
Spyware & Browser Hijack removal & links

sUBs
post Jul 24 2005, 09:16 AM

RIP
Group Icon
Retired Tech Support mod
Group: VIP
Posts: 3,941

Joined: Jan 2005
QUOTE(Jayken @ Jul 24 2005, 08:57 AM)
Hmm. Can I ask more? What possible reason may cause that Messenger popup? Windows problem? Or?
Read up on it here > http://www.grc.com/stm/shootthemessenger.htm
Feel free to ask if still in doubt

sUBs
wakl
post Jul 27 2005, 06:19 AM
New Member
Group: Junior Member
Posts: 17
Joined: May 2005
Wondering why my sent and receive, the sent will be more than the receive?? And I tried to use HijackThis, Spyware Doctor etc. to scan but nothing happened...
sUBs
post Jul 27 2005, 08:09 AM
QUOTE(wakl @ Jul 27 2005, 06:19 AM)
Wondering why my sent and receive, the sent will be more than the receive?? And I tried to use HijackThis, Spyware Doctor etc. to scan but nothing happened...
@wakl
I have already moved your post to a new thread. You know where it is. http://forum.lowyat.net/index.php?showtopic=180575

You already have a thread dedicated to your problem. Please do not post in this sticky.
lanroba
post Jul 29 2005, 01:21 AM
New Member
Group: Junior Member
Posts: 34
Joined: Jul 2005

Hi..

A friend of mine also has a PC which is affected with spyware.. pls help her.
Her PC is also running very slow (P4 2.8 GHz).

Attached herewith the HijackThis log and antispyware log for the PC:

1) HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 1:29:09 PM, on 28/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\Izzuddin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.184.94.19:3128
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpywareStopper] C:\Program Files\SpyBlocker Software\SpywareStopper\spywarestopper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [1A2DFECE] C:\WINNT\system32\csl70nfg.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [8BCD3353] C:\WINNT\system32\aaamtmli.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: n8401.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122367453718
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...544/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



2) Antispyware log

Started Scanning
Internet Cookies
Found '2o7.net' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Free Hardcore Porn'
Found 'http' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
Found 'Order' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Free Hardcore Porn'
Internet URL Shortcuts
Files and Directories
Found 'GPInstall.exe' in 'C:\WINNT'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Found 'GPInstall.exe' in 'C:\WINNT'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\WINNT\GPInstall.exe' in shortcut areas.
Checking for 'C:\WINNT\GPInstall.exe' in startup areas.
Cleaning 'C:\WINNT\GPInstall.exe'
Finished Cleaning

ty
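As an added example (not posted by anyone in this thread), a small Python triage script for logs in the HijackThis format above: it parses the Rn/On entries and flags the cues an analyst would look at first (a configured proxy, the missing URLSearchHook, entries pointing at missing files, HKCU Run items with hex-only labels, padded labels or random-looking executable names, and batch files in Global Startup). The sample is a constructed excerpt of the posted log, and the flags are review prompts, not verdicts.

```python
import re
# Constructed excerpt modelled on the HijackThis v1.99.1 log posted above (same line format).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.184.94.19:3128
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [1A2DFECE] C:\WINNT\system32\csl70nfg.exe
O4 - HKCU\..\Run: [8BCD3353] C:\WINNT\system32\aaamtmli.exe
O4 - Global Startup: n8401.bat
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")          # "O4 - ..."
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
HEX_LABEL = re.compile(r"^[0-9A-F]{6,}$")         # labels such as [1A2DFECE]
RANDOM_EXE = re.compile(r"^[a-z0-9]{7,9}\.exe$")  # names such as csl70nfg.exe

def parse_entries(text):
    """Split a HijackThis log into (section code, entry body) pairs."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out

def triage(text):
    """Return (code, reason, body) review prompts for an analyst; not malware verdicts."""
    findings = []
    for code, body in parse_entries(text):
        if code == "R1" and "ProxyServer =" in body:
            findings.append((code, "proxy server configured; confirm it is intended", body))
        elif code == "R3" and "URLSearchHook is missing" in body:
            findings.append((code, "default URLSearchHook removed", body))
        elif "(file missing)" in body:
            findings.append((code, "entry points at a file that no longer exists", body))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m:
                label = m.group("label")
                exe = (m.group("cmd").replace('"', "").split("\\")[-1].split() or [""])[0].lower()
                if HEX_LABEL.match(label.strip()):
                    findings.append((code, "hex-only Run label", body))
                elif label != label.strip():
                    findings.append((code, "Run label padded with whitespace (impersonation cue)", body))
                elif m.group("hive") == "HKCU" and RANDOM_EXE.match(exe):
                    findings.append((code, "HKCU Run entry with random-looking executable name", body))
            elif body.startswith("Global Startup:") and body.lower().endswith(".bat"):
                findings.append((code, "batch file in Global Startup", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}\n    {body}")
```

Run it against a full saved log by passing the file's text to triage(); legitimate entries (the HKLM vptray line, for instance) produce no finding.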
sUBs
post Jul 29 2005, 12:16 PM
sUBs ...coughing blood..

lanroba - click here < Post new topic > to start a new thread & post that log there.
sUBs
post Jul 31 2005, 02:09 PM
QUOTE(lanroba @ Jul 31 2005, 01:42 PM)
how? click PM?
Hee..hee

Quite simple. Just go to this page > http://forum.lowyat.net/index.php?showforum=25
Locate & click the button. It's situated near the top & to the right hand side.

I'm not trying to make life difficult for you. This is to help you become more familiar with the forum's features so that you can be more of a regular member at LYF.


sUBs
sUBs
post Aug 5 2005, 03:25 AM
Uninstall List - Add/Remove Programs

180 Solutions
180SAInstaller Class
180 Search Assistant
2020Search
404Search
411Ferret Toolbar
7FaSSt Search
The ABI Network- A Division of Direct Revenue (online uninstallation)
Active Alert
Ad Service
Advanced Search
AdvSearch
AdwareAlert
Alexa Toolbar
AM Server
ATP
autoSearch
B3d Projector
Bargain Buddy / Bulls Eye Network / CashBack / NaviSearch
BookedSpace
Browser Enhancer
BrowserAid
BrowserPal
Bulls Eye Network / CashBack / NaviSearch / Bargain Buddy
Cash Toolbar
CashBack / NaviSearch / Bargain Buddy / Bulls Eye Network
Chinese keywords
ClickTheButton
ClockSync
CommonName
Context Display
Cosmi
Cpr
CxtPls
DailyToolbar
Date Manager
DealHelper
DelFin Media Viewer / PgTools / PGate / DisplayUtility / DMVLite
Desktop Toolbar [WhenUSearch]
Download Receiver
DownloadWare
E2Give Browser Add On
Easy Search Bar
Ebates_MoeMoneyMaker
Elite SideBar
Elite ToolBar
eXact Search Bar
ezSearchBar
F1
FlashTrack Uninstall
flt
FreeScratchAndWin
FT Remove
FTApp
Fun Web Products Easy Installer
eXact Search Bar
eZula TopText
Gator eWallet
Go
GogoTools
Hotbar
Huntbar
Httper
Hyperlinker
IconForge
IE Helper
IE Menu Extension toolbar
IE Toolbar
IEDriver
IMZ
InetDoor
Internet 404 (internet connection is needed for removal)
Internet Optimizer
Internet Washer Pro
IPInsight
ISTBar
ISTSvc
iWon Plus
KeenValue
KeywordPlugin
Live 0n line Portal
LookSmart Search
L.O P. Uninsta11
Lycos Search
Lycos Sidesearch
masterbarHallmedia.net
MaxSpeed
mc
Media Access
Media Motor
MidADdle
MoreResults
Movie Viewer 2.1
MS AUpdate
MS Updates
mscman
MSIETS
MWSearch
My Way Speedbar
My Web Search
NavExcel Search Toolbar
Nav Helper
NaviSearch / Bargain Buddy / Bulls Eye Network / CashBack
Neo Technology Search Engine
Netpal Games
NewtonKnows
Oemji Toolbar
Onflow
Orbit
PeopleOnPage
PowerSearch Toolbar
PowerStrip
Precision Time
Preview AdService
POP
PuritySCAN
qidion - toolbar
Quick Browse ??
QuickSearch Toolbar
RapidBlaster
RelatedLinks
Rich Editor
RON Display
RSyncMon
RVP
SafeGuard
Save / WhenU Search / WeatherCast / ClockSync
Security IGuard
Search 2020
Search Assistant
Search Assistant Utility
Search Fast
Search Maid
Search Relevancy
Search Toolbar (internet connection is needed for removal)
Searchit - toolbar
SearchSquire
Select Cashback
ShopAtHomeSelect Agent
Shopping Community
Side Find
Side Search
SideStep
Slotchbar
Software Update Manager
supaseek - Toolbar
SuperBar IE Plugin
Surf SideKick 3
Surfairy
SysAI
TBPS
Tools for Internet Explorer (internet connection is needed for removal)
Toolbar - My toolbar
TopText
TSA
TV Media
Twaintech
UCmore
Ultimate Browser Enhancer
URL Display
VBRunDLL
Veevo
Virtual Maid
VVSN
WareOut
WAST
Web Offer
Web_Rebates
WebHancer
Web Toolbar
Web Tools by Hotbar
whazit tools
WhenU Search / Save / WeatherCast / ClockSync
WhileYouSurf
WinSrv Reg
wincomp
Windows SyncroAd
wintrim
WebSearch Toolbar (internet connection is needed for removal)
WebSearch Tools
Windows AdTools
Windows AFA Internet Enhancement
WinTools
Win-Tools Easy Installer (internet connection is needed for removal)
WSEM Update
XDiver
Your Site Bar
YuupSearch Toolbar
Zango
Zipclix
ZZ

lucifah
post Aug 24 2005, 12:02 AM
St. Fu
Group: Staff
Posts: 7,226
Joined: Jan 2005
From: Soviet Sarawak

sUBs:

I had one silly n00bie question here, about the eZula TopText. Removed it using Search & Destroy, even restarted the PC (as directed by S&D). The adware/spyware seems to be gone, but the directory in C:\Program Files still exists and cannot be deleted.

1. Does this mean I am still infected? (thorough search + scan and no eZula running tasks in the services)

2. Any way to remove the annoying files that end w/ *.tmp? I tried many software but still cannot remove the annoying directory.

thanx

edit: problem 1 and 2 solved. My trusty BitDefender deleted the *.tmp files, thus letting me delete the annoying directory. However, a new prob arises:

In the Add/Remove dialogue, the TOPTEXT, MYSEARCH and SEARCH ASSISTANT still exist.

1. Does this mean I am still INFECTED?

2. Can I just delete it from the registry entries manually?

3. Any way to remove it w/o using registry edit?

edit: PROBLEM SOLVED. Multiple software used to deal with all this.

sheesh... just ONE wrong click, and I spent 2 hours cleaning each and every parasite... how did this happen? My 8 months w/o spyware record has been busted

This post has been edited by lucifah: Aug 24 2005, 12:57 AM
sUBs
post Aug 24 2005, 12:29 AM
You should have uninstalled the programs with Add/Remove Programs before allowing the antivirus to forcibly remove them. It may leave several orphaned entries in your Registry.

Try this first..

Download Trend Micro(tm) Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

It's quite good at removing such entries.

If that doesn't work, run HijackThis
  • Go to Config > Misc Tools > Open Uninstall Manager
  • Select the program & click "Delete this entry"

lucifah
post Aug 24 2005, 01:02 AM
St. Fu
Group: Staff
Posts: 7,226
Joined: Jan 2005
From: Soviet Sarawak

sUBs: problems all solved. thanx to your guides and tips.

time taken to be infected: less than 1 minute
time to clean: 2+ hours

here is the list of software that I've used:

1. BitDefender (the main s/w that alerted me 2 hours ago and stopped system-wide infection)
2. Spybot Search & Destroy (sUBs recommendation)
3. Spyware Blaster (again, thanx to sUBs)
4. AdAware (long time forgotten s/ware tucked inside my hard drive)
5. RegCleaner (the registered version by the great Juno) - this is used to delete all the annoying Add/Remove lists

identified spyware:

1. 180solutions
2. search assistant
3. my search
4. ezula toptext


This post has been edited by lucifah: Aug 24 2005, 01:03 AM
lex
post Aug 30 2005, 04:28 PM
Old Am I?
Group: Staff
Posts: 18,182
Joined: Jan 2005
From: Dagobah

LOP is a sneaky adware/spyware which I came across often before. It can infect both IE and Netscape/Mozilla as well; however, the only way it can enter your system is still thru IE (aka Idiot Exploiter). Once it infects the system, your browser, desktop, Explorer and search functions are hijacked. It also creates/modifies registry entries so that it can be used with Mozilla or Netscape. On some machines, especially those running the older Windows ME operating system, it randomly crashes the system.. usually causing Explorer crashes and illegal operations.

Anyway, DO NOT trust the uninstaller tool from the creators of LOP themselves. It's better to get a 3rd party utility to clean out that pesky LOP.
fariz
post Jan 16 2006, 10:12 AM
Tan Sri F
Group: Staff
Posts: 16,825
Joined: Jan 2003
From: Siberia

CWShredder or HijackThis closes immediately after opening?

There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.

If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well as Spybot S&D, Ad-aware and several anti-spyware forums).
AsenDURE
post Jun 20 2007, 01:48 PM
I'm sorry. I don't believe in that nonsense!!
Group: VIP
Posts: 2,496
Joined: Jan 2003
From: LowYatDotNet Status:Agast
QUOTE
TechNet On-Demand Webcast: Advanced Malware Cleaning
Learn from Mark how to use the Sysinternals tools to identify malware infestations, from standard spyware to kernel-mode rootkits, and clean them off your systems.


http://www.microsoft.com/emea/itsshowtime/...spx?videoid=359

He teaches you the functions of Process Explorer & Autoruns, specifically to find and remove malware.

Here are the slides:

Attached File: Sysinternal__s_Mark_Russinovich___Advanced_Malware_Cleaning.zip (889.87k)


This post has been edited by AsenDURE: Jun 20 2007, 01:48 PM
