Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Browser has been hijacked [CLOSED]

Started by slade_32 , Nov 23 2005 02:14 PM

  • This topic is locked This topic is locked

#1
slade_32
Posted 23 November 2005 - 02:14 PM

slade_32

    Member

  • Member
  • PipPip
  • 21 posts
Hello. My laptop appears to have been infected with some spyware. I've had a lot of pop-ups recently that I never had before, several adult links added to my favorites list, a new home page has taken over my browser and my system is running extremely slow. I've gone through the steps outlined in the "Start Here" section and it appears that much of the damage has been resolved. However, I still have some issues with my browser.

I am using an IBM ThinkPad and my OS is Windows 2000 Pro. My HiJack This log follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:11:16 PM, on 11/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {46639D99-7D26-7374-728A-4F6DBA585E76} - panel_its.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [wormexe] powerdll.exe
O4 - HKLM\..\Run: [qwe] RtlFindVal.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ntdll.dll] forces_elite.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [systemdll] borlandg.exe
O4 - HKCU\..\Run: [control64] Trayz.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A849A83-D3B4-43DF-8C9C-ECDB8417D140}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TGFwdG9w\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

Advertisements

#2
Trevuren
Posted 25 November 2005 - 07:03 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi slade_32 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Please DELETE your current HJT program from its present location.

2. Download and run the following HijackThis autoinstall program from Here . Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Run HijackThis
  • Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')
  • POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren
  • 0

#3
slade_32
Posted 25 November 2005 - 10:21 PM

slade_32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi Trevuren. Thanks for your reply. I've done as instructed and re-ran the log. Here you go...

Logfile of HijackThis v1.99.1
Scan saved at 10:23:27 PM, on 11/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {46639D99-7D26-7374-728A-4F6DBA585E76} - panel_its.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [wormexe] powerdll.exe
O4 - HKLM\..\Run: [qwe] RtlFindVal.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ntdll.dll] forces_elite.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [systemdll] borlandg.exe
O4 - HKCU\..\Run: [control64] Trayz.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A849A83-D3B4-43DF-8C9C-ECDB8417D140}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TGFwdG9w\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#4
Trevuren
Posted 25 November 2005 - 10:33 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===> Command Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:
  • Open HJT
  • Click on Config>>Misc Tools>>Delete an NT Service
  • Copy/Paste cmdService in the space provided and click OK
  • The program will ask you to REBOOT --- Accept
  • REBOOT into SAFE MODE
  • Using Windows Explorer, locate and DELETE the following file (if it still is present):

    C:\WINDOWS\TGFwdG9w<===Folder

  • REBOOT back into Normal Mode


B. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R3 - URLSearchHook: (no name) - {46639D99-7D26-7374-728A-4F6DBA585E76} - panel_its.dll (file missing)
    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile
    O4 - HKLM\..\Run: [wormexe] powerdll.exe
    O4 - HKLM\..\Run: [qwe] RtlFindVal.exe
    O4 - HKCU\..\Run: [ntdll.dll] forces_elite.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [systemdll] borlandg.exe
    O4 - HKCU\..\Run: [control64] Trayz.exe


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\WINNT\system32\popcorn72.exe
    powerdll.exe<==You will have to search for this one
    RtlFindVal.exe<==This one too
    forces_elite.exe<===And this one
    C:\Program Files\UnSpyPC<==Folder
    borlandg.exe<==Search for this one
    Trayz.exe<==And this one

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE
  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren
  • 0

#5
slade_32
Posted 27 November 2005 - 02:48 PM

slade_32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hello Trevuren. I've done as instructed and followed your instructions exactly. During the last step of your instructions, I was unable to find any of the files through Windows Explorer (popcorn72, powerdll.exe, etc.). Incidentally, I still have some interesting links in my favorite list. Otherwise things seem to be running better. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:40 PM, on 11/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\HJT\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A849A83-D3B4-43DF-8C9C-ECDB8417D140}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#6
Trevuren
Posted 27 November 2005 - 02:56 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Make sure you are disconnected from the Internet and that all programs and windows are closed.

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

O17 - HKLM\System\CCS\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A849A83-D3B4-43DF-8C9C-ECDB8417D140}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73

Close HiJackThis.

Now lets check some settings on your system.
  • Go to Start > Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties.
  • Click the Networking tab.
  • Double-Click on the Internet Protocol (TCP/IP) item.
  • Select the radio dial that says Obtain DNS Servers Automatically.
  • Press OK twice to get out of the properties screen and reboot if it asks.
Make sure to reboot and post back a new HiJackThis log into this topic.

2. You can now manually delete the favorites that you don't want

Regards,

Trevuren
  • 0

#7
Trevuren
Posted 08 December 2005 - 07:00 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP