ok doing it right now after I log off.
Be back very soon...
SpySweeper is great, much better than SpyBot and Ad-Aware I think. Latest full version is on SuprNova I think.
Quote:
Originally posted by muchspl2@7 July 2004 - 20:50
http://www.spysweeper.com is the correct answer, and worst case get cwshreadder, but spysweeper should take care of it
p.s.
don't surf while logged in as admin ;)
OK, I did what you suggested and it found some more tracking cookies and other spyware in safe mode. Here are the logs you wanted:
=====================================================
-HijackThis Report-
StartupList report, 08/07/2004, 04:22:36
StartupList version: 1.52.2
Started from : G:\Documents and Settings\The One\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Documents and Settings\The One\Desktop\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[G:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = G:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DSLAGENTEXE = dslagent.exe USB
ccApp = "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
warez = "G:\Program Files\Warez P2P Client\warez.exe" -h
Symantec NetDriver Monitor = G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
--------------------------------------------------
Shell & screensaver key from G:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - G:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Ipswitch.WsftpBrowserHelper - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}
(no name) - G:\PROGRA~1\FlashGet\jccatch.dll (file missing) - {A5366673-E8CA-11D3-9CD9-0090271D075B}
NAV Helper - G:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
[Symantec RuFSI Utility Class]
InProcServer32 = G:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
[Update Class]
InProcServer32 = G:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8172.8495138889
[Shockwave Flash Object]
InProcServer32 = G:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/get/shock...ash/swflash.cab
[{E36C5562-C4E0-4220-BCB2-1C671E3A5916}]
CODEBASE = http://www.seagate.com/support/disc/asp/to.../npseatools.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: G:\WINDOWS\system32\SHELL32.dll
CDBurn: G:\WINDOWS\system32\SHELL32.dll
WebCheck: G:\WINDOWS\System32\webcheck.dll
SysTray: G:\WINDOWS\System32\stobject.dll
System: G:\WINDOWS\system32\system32.dll
--------------------------------------------------
End of report, 4,930 bytes
Report generated in 0.031 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
=====================================================
-CWShredder v1.40.2 scan only report-
Windows XP (5.01.2600 SP1)
Windows dir: G:\WINDOWS
Windows system dir: G:\WINDOWS\system32
AppData folder: G:\Documents and Settings\The One\Application Data
Username: The One
Hosts file not present
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] G:\WINDOWS\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com[*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com[*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com[*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com[*] dword:4
Found Win.ini file: G:\WINDOWS\win.ini (597 bytes, A)
Found System.ini file: G:\WINDOWS\system.ini (231 bytes, A)
- END OF REPORT -
Picture of my hijacked start page in IE: http://www.godsholyangels.com/regedit.JPG
Thanks. Like I said, the latest SpySweeper can beat it, but at least I hope he can beat it.
Please run HJT again. The scan button will change to a "save log" button; click that. It will save a log to Notepad. Open the Notepad log, select all, copy, and paste it here.
The CWShredder report was a scan-only report. Run it by clicking the fix button. Do this before the new HJT log.
Logfile of HijackThis v1.98.0
Scan saved at 05:15:54, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\ISS\BlackICE\blackd.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
G:\WINDOWS\wanmpsvc.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\System32\dslagent.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\Program Files\ISS\BlackICE\blackice.exe
G:\Program Files\MYIE2\MyIE.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\ePrompter\ePrompter.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Documents and Settings\The One\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/to.../npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll
Using Internet Explorer to browse a serial website? That is a big no-no.
Quote:
Originally posted by KazaaBoy@7 July 2004 - 18:46
Well, I was looking through some serials for a software and BOOM... My browser gets hijacked like hell.
Make a new folder for HJT and place hijackthis.exe inside it. Backup files will be saved there.
Fix with HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
If this is provided by your ISP, it's OK; otherwise fix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
Here is why it keeps coming back; fix:
O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll
Now delete this file:
G:\WINDOWS\system32\system32.dll
If you don't see it, try this first: show hidden files and folders.
Reboot and reset your web settings: in IE > Tools > Internet Options > Programs, click "Reset Web Settings".
Post a new HJT log.
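The post above walks through the triage by hand: spot the R0/R1 start-page entries that point at a raw IP, decide whether the O17 NameServer override belongs to the ISP, and find the O21 SSODL entry that reloads the hijacker at every shell start. The script below is an added example, not code from the thread or from HijackThis, that applies the same checks to HJT-style log lines and then diffs a pre-fix log against a post-fix log to confirm what was removed. The sample lines are a constructed subset of the logs posted in this thread; the list of stock SSODL DLLs is taken from the StartupList output earlier in the thread and is assumed complete only for this XP SP1 machine; the `trusted_dns` parameter is where the ISP's real resolver would go.

```python
"""Triage HijackThis-style log lines for the red flags discussed in this
thread, and diff two logs to confirm a fix.  Added example, not part of the
original thread or of HijackThis itself."""
import ipaddress
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# Stock XP SP1 ShellServiceObjectDelayLoad providers, as listed by StartupList
# earlier in this thread.  Assumption: complete for this machine only; other
# Windows builds ship different providers.
KNOWN_SSODL_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll"}

# Constructed sample: a subset of the pre-fix log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll
"""

# Constructed sample: the same entries after the R0/R1 and O21 lines were fixed.
AFTER_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
"""


def parse_entries(log):
    """Yield (kind, body, line) for every R*/O* entry in an HJT log."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body"), raw.strip()


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log, trusted_dns=frozenset()):
    """Return [(kind, reason, line)] for entries matching the thread's red flags."""
    findings = []
    for kind, body, line in parse_entries(log):
        if kind in ("R0", "R1"):
            # body: "HKCU\...\Main,Start Page = http://host/path"
            url = body.split(" = ", 1)[-1]
            host = urlparse(url).hostname or ""
            if _is_bare_ip(host):
                findings.append((kind, f"IE page setting points at a raw IP ({host})", line))
        elif kind == "O2" and "(file missing)" in body:
            findings.append((kind, "BHO registered for a DLL that no longer exists", line))
        elif kind == "O17":
            servers = body.split("NameServer = ", 1)[-1]
            bad = [s for s in re.split(r"[ ,]+", servers) if s and s not in trusted_dns]
            if bad:
                findings.append((kind, f"DNS override not on the trusted list: {','.join(bad)}", line))
        elif kind == "O21":
            dll = body.rsplit(" - ", 1)[-1].strip()
            name = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name not in KNOWN_SSODL_DLLS:
                findings.append((kind, f"SSODL loads non-stock DLL {name} at every shell start", line))
    return findings


def removed_entries(before, after):
    """Entries present in the pre-fix log but absent from the post-fix log."""
    after_lines = {line for _, _, line in parse_entries(after)}
    return [line for _, _, line in parse_entries(before) if line not in after_lines]


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
    print("removed by the fix:")
    for line in removed_entries(SAMPLE_LOG, AFTER_LOG):
        print("    " + line)
```

Pass the ISP's resolver in `trusted_dns` to silence the O17 finding, as the post says to do when the NameServer value is legitimate; the remaining O2 finding after the fix is the orphaned FlashGet BHO, which is harmless but safe to remove.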
Logfile of HijackThis v1.98.0
Scan saved at 06:42:31, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\ISS\BlackICE\blackd.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
G:\WINDOWS\wanmpsvc.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\System32\dslagent.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
G:\Program Files\ISS\BlackICE\blackice.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Documents and Settings\The One\Desktop\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/to.../npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
=====================================================
I think that did the trick. This was the only trouble I had, while every other piece of spyware was deleted by Ad-Aware and Spybot. I guess when I was installing software I didn't realise the effect of it. When I had my Norton Personal Firewall, it had advertising blocking, script blocking and many other features. I can't download Personal Firewall 2004 as it won't let me access the internet even though I tell it to. Looking at the log ^, do you think there are any more problems?
Thanks again for your help ;)
Looks good to me, as long as nothing comes back.
If it does, we'll go another round. :P