MyTechSupport.ca :: Computer Support Forums :: Security & Viruses :: Topic: Win Min and hijack
cbrylla
« on: November 23, 2004, 02:46:47 AM »

Hi, I have the usual Win Min error and constant messages from Spybot about new registry entries (I always choose "deny change"). This is my HijackThis log:


Logfile of HijackThis v1.98.2
Scan saved at 02:35:55, on 23/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Burning\Applications\System Essentials\Spy and privacy software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [koeaxif] c:\windows\xxqywrs.exe
O4 - Startup: NAVAPSVC.EXE.lnk = C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab


I tried the normal procedure suggested in this forum (safe mode, deleting the "mypoiskovik" entries and deleting "c:\windows\xxqywrs.exe"). However, it does not make any change, as you can see from the log.

Any help greatly appreciated.

Thanks,

Catalin

Pancake
Global Moderator
« Reply #1 on: November 23, 2004, 09:39:05 AM »

Hi
Make sure you have already run Ad-Aware and Spybot S&D (check for updates), as these will do a preliminary clean first. Some files below may not be present after running the above programs.

Then.....
Turn off your System Restore (see here: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). Reinstate it and create a new restore point when your log is cleaned. Close your browser window and run HJT in safe mode (how to run Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam) and have HijackThis fix the following by placing a check in the appropriate boxes and selecting "Fix checked". Files highlighted in BLACK will need to be removed from your hard drive. Make sure to have your system set to show hidden files and folders (how to show files: www.xtra.co.nz/help/0,,4155-1916458,00.html). Please post a new log when finished...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O4 - HKCU\..\Run: [koeaxif] c:\windows\xxqywrs.exe
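As an added example (not code from the thread, from HijackThis or from its authors), a small Python checker that parses the R0/R1, O2 and O4 lines of a HijackThis 1.98 log and flags the three patterns Pancake lists above: a start/search page redirected to an unexpected host, a BHO loading from the Windows directory or whose dll is already gone, and a Run entry launching an exe dropped directly in C:\WINDOWS. The sample lines are the thread's own; the trusted-host set is an assumption. It also diffs two scans, which is how the second log posted later in the thread differs from the first (only the BHO line changed).

```python
import re
from urllib.parse import urlparse

# Constructed sample: the relevant lines copied from the thread's first HijackThis log.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [koeaxif] c:\windows\xxqywrs.exe
"""
# The thread's second log differs only in the BHO line: its dll had gone by then.
LOG_AFTER = LOG_BEFORE.replace(r"C:\WINDOWS\System32\smiehlp.dll", "(no file)")

# Hosts a home/search page is expected to point at (assumed, not taken from the thread).
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}

R_LINE = re.compile(r"^(R[01]) - (.+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")

def parse(log):
    """Return (section, name, target) tuples for the R0/R1, O2 and O4 entries."""
    entries = []
    for line in log.splitlines():
        if m := R_LINE.match(line):
            entries.append((m.group(1), m.group(2), m.group(3)))
        elif m := O2_LINE.match(line):
            entries.append(("O2", m.group(1), m.group(3)))
        elif m := O4_LINE.match(line):
            entries.append(("O4", f"{m.group(1)}:{m.group(2)}", m.group(3).strip('"')))
    return entries

def suspicious(entries):
    """Flag the three patterns the moderator told the poster to have HJT fix."""
    findings = []
    for section, name, target in entries:
        if section in ("R0", "R1"):
            host = urlparse(target).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append((section, name, f"start/search page redirected to {host}"))
        elif section == "O2":
            if target == "(no file)":
                findings.append((section, name, "orphaned BHO registration, dll already gone"))
            elif target.lower().startswith(r"c:\windows"):
                findings.append((section, name, "BHO loaded from the Windows directory, not a vendor folder"))
        elif section == "O4" and target.lower().rsplit("\\", 1)[0] == r"c:\windows":
            # HKCU Run keys need no admin rights to write; a random-named exe directly in C:\WINDOWS is the classic dropper pattern.
            findings.append((section, name, "Run entry launching an exe dropped directly in C:\\WINDOWS"))
    return findings

def diff_logs(before, after):
    """Entries removed from and added to a later scan; shows what a fix actually changed."""
    old, new = set(parse(before)), set(parse(after))
    return sorted(old - new), sorted(new - old)
```

Running `suspicious(parse(LOG_BEFORE))` flags exactly the five-line list Pancake asked the poster to fix minus the O2 line that had already vanished by the second scan, and `diff_logs` makes that disappearance explicit.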
cbrylla
« Reply #2 on: November 28, 2004, 11:17:24 PM »

Hi Pancake, sorry for the delay,

I did everything you suggested, but once I am in safe mode I cannot see the files to be deleted. I cannot see them in normal mode either (hidden files are all shown). What's going on? This is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 23:09:10, on 28/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Burning\Applications\System Essentials\Spy and privacy software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [koeaxif] c:\windows\xxqywrs.exe
O4 - Startup: NAVAPSVC.EXE.lnk = C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab



Thanks a lot,

Catalin
Pancake
Global Moderator
« Reply #3 on: November 28, 2004, 11:49:58 PM »

Try removing this file using the program below:
O4 - HKCU\..\Run: [koeaxif] c:\windows\xxqywrs.exe

http://pcf.mundayweb.com/index.php?view=16
cbrylla
« Reply #4 on: November 29, 2004, 12:01:07 AM »

I have searched the system for these 2 files:

xxqywrs.exe
smiehlp.dll

smiehlp seems to have gone, although I never deleted it. xxqywrs still comes up when scanning with HJT, but I cannot find it anywhere, not even in safe mode (I have been searching with hidden and system files view ENABLED).

Any help greatly appreciated as this seems to be quite serious.

Catalin
Pancake
Global Moderator
« Reply #5 on: November 29, 2004, 02:03:36 AM »

xxqywrs.exe may be in Windows Task Manager as a running process. I take it that you did run Spybot?
cbrylla
« Reply #6 on: November 29, 2004, 02:20:26 AM »

Yes, I ran Spybot and Ad-Aware, both fully updated. I have also tried the killer_2 program you recommended to me; no success in finding the file. BTW, it is not in the Windows Task Manager. It is really weird. The only trace of its existence is the entry in the HJT log. And I still have the mypoiskovik entries.

Is there any other way, or am I doing anything wrong?
Pancake
Global Moderator
« Reply #7 on: November 29, 2004, 02:40:25 AM »

OK, run the log for yourself and fix the items, reboot, and check the log again.
cbrylla
« Reply #8 on: November 29, 2004, 02:52:39 AM »

quote:
Originally posted by Pancake

OK, run the log for yourself and fix the items, reboot, and check the log again.


Sorry, but I am not quite sure what you mean. How should I run the log myself and fix the entries? With HJT, each time I scan and fix them, they reappear. The hijacking file must be somewhere, or is maybe generated by another program/file. I have no clue and cannot find it. I remember that it WAS listed in the Windows folder, but then I deleted it. Could it be a problem with HJT? Shall I try other programs, other than Ad-Aware and Spybot?

Thanks a lot for your help.
Geekgirl
Global Moderator
« Reply #9 on: November 29, 2004, 02:57:11 AM »

Hello cbrylla
This is where it is saying you put HJT:

quote:
C:\Burning\Applications\System Essentials\Spy and privacy software\HijackThis.exe


Please wait for further assistance
cbrylla
« Reply #10 on: November 29, 2004, 03:14:08 AM »

Thanks Geekgirl, but of course I know where HJT is, as I am constantly running logs to check my situation. Alas, I cannot find the hijacking file c:\windows\xxqywrs.exe, even though it is detected by HJT.
Pancake
Global Moderator
« Reply #11 on: November 29, 2004, 03:24:39 AM »

Let's see if it is hiding...

Download StartDreck, run it and post the log here please.

Unzip it to its own folder.

Run StartDreck.exe:
Hit: -config
Hit: -Unmark all
Check these boxes only:
*Registry->Run keys
*Registry->Browser helper objects
*System/drivers->Running processes
Hit >OK.

http://www.niksoft.at/download/startdreck.htm
Geekgirl
Global Moderator
« Reply #12 on: November 29, 2004, 03:28:16 AM »

HEHE, so sorry, I misread your reply..... boy, I feel silly.
cbrylla
« Reply #13 on: November 29, 2004, 03:57:50 AM »

Here is the StartDreck log. The file was being found in the same directory as HJT (c:\windows\xxqywrs.exe), but if I search the directory with Explorer I cannot find it.


StartDreck (build 2.1.7 public stable) - 2004-11-29 @ 03:56:00 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Catalin at BRYLLA-CAUBLKRN

Pancake
Global Moderator
« Reply #14 on: November 29, 2004, 04:44:11 AM »

*koeaxif=c:\windows\xxqywrs.exe ... it still says it's there.