Tech Support Guy banner
  • Please post in our Community Feedback thread for help with the new forum software! If you are having trouble logging in, please Contact Us for assistance.
Status
Not open for further replies.
1 - 9 of 9 Posts

·
Registered
Joined
·
181 Posts
Discussion Starter · #1 ·
My dad has told me that IE was showing that it had spyware it had a different home page. I don't use IE, but I'd say someone clicked that pop up.
Its a random pop up, and my home page says its about:blank, but it loads another search engine.

Anyway, I ran spybot, and Adaware, then Hijack this. the page is still there, causing some services to start running in the background

Logfile of HijackThis v1.99.0
Scan saved at 3:04:01 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\iplg.exe
C:\WINDOWS\d3wc.exe
D:\Compressed Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\reram.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\reram.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\reram.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\reram.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\reram.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\reram.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\reram.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {90249E41-37D9-295E-6D52-9EF0209033A1} - C:\WINDOWS\system32\mskx32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Alias Wavefront Help Server - Unknown - C:\Software\Graphics\Maya5\docs\Wrapper.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\iplg.exe

startup programs running

MSConfig c:\windows\pchealth\helpctr\binaries\msconfig.exe /auto All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe c:\windows\system32\ctfmon.exe DELL-JVKLDL176F\Dell HKU\S-1-5-21-1547161642-1580436667-1957994488-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
d3wc.exe c:\windows\d3wc.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop desktop.ini NT AUTHORITY\SYSTEM Startup
desktop desktop.ini DELL-JVKLDL176F\Dell Startup
desktop desktop.ini .DEFAULT Startup
desktop desktop.ini All Users Common Startup

I unchecked about 7 programs that were running in the background, but when I open IE, 1 or 2 start running again. I have those two trusted sites on HijackThis that I can't get rid of. And I done a deep scan in Adaware, and it just seem to lock up. :confused:
 

·
Registered
Joined
·
49,014 Posts
You have no AV running

Do a couple online scans from this list

http://forums.techguy.org/t110854.html

Then get the free AVG 7 install it, check for updates and run a full scan

AVG http://free.grisoft.com/freeweb.php/doc/2/

SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
AdAware SE http://www.majorgeeks.com/download506.html
SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

DL them (they are free), install them, check each for their
definition updates
and then run AdAware and Spybot, fixing anything
they say.

In SpywareBlaster - Always enable all protection after updates
SpyBot - After an update run immunize

Do ALL of the above, boot and post a new log
 

·
Registered
Joined
·
181 Posts
Discussion Starter · #3 ·
Ok, I've done several scans with each.

AVG kept reporting a virus everytime I opened IE. I assume it was the webpage? Anyway, it reported several trojans and backdoor stuff. I sent that all to the vault.

I have the latest updates to Ad Aware prior to this topic, but I ran it anyway. Simple scan was fine, after a few attempts. I ran a deep scan early though before heading to school for a few hours, and Adaware had quit when I got home. I don't know what happened there.

Spybot I have, but I updated it anyway. Immunized everything. It doesn't show anything bad now.

SpyBlaster seems pretty neat. I checked everything in it so it will protect IE, and Firefox, which is what I use.

After running everything, I ran HijackThis a few times, deleted what wasn't there before. The only thing that keeps popping up with each scan is two trusted sites from crazywinnings.com I can't get rid of them. Now the log is comparable to my previous scan a few weeks ago, which was before my computer messed up.

I have AVG running in the background now. And with everything I've done, IE now opens up fine, and about:blank is back to being an actual blank screen. And I can switch it back to Google. Anyway, here is my log. How can I get rid of these two trusted sites?

Logfile of HijackThis v1.99.0
Scan saved at 10:38:35 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Software\APPLIC~1\AVG\avgcc.exe
C:\Software\APPLIC~1\AVG\avgamsvr.exe
C:\Software\APPLIC~1\AVG\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
D:\Compressed Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Software\APPLIC~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\Software\APPLIC~1\AVG\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgupsvc.exe
O23 - Service: Alias Wavefront Help Server - Unknown - C:\Software\Graphics\Maya5\docs\Wrapper.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 

·
Registered
Joined
·
49,014 Posts
download http://www.mvps.org/winhelp2002/DelDomains.inf

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute then reboot your PC and post a fresh Hijack This log.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

Also fix this using HJT

O23 - Service: Alias Wavefront Help Server - Unknown - C:\Software\Graphics\Maya5\docs\Wrapper.exe (file missing)
 

·
Registered
Joined
·
181 Posts
Discussion Starter · #5 ·
Logfile of HijackThis v1.99.0
Scan saved at 11:37:48 AM, on 1/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Software\APPLIC~1\AVG\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Software\APPLIC~1\AVG\avgamsvr.exe
C:\Software\APPLIC~1\AVG\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
D:\Compressed Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Software\APPLIC~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\Software\APPLIC~1\AVG\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 
1 - 9 of 9 Posts
Status
Not open for further replies.
Top