Page 2 of 3, results 11 to 20 of 21

Thread: Worst Spyware, Scumware, Adware, Hijack

  1. #11
    KazaaBoy's Avatar Nothing On The Moon.
    Join Date
    Jul 2003
    Posts
    354
    ok doing it right now after I log off.

    Be back very soon...

  2. #12
    iMartin's Avatar ♥Home Grown♥ BT Rep: +9
    Join Date
    Mar 2003
    Location
    BFE
    Posts
    1,827
    Originally posted by muchspl2@7 July 2004 - 20:50
    http://www.spysweeper.com is the correct answer, and worst case get cwshreadder, but spysweeper should take care of it
    p.s.
    don't surf while logged in as admin
    SpySweeper is great, much better than SpyBot and Adware I think. Latest full version is on SuprNova I think.



  3. #13
    KazaaBoy's Avatar Nothing On The Moon.
    Join Date
    Jul 2003
    Posts
    354
    Ok, I did what you suggested and it found some more tracking cookies and other spyware in safe mode. Here are the logs you wanted:

    =====================================================
    -HijackThis Report-

    StartupList report, 08/07/2004, 04:22:36
    StartupList version: 1.52.2
    Started from : G:\Documents and Settings\The One\Desktop\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\Explorer.EXE
    G:\Documents and Settings\The One\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [G:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
    BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = G:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    DSLAGENTEXE = dslagent.exe USB
    ccApp = "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    warez = "G:\Program Files\Warez P2P Client\warez.exe" -h
    Symantec NetDriver Monitor = G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

    --------------------------------------------------

    Shell & screensaver key from G:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - G:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    Ipswitch.WsftpBrowserHelper - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}
    (no name) - G:\PROGRA~1\FlashGet\jccatch.dll (file missing) - {A5366673-E8CA-11D3-9CD9-0090271D075B}
    NAV Helper - G:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

    [Symantec RuFSI Utility Class]
    InProcServer32 = G:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    [Update Class]
    InProcServer32 = G:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8172.8495138889

    [Shockwave Flash Object]
    InProcServer32 = G:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

    [{E36C5562-C4E0-4220-BCB2-1C671E3A5916}]
    CODEBASE = http://www.seagate.com/support/disc/asp/to.../npseatools.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: G:\WINDOWS\system32\SHELL32.dll
    CDBurn: G:\WINDOWS\system32\SHELL32.dll
    WebCheck: G:\WINDOWS\System32\webcheck.dll
    SysTray: G:\WINDOWS\System32\stobject.dll
    System: G:\WINDOWS\system32\system32.dll

    --------------------------------------------------
    End of report, 4,930 bytes
    Report generated in 0.031 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
    =====================================================





    -CWShredder v1.40.2 scan only report-

    Windows XP (5.01.2600 SP1)
    Windows dir: G:\WINDOWS
    Windows system dir: G:\WINDOWS\system32
    AppData folder: G:\Documents and Settings\The One\Application Data
    Username: The One

    Hosts file not present
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] G:\WINDOWS\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com[*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com[*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com[*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com[*] dword:4
    Found Win.ini file: G:\WINDOWS\win.ini (597 bytes, A)
    Found System.ini file: G:\WINDOWS\system.ini (231 bytes, A)

    - END OF REPORT -



    Picture of my Hijacked Start page in IE: http://www.godsholyangels.com/regedit.JPG

  4. #14
    muchspl2
    Guest
    Thanks, like I said, the latest SpySweeper can beat it,
    but at least hope he can beat it.

  5. #15
    Poster
    Join Date
    Mar 2003
    Posts
    365
    Please run hjt again. The scan button will change to a save log button, click that. It will save a log to notepad. Open the notepad log, select all and copy, paste it here.

    The CWShredder report was a scan only report. Run it by clicking the fix button. Do this before the new hjt log.

  6. #16
    KazaaBoy's Avatar Nothing On The Moon.
    Join Date
    Jul 2003
    Posts
    354
    Logfile of HijackThis v1.98.0
    Scan saved at 05:15:54, on 08/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\ISS\BlackICE\blackd.exe
    G:\Program Files\Norton AntiVirus\navapsvc.exe
    G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    G:\WINDOWS\wanmpsvc.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\System32\dslagent.exe
    G:\Program Files\Common Files\Symantec Shared\ccApp.exe
    G:\Program Files\ISS\BlackICE\blackice.exe
    G:\Program Files\MYIE2\MyIE.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\ePrompter\ePrompter.exe
    G:\Program Files\Messenger\msmsgs.exe
    G:\Documents and Settings\The One\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe
    O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/to.../npseatools.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
    O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll

  7. #17
    Rip The Jacker's Avatar Retired
    Join Date
    Nov 2002
    Location
    Los Angeles, CA
    Age
    37
    Posts
    6,236
    Originally posted by KazaaBoy@7 July 2004 - 18:46
    Well, I was looking through some serials for a software and BOOM.... My browser gets hijacked like hell.
    Using Internet Explorer to browse a serial website? That is a big no-no.

  8. #18
    Poster
    Join Date
    Mar 2003
    Posts
    365
    Make a new folder for hjt and place the hijackthis.exe inside it. Backup files will be saved there.

    fix with hjt:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    If this is provided by your ISP, it's OK; otherwise fix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134

    Here is why it keeps coming back, fix:
    O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll

    Now delete this file:
    G:\WINDOWS\system32\system32.dll

    If you don't see it, try this first.
    Show hidden files and folders.

    Reboot and reset your web settings.
    In IE > tools > internet options > programs
    click " reset web settings"

    Post a new hjt log.
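As an added defender-side illustration (not code from this thread or from HijackThis), here is a small Python triage that flags the three line types Poster singles out: R0/R1 page URLs whose host is a bare IP, O17 NameServer entries outside a trusted set, and O21 SSODL entries loading a DLL other than the Windows-shipped ones listed in the StartupList report above. The sample lines are copied from the log posted in this thread; the trusted-DNS set is an assumed parameter.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: six lines copied from the HijackThis v1.98.0 log posted
# in this thread (real paths and addresses from that log, nothing else).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134
O21 - SSODL: System - {A8176633-6957-4BCA-89FC-E2ED8F7496DB} - G:\WINDOWS\system32\system32.dll
"""

# ShellServiceObjectDelayLoad DLLs that the StartupList report in this thread
# shows Windows XP loading itself; anything else under O21 deserves a look.
KNOWN_SSODL_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll"}


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text, trusted_nameservers=frozenset()):
    """Return (entry type, reason, value) for each suspicious HijackThis line."""
    findings = []
    for line in log_text.splitlines():
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and " = " in line:
            url = line.split(" = ", 1)[1].strip()
            if host_is_bare_ip(url):
                findings.append((kind, "IE page URL points at a bare IP", url))
        elif kind == "O17" and "NameServer = " in line:
            # A NameServer value may carry several comma-separated addresses.
            for ns in line.split("NameServer = ", 1)[1].split(","):
                ns = ns.strip()
                if ns and ns not in trusted_nameservers:
                    findings.append((kind, "DNS server not in trusted set", ns))
        elif kind == "O21":
            # The DLL path is the last " - " separated field of an O21 line.
            dll = line.rsplit(" - ", 1)[1].strip()
            name = dll.rsplit("\\", 1)[-1].lower()
            if name not in KNOWN_SSODL_DLLS:
                findings.append((kind, "SSODL loads a non-standard DLL", dll))
    return findings


if __name__ == "__main__":
    for kind, reason, value in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}: {value}")
```

Run against the sample it reports the two page URLs, the DNS server and the system32.dll SSODL entry, which matches the fix list above; passing the ISP's resolver in trusted_nameservers drops the O17 hit.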

  9. #19
    KazaaBoy's Avatar Nothing On The Moon.
    Join Date
    Jul 2003
    Posts
    354
    Logfile of HijackThis v1.98.0
    Scan saved at 06:42:31, on 08/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\ISS\BlackICE\blackd.exe
    G:\Program Files\Norton AntiVirus\navapsvc.exe
    G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    G:\WINDOWS\wanmpsvc.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\System32\dslagent.exe
    G:\Program Files\Common Files\Symantec Shared\ccApp.exe
    G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    G:\Program Files\ISS\BlackICE\blackice.exe
    G:\Program Files\Messenger\msmsgs.exe
    G:\Documents and Settings\The One\Desktop\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - G:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKCU\..\Run: [warez] "G:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = G:\Program Files\AOL 8.0\aoltray.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = G:\Program Files\ISS\BlackICE\blackice.exe
    O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/to.../npseatools.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A5B4296-F73C-42D3-8C58-DE04DED60D7C}: NameServer = 195.93.51.134



    =====================================================
    I think that did the trick. This was the only trouble that I had, while every other spyware was deleted by Adware and Spybot. I guess when I was installing software I didn't realise the effect of it. When I had my Norton Personal Firewall, it had advertising blocking, script blocking and many other features. I can't download Personal Firewall 2004 as it won't let me access the internet even though I tell it to. Looking at the log ^ do you think there are any more problems?

    Thanks again for your help

  10. #20
    Poster
    Join Date
    Mar 2003
    Posts
    365
    Looks good to me, as long as nothing comes back.
    If it does, we'll go another round.
