Computers| Computers |
|
09-17-2004, 11:44 PM
| #1 (permalink) |
| Newb Techie Join Date: Sep 2004
Posts: 7
|  Help!Spyware hijacked my IE address bar Spyware attacked my PC and hijacked my IE address bar.Let me make it more clear. For some websites and especially yahoo mail, I constantly lie on the same default page http://www.windowws.cc/hp.htm?id=617. I was able to retrieve my homepage settings but this address bar problem is not resolved.I ran spybot,spysweeper,adaware and nothing seems to work. I am in dire need of your advise. ogfile of HijackThis v1.98.2 Scan saved at 10:42:37 PM, on 9/17/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\WinTools\WToolsS.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\ScanPanel\ScnPanel.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Program Files\Yahoo!\Messenger\YPager.exe C:\Downloads\HijackThis.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\DVD Shrink\DVD Shrink 3.1.exe C:\WINDOWS\System32\imapi.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\kh6j1tgere5b.dll O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - Global Startup: winlogin.exe O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab O20 - AppInit_DLLs: vnim1nee2m16w.dll I fee that the BHO in the list is the killer.I remove it but it shows up again in the list. Sometimes deleting it seems to help me opening the sites but again comes back.The default webpage doesn't even let me go back. Please help. Thanks |
|  |
|
09-18-2004, 07:03 AM
| #2 (permalink) |
| Newb Techie Join Date: Sep 2004
Posts: 7
| Thanks a lot for your reply. Surprsingly I somehow donot find the file by that name in the system32 directory.I have even tried to see if it is hidden.But no use. When I run hijackthis I see it again. Looking forward for your response Thanks |
|
| |
|
09-18-2004, 08:56 PM
| #3 (permalink) |
| Newb Techie Join Date: Sep 2004
Posts: 7
| I am posting this log file after I uninstalled all the anti spywares I was using earlier. The BHo that I was pointing earlier is no longer seen.I see BHO with a different name in the logfile.I searched for it in WINDOWS/SYSTEM32 but couldn't find it. I even checked the show the hidden files. Please look at the log file and post your comments. Thanks in advance for all the help you are offering. Logfile of HijackThis v1.98.2 Scan saved at 7:20:10 PM, on 9/18/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\WinTools\WToolsS.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=617 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=617 O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\uor8nj2z0hu4.dll O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe O4 - Global Startup: winlogin.exe O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab O20 - AppInit_DLLs: vnim1nee2m16w.dll |
|
| |
|
09-18-2004, 09:52 PM
| #4 (permalink) |
| Newb Techie Join Date: Sep 2004
Posts: 7
| I found that filename below 'data' by searching registry. I deleted it and then came back in normal mode to see that .dll missing. The log file below is posted. But the problem seems to be still there. I try to open a website and it still it goes to http://www.windowws.cc/hp.htm?id=617 which is the default webpage.Please advise Thanks Logfile of HijackThis v1.98.2 Scan saved at 8:47:39 PM, on 9/18/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\WinTools\WToolsS.exe C:\WINDOWS\system32\svchost.exe C:\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=617 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=617 O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - (no file) O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe O4 - Global Startup: winlogin.exe O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab O20 - AppInit_DLLs: vnim1nee2m16w.dll |
|
| |
|
09-18-2004, 10:00 PM
| #5 (permalink) |
| Newb Techie Join Date: Sep 2004
Posts: 7
| I m able to delete the file even in normal mode from registry but it still comes back. The name in registry is 'default'. Please let me have ur comments Logfile of HijackThis v1.98.2 Scan saved at 8:58:21 PM, on 9/18/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\WinTools\WToolsS.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\regedit.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=617 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=617 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=617 O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\uor8nj2z0hu4.dll O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe O4 - Global Startup: winlogin.exe O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab O20 - AppInit_DLLs: vnim1nee2m16w.dll |
|
| |
|
09-19-2004, 01:25 AM
| #7 (permalink) |
| Newb Techie Join Date: Sep 2004
Posts: 7
| Thanks a lot for your help,Sir. But the problem still persists. I ran hijackthis and cwshedder in safe mode. Removed all the files that u suggested. Also removed the temp folder. When I come back in normal mode,I see the first window opens up my default page www.google.com but the second window changes to the same odd website. I m posting the reports before and after I opened IE.This time the BHO comes with a different name. Please advise. I appreciate for your time. Logfile of HijackThis v1.98.2 Scan saved at 12:18:13 AM, on 9/19/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\svchost.exe C:\HijackThis.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O20 - AppInit_DLLs: 5le915tib7.dll After.... Logfile of HijackThis v1.98.2 Scan saved at 12:19:09 AM, on 9/19/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\notepad.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=617 O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\8K80GC~1.DLL O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O20 - AppInit_DLLs: 5le915tib7.dll |
|
| |
 |
| Thread Tools | |
| Display Modes | |
| |
Linear Mode
