Spydawn has hijacked my home page


  • This topic is locked
2 replies to this topic

#1 brandchanning

brandchanning

    New Member

  • 1 posts

Posted 13 February 2007 - 09:25 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:12:31 AM, on 2/13/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Video ActiveX Object\pmsnrr.exe
C:\Program Files\Video ActiveX Object\isamntr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Video ActiveX Object\pmmnt.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Video ActiveX Object\isamini.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\explorer.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Video ActiveX Object\isamini.exe
C:\Documents and Settings\brand.PANWKST01\Local Settings\Temporary Internet Files\Content.IE5\8X2Z4DEB\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.runsearch.com/search.html
R3 - URLSearchHook: (no name) - {92E74DC1-3F2C-1D4D-F569-42606EE1EE59} - srbho.dll (file missing)
R3 - URLSearchHook: (no name) - {B754E095-D152-0AC9-99EB-3C6CEE01DD2B} - porka_.dll (file missing)
R3 - URLSearchHook: (no name) - {489A6D18-670D-A8C7-4737-058C7DC56305} - bhoserv.dll (file missing)
O2 - BHO: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll
O2 - BHO: IE SP2 AddOn - {B9102E6B-F7C9-4526-872F-62C1A6862922} - C:\WINNT\System32\spajz.dll (file missing)
O2 - BHO: (no name) - {CE2E561A-C6AB-B351-8AFF-EFABAB705195} - C:\WINNT\System32\uta.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vp] C:\documents and settings\brett\local settings\temp\vp.exe
O4 - HKLM\..\Run: [ZnUoqe] C:\windows\ZnUoqe.exe
O4 - HKLM\..\Run: [9hG98bV] C:\windows\9hG98bV.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [ZmUFEa2bN] C:\winnt\system32\ZmUFEa2bN.exe
O4 - HKLM\..\Run: [AIak.exe] c:\winnt\system32\AIak.exe
O4 - HKLM\..\Run: [UserSp1] _ctcp.exe
O4 - HKLM\..\Run: [Dest068] AliceSD.exe
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\System32\hclean32.exe
O4 - HKLM\..\Run: [_WinMain] C:\WINNT\winexec.exe
O4 - HKLM\..\Run: [dmpcq.exe] C:\WINNT\System32\dmpcq.exe
O4 - HKLM\..\Run: [teqq32] xwiz.exe
O4 - HKLM\..\Run: [progmen] Brong32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [srbho] Kargo.exe
O4 - HKLM\..\Run: [sound64] wormexe.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [cnftips] Preliminary.exe
O4 - HKCU\..\Run: [iehelper] ERTYDF.exe
O4 - HKCU\..\Run: [EXE32EXE] RtlFindVal.exe
O4 - HKCU\..\Run: [AppMasterCenter] NukeSpan.exe
O4 - HKCU\..\Run: [lpt] MONITER.exe
O4 - HKCU\..\Run: [zantu] syspanel.exe
O4 - HKCU\..\Run: [MNTP] RtlFindVal.exe
O4 - HKCU\..\Run: [avpmondll] ssweeper.exe
O4 - HKCU\..\Run: [br0ken] scanSYS.exe
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfiel...criptX/smsx.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www1.priv.cml...ch/XMLCache.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171308591031
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2369630B-8AC5-4C38-9185-832202354DE6}: NameServer = 205.152.37.23,205.152.132.23
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - C:\WINNT\System32\higehsg.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Softwa



#2 Rosty

Rosty

    SWI helper

  • Visiting Fellow
  • 413 posts

Posted 15 February 2007 - 03:07 AM

Hi brandchanning,
welcome to the TomCoyote forum. My name is Rosty and I'm going to help you with your log.

You have HijackThis running in a temporary folder, please place HJT in a permanent directory called
C:\HJT or C:\HijackThis. This is for saving the backups that HijackThis makes.

Please install a firewall first, because it doesn't make any sense to remove malware from your system if no scanner is preventing them from reinfecting your computer.

Without a firewall your computer is susceptible to being hacked and taken over:
ZoneAlarm is a good FREE firewall.

Read Understanding and using firewalls to learn more about using firewalls

VERY IMPORTANT: Never install more than ONE firewall on your system! Several together can give problems and decrease their reliability and effectiveness!

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet, we will shortly.
  • Download ATF Cleaner. Do not run it yet, we will shortly.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):
    Video ActiveX Object

First we need to stop some malicious processes.

1. Press the CTRL+ALT+DEL keys simultaneously to open Task Manager
2. Click on the Processes tab to show running processes
3. Find pmsnrr.exe and click on it
4. Click End Process
5. Repeat steps 3 & 4 for the following processes:
    * isamntr.exe
    * pmmnt.exe
    * isamini.exe

6. Close Task Manager

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from this site:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

    R3 - URLSearchHook: (no name) - {92E74DC1-3F2C-1D4D-F569-42606EE1EE59} - srbho.dll (file missing)
    R3 - URLSearchHook: (no name) - {B754E095-D152-0AC9-99EB-3C6CEE01DD2B} - porka_.dll (file missing)
    R3 - URLSearchHook: (no name) - {489A6D18-670D-A8C7-4737-058C7DC56305} - bhoserv.dll (file missing)
    O2 - BHO: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll
    O2 - BHO: IE SP2 AddOn - {B9102E6B-F7C9-4526-872F-62C1A6862922} - C:\WINNT\System32\spajz.dll (file missing)
    O2 - BHO: (no name) - {CE2E561A-C6AB-B351-8AFF-EFABAB705195} - C:\WINNT\System32\uta.dll (file missing)
    O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll
    O4 - HKLM\..\Run: [ZnUoqe] C:\windows\ZnUoqe.exe
    O4 - HKLM\..\Run: [9hG98bV] C:\windows\9hG98bV.exe
    O4 - HKLM\..\Run: [ZmUFEa2bN] C:\winnt\system32\ZmUFEa2bN.exe
    O4 - HKLM\..\Run: [AIak.exe] c:\winnt\system32\AIak.exe
    O4 - HKLM\..\Run: [UserSp1] _ctcp.exe
    O4 - HKLM\..\Run: [Dest068] AliceSD.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
    O4 - HKLM\..\Run: [hclean32.exe] C:\WINNT\System32\hclean32.exe
    O4 - HKLM\..\Run: [_WinMain] C:\WINNT\winexec.exe
    O4 - HKLM\..\Run: [dmpcq.exe] C:\WINNT\System32\dmpcq.exe
    O4 - HKLM\..\Run: [teqq32] xwiz.exe
    O4 - HKLM\..\Run: [progmen] Brong32.exe
    O4 - HKLM\..\Run: [srbho] Kargo.exe
    O4 - HKLM\..\Run: [sound64] wormexe.exe
    O4 - HKCU\..\Run: [cnftips] Preliminary.exe
    O4 - HKCU\..\Run: [iehelper] ERTYDF.exe
    O4 - HKCU\..\Run: [EXE32EXE] RtlFindVal.exe
    O4 - HKCU\..\Run: [AppMasterCenter] NukeSpan.exe
    O4 - HKCU\..\Run: [lpt] MONITER.exe
    O4 - HKCU\..\Run: [zantu] syspanel.exe
    O4 - HKCU\..\Run: [MNTP] RtlFindVal.exe
    O4 - HKCU\..\Run: [avpmondll] ssweeper.exe
    O4 - HKCU\..\Run: [br0ken] scanSYS.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www1.priv.cml...ch/XMLCache.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Click Fix Checked. Close HijackThis, and click OK to proceed.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Please delete these files using Windows Explorer (if present):
    C:\Program Files\Video ActiveX Object\isadd.dll
    C:\Program Files\Video ActiveX Object\iesplugin.dll
    C:\windows\ZnUoqe.exe
    C:\windows\9hG98bV.exe
    C:\winnt\system32\ZmUFEa2bN.exe
    c:\winnt\system32\AIak.exe
    _ctcp.exe
    AliceSD.exe

    C:\WINNT\dinst.exe
    C:\WINNT\System32\hclean32.exe
    C:\WINNT\winexec.exe
    C:\WINNT\System32\dmpcq.exe
    xwiz.exe
    Brong32.exe
    Kargo.exe
    wormexe.exe
    preliminary.exe
    ERTYDF.exe
    RtlFindVal.exe
    ukeSpan.exe
    MONITER.exe
    syspanel.exe
    RtlFindVal.exe
    ssweeper.exe
    scanSYS.exe


Now run ATF-Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware scan.
Please reboot your system back to normal mode.

Note:

If you have problems with your internet connection after this fix, try this.
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.



Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log and the AVG Anti-Spyware log.

Grtz,

Rosty.
Want to help others? Join the ClassRoom and learn how.
Thank you for considering a Donation to What the Tech!
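As an added example (not part of the original thread, and not anything Rosty or HijackThis provides), a small Python triage script that applies the same reading to a HijackThis log that the reply above does by hand: it flags Run entries whose value is a bare file name rather than a full path, entries marked "(file missing)", and O17 NameServer keys whose servers differ from the adapter's own Tcpip entry, which is the setting the closing note tells the user to reset to automatic. The sample lines are copied from the log posted above; the heuristics are my own assumptions, and a bare-name hit such as mobsync.exe still needs a human to decide.

```python
import re
# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {92E74DC1-3F2C-1D4D-F569-42606EE1EE59} - srbho.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dest068] AliceSD.exe
O4 - HKCU\..\Run: [br0ken] scanSYS.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2369630B-8AC5-4C38-9185-832202354DE6}: NameServer = 205.152.37.23,205.152.132.23
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.196,195.225.176.110
""".strip()
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<ips>[0-9.,]+)$")

def executable_of(cmd):
    """Return the program part of a Run value, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def triage(log_text):
    """One pass over the log; returns (bare_run, missing, dns).
    The rules are my own heuristics, not anything HijackThis itself reports."""
    bare_run, missing, dns = [], [], {}
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("(file missing)"):
            missing.append(line)  # loader left behind by a removed or half-removed file
            continue
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            # Installed software nearly always registers a full path; a bare name under a random-looking key deserves review.
            if "\\" not in exe and ":" not in exe:
                bare_run.append((m.group("name"), exe))
            continue
        m = DNS_RE.match(line)
        if m:
            dns[m.group("key")] = m.group("ips").split(",")
    return bare_run, missing, dns

def foreign_dns(dns):
    """O17 keys whose NameServer list differs from the adapter's own Tcpip
    entry: the keys a DNS changer rewrites and the fix note tells you to reset."""
    adapter = [v for k, v in dns.items() if "\\Tcpip\\" in k]
    baseline = set(adapter[0]) if adapter else set()
    return sorted(k for k, v in dns.items() if set(v) != baseline)

if __name__ == "__main__":
    bare, missing, dns = triage(SAMPLE_LOG)
    print("bare-name Run entries:", bare)
    print("stale entries:", len(missing))
    print("DNS keys to reset:", foreign_dns(dns))
```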

#3 Rosty

Rosty

    SWI helper

  • Visiting Fellow
  • 413 posts

Posted 26 February 2007 - 10:38 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
