked, it's already moved on.
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #3 on: September 13, 2004, 01:40:55 AM »

Can you try something, I've uploaded a File called IEFIX.zip
Save it to your desktop and Unzip the file IEFIX.reg to the desktop...Don't run it yet

Can you temporarily disable SpywareGuards protection

Do another scan with hijackthis and put a check next to these entries
and then Fix checked when all other windows are closed

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

RESTART your Computer in SAFE MODE

Double click on IEFIX.reg and allow it to merge to the registry

RESTART back in Normal mode
Don't open a browser yet, instead access Internet Options via Control
Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back with a fresh hijackthis log

Download Attachment: IEFIX.zip.zip 1.1 KB
Right click and select Save Target As... then rename the file as shown here and save.
Logged

 
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« Reply #4 on: September 13, 2004, 02:37:41 AM »

Logfile of HijackThis v1.98.2
Scan saved at 19:39:27, on 9/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Utilities\CFusionMX\runtime\bin\jrunsvc.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swagent.exe
C:\Utilities\CFusionMX\runtime\bin\jrun.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swsoc.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Program Files\Kata\Resolution2\Resolution2.exe
C:\Program Files\webcamXP\webcamXP.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Boost XP\bxservice.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Utilities\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Resolution2.exe] C:\Program Files\Kata\Resolution2\Resolution2.exe
O4 - HKCU\..\Run: [webcamXP] "C:\Program Files\webcamXP\webcamXP.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Boost XP Service] C:\Program Files\Boost XP\bxservice.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: winvnc4.lnk = C:\Program Files\RealVNC\VNC4\winvnc4.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} -
O16 - DPF: {67914C73-6B13-4365-8052-06C1C765CD20} -
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab


Personally, I think now that
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} -
O16 - DPF: {67914C73-6B13-4365-8052-06C1C765CD20} -
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} -
is the problem. But it wasn't in there before. You want I should fix this?
Logged

 
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« Reply #5 on: September 13, 2004, 02:44:56 AM »

and I just got hijacked after searching in my google toolbar to www.passion.com.

Do these people really think that we will buy the things that they show? I mean, I'm considering calling target and letting them know that because of spyware, I'm going to boycot their store.
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #6 on: September 13, 2004, 03:04:29 AM »

Did you merge IEfix into the registry? SpywareGuard may be interfering

I would fix all the 016 entries and then Restart your computer

Go to this site and download
 VX2.BetterInternet Finder XP/2k-- Version Msg126

Open VX2 finder
Click the find vx2 button
then click the make log button.

Post the log with a fresh hijackthis log.

If you haven't done so already, you should download
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

Forgot to add the link to VX2 finder
http://www.subratam.org/?page=removal
« Last Edit: September 13, 2004, 03:25:38 AM by benditup » Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #7 on: September 13, 2004, 03:17:06 AM »

My eyes are going Lance
Set Windows to Show Hidden Files and Folders

Navigate to this file, I see it in your running processes
C:\WINDOWS\System32\cvss.exe <--this file

Right click on it----properties---version
Do you know what it is related too?
Could you submit it to Kapersky's and RAV's for a free virus scan
http://www.kaspersky.com/scanforvirus
http://www.ravantivirus.com/scan/indexn.php

Simply use the Browse button to navigate to the file
Right click on it-----Select---Submit

Let me know what you find on it, thanks
Logged

 
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« Reply #8 on: September 13, 2004, 06:00:09 AM »

Ok.. this is really strange...

cvss.exe does not exist on the HD. It's not hidden or anything...

It isn't listed in the task manager at all. However, it is still listed in HijackThis as a running process.

The only thing on the HD that is close to it is CVSS.EXE-1708AB1D.pf in the Windows\prefetch directory... Why I have a prefetch directory, I don't know.

There looks to be several program files with the extention of .pf in that directory (including HL {Half life?} in the directory).

I looked on MSCONFIG and saw that it was there and removed it from the loading (BTW, anyone know how to remove the excess programs from the startup list that aren't checked?).

So.. I'm reboting and I'll let you know how it goes.. Any other ideas?

Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #9 on: September 13, 2004, 06:12:13 AM »

I gave you another idea, can you post a log from the VX2 finder!!!

Logged

 
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« Reply #10 on: September 13, 2004, 06:25:16 AM »

Oops. Sorry about that..

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
{D591C780-D667-40D1-8248-24A907139F18}

I've removed cvss.exe from the startup on one of my users (so now, it's all gone). I've also went through the registry and removed all references to the file (after making a backup that is).
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #11 on: September 13, 2004, 06:30:45 AM »



I won't be able to see this till tomorrow but can you go back and
download the newer version of VX2 finder and post a log from that one
 VX2.BetterInternet Finder XP/2k-- Version Msg126

and then post back with a fresh hijackthis log

Sorry, edited this, I'm tired, off to bed;)
« Last Edit: September 13, 2004, 06:36:53 AM by benditup » Logged

 
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« Reply #12 on: September 13, 2004, 06:59:04 AM »

It's back. I think I'm going to cry... Undecided

I have no clue as to what's going on with this... What do you suggest next?

BTW, thank you for the help so far. Smiley


Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
AtiExtEvent
crypt32chain
cryptnet
cscdll
PCANotify
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{D591C780-D667-40D1-8248-24A907139F18}



Logfile of HijackThis v1.98.2
Scan saved at 0:00:32, on 9/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Utilities\CFusionMX\runtime\bin\jrunsvc.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swagent.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\Utilities\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Utilities\CFusionMX\runtime\bin\jrun.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Program Files\Kata\Resolution2\Resolution2.exe
C:\Program Files\webcamXP\webcamXP.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Boost XP\bxservice.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\Spyware\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Resolution2.exe] C:\Program Files\Kata\Resolution2\Resolution2.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [webcamXP] "C:\Program Files\webcamXP\webcamXP.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Boost XP Service] C:\Program Files\Boost XP\bxservice.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: winvnc4.lnk = C:\Program Files\RealVNC\VNC4\winvnc4.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} -
O16 - DPF: {67914C73-6B13-4365-8052-06C1C765CD20} -
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

Logged

 
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« Reply #13 on: September 13, 2004, 07:39:35 AM »

http://66.102.7.104/search?q=cache:QlLiM5G2L54J:forum.gladiator-antivirus.com/index.php%3Fshowtopic%3D17912%26view%3Dnew+cvss.exe&hl=en

Here's something that may or may not help. I'm having the same problem as this guy, but I don't have the other 2 files happening.
Logged

 
Lance_Lake
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 13


Bookmark and Share

View Profile
« Reply #14 on: September 13, 2004, 08:05:06 AM »

HA! I GOT THE F**KER!!! Smiley

Scanned file:   cvss.exe
 
cvss.exe - packed with ASPack
cvss.exe - infected by TrojanDownloader.Win32.Qoologic.b  


I managed to quarenteen it with a process manager. Let's see if it works. Smiley
Logged

 
Pages: [1] 2  All Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page April 12, 2017, 10:56:22 AM