I've been hijacked

Computer Cops Forum Index -> Spyware - HijackThis
spywaresucks (Cadet; joined Mar 04, 2004; 3 posts; location: USA)
Posted: Thu Mar 04, 2004 12:26 am    Subject: I've been hijacked

I need help. I can't get rid of this stupid spyware for anything; I've used just about everything known to man to get rid of it. Every week it seems to be a new manifestation. One day it may be searchv and the next it's res://mshp.dll. I've tried everything to get rid of it, but I'm afraid that it may have stepped into the realm of worm or virus and beyond just a simple takeover. This isn't my computer... because it wouldn't have happened on mine.

Here is the HijackThis log. I can't find anything I haven't already deleted once, besides the stuff that shouldn't be deleted. I've used Ad-Aware, CWShredder... everything, even Norton. I NEED HELP.

Logfile of HijackThis v1.97.7
Scan saved at 11:25:20 PM, on 3/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jonathan Cox\Desktop\HighjackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\Jonathan Cox\Application Data\ievh\ievh32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\Jonathan Cox\Application Data\ievh\mssearch.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Jonathan Cox\Application Data\ievh\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.new,Install
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\BestBuy\HelpExpress\Jonathan Cox\HXIUL.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.new,Install
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x...DASAct.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/...=200331010
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...7594.29125
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Aut...dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
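
A log like the one above is usually read by eye, but the tells a helper looks for are mechanical enough to script. The Python below is an added example, not code from this thread and not part of HijackThis: it parses the entry lines of an HJT log and applies four heuristics drawn from the entries posted here: R0/R1 start and search pages pointing at a res:// URL inside a DLL, an O2 BHO loaded from the user profile, an O4 rundll32 entry whose module is not a .dll, and an O4 entry under RunServices (a Windows 9x autostart key that Windows XP does not process). The embedded sample log is a constructed subset of the entries posted above, with a few benign neighbours kept so the filter has something to ignore; the regex names and the reason strings are this example's own.

```python
"""Heuristic triage of a HijackThis (HJT) log for browser-hijack indicators.

Added example: not HijackThis code and not from the thread. The heuristics,
regex names and reason strings are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the log posted above,
# with a few benign neighbours left in so the filter has something to ignore.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\Jonathan Cox\Application Data\ievh\ievh32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.new,Install
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.new,Install
"""

# An HJT entry line starts with its section code (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r'^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$')
# A module living in the per-user profile instead of Program Files / System32.
PROFILE_RE = re.compile(r'\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\', re.I)
# rundll32 <module>[,<entrypoint>], with optional .exe suffix and optional quoting.
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+("[^"]+"|[^\s,]+)', re.I)
# A drive-letter path; stops at a comma (rundll32 entry point) or a closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+')


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each HJT entry; header and process list are skipped."""
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(log_text):
    """Return {raw_line: [reason, ...]} for entries that match a hijack heuristic."""
    findings = defaultdict(list)
    for section, body, raw in parse_entries(log_text):
        lower = body.lower()
        # R0/R1: IE start/search page redirected into a resource compiled into a DLL
        # (the res://mshp.dll pattern above). ProxyOverride = localhost is left alone.
        if section in ("R0", "R1") and "= res://" in lower:
            findings[raw].append("IE start/search page points at a res:// resource inside a DLL")
        # O2: a Browser Helper Object is loaded from the user profile.
        if section == "O2" and PROFILE_RE.search(body):
            findings[raw].append("BHO DLL is loaded from the user profile, not Program Files or System32")
        if section == "O4":
            m = RUNDLL_RE.search(body)
            if m:
                module = m.group(1).strip('"')
                if not module.lower().endswith(".dll"):
                    findings[raw].append(f"rundll32 loads a module without a .dll extension: {module}")
            # RunServices is a Windows 9x/ME autostart key that Windows XP does not process;
            # an entry there means something wrote the same loader into every key it knew.
            if "\\runservices" in lower:
                findings[raw].append("RunServices entry on Windows XP (a Windows 9x autostart key)")
    return dict(findings)


def paths_to_inspect(findings):
    """Collect the on-disk paths named by flagged entries, for a follow-up in Safe Mode.

    res://mshp.dll names only a module, not a location, so those entries yield no path.
    """
    paths = set()
    for raw in findings:
        for match in PATH_RE.finditer(raw):
            paths.add(match.group(0).rstrip())
    return sorted(paths)


def report(log_text):
    """Human-readable triage summary: each flagged line, its reasons, then paths to check."""
    findings = triage(log_text)
    lines = []
    for raw, reasons in findings.items():
        lines.append(raw)
        lines.extend(f"    -> {r}" for r in reasons)
    lines.append("Paths to inspect: " + "; ".join(paths_to_inspect(findings)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, the two res:// entries, the ievh32.dll BHO and both image.new loaders are flagged while the Acrobat BHO, QuickTime and the ProxyOverride line pass; the path list comes back with just ievh32.dll and image.new, which is why a helper would still need to locate mshp.dll by other means.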
bluedog (Security Expert; joined Dec 22, 2003; 177 posts; location: Australia)
Posted: Sat Mar 06, 2004 5:56 am

Hi

Please download CWShredder from:
http://computercops.biz/downloads-cat-14.html

Unzip, open CWShredder and click on the Fix button to find and fix any problems.

How to stop CWS infection: read the information shown when you click "Next" at the end of running CWShredder.

Reboot the computer.

Close ALL browser windows and Windows Explorer windows; have only HijackThis running.

In HijackThis, check the boxes beside the entries below, then click on "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\BestBuy\HelpExpress\Jonathan Cox\HXIUL.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/...=200331010

Reboot into Safe Mode (tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key).

Make sure you can see hidden files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Then delete the folder below:

C:\Program Files\BestBuy (delete the BestBuy folder)

Reboot the computer, and post back a new HJT log to this thread, please.

Cheers.


So how did I get infected in the first place?
http://www.computercops.biz/postt7736.html
spywaresucks (Cadet; joined Mar 04, 2004; 3 posts; location: USA)
Posted: Sun Mar 07, 2004 1:07 am

Thanks for the heads-up. I'll have to wait till I'm at my dad's next; just thought I'd let you know because it may be a week.
bluedog (Security Expert; joined Dec 22, 2003; 177 posts; location: Australia)
Posted: Sun Mar 07, 2004 3:34 am

Not a prob, have a good week.

Cheers :)
spywaresucks (Cadet; joined Mar 04, 2004; 3 posts; location: USA)
Posted: Wed Mar 17, 2004 9:13 pm    Subject: So far so good

Well, I'm at my dad's and I did everything you said. It worked like a dream; as far as I can tell it is completely fixed! Thanks a lot, you're awesome. I'll pass on what I've learned to others.
All times are GMT - 5 Hours
Powered by phpBB 2.0.8 © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops