[phirelite]

Hi my names archie and i have this left over spyware that i cant get rid of. the ovious signs of the spyware is that my part of my desk top has a blank screen and everytime i right click it it shows a url link, another obvios sign was that my internet explorer has theese tool bars that i never even installed and my home page is always saved to this one page that i never even set



heres the Hijack log


Logfile of HijackThis v1.99.1
Scan saved at 11:52:12 PM, on 3/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ssl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\winPE.exe
C:\WINDOWS\system32\svchop.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Common Files\AOL\1124312586\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124312586\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1124312586\ee\AOLServiceHost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochop.dll/defaultASX.htm#privacy_API;
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {054E30C5-AE0B-8C85-0A44-8BCAB9D1CAC1} - C:\WINDOWS\System32\ssol.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent217.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker011.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124312586\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [FSH] C:\WINDOWS\system32\svcnva.exe home
O4 - HKLM\..\Run: [FH] C:\WINDOWS\system32\svchop.exe home
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:@mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.2....chm::/html.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O21 - SSODL: mtklef - {AEA849FB-8F76-48E9-489B-B5D6E1715A01} - C:\WINDOWS\System32\jmdo32.dll
O21 - SSODL: mtklef - {AEA849FB-8F76-48E9-489B-B5D6E1715A01} - C:\WINDOWS\System32\jmdo32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Advertisements]

Hello and welcome..

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en

Do NOT install Service Pack 2 yet!!

Apply the update, reboot, and post back with a fresh HijackThis log.

Edited by Rawe, 03 March 2006 - 06:20 AM.

[Rawe]

Hello and welcome..

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en

Do NOT install Service Pack 2 yet!!

Apply the update, reboot, and post back with a fresh HijackThis log.

Edited by Rawe, 03 March 2006 - 06:20 AM.

[phirelite]

that computer does not have internet anymore, but is there any way that i can remove the malware??? and plus i cant install the service pack cuz it neeeds to be connected to the internet

Edited by phirelite, 03 March 2006 - 12:32 PM.

[Rawe]

Do you have another computer which has internet access? Because, well, we can't fix your system unless we have the needed tools.

[phirelite]

yeah this computer has

[Rawe]

I guess you could download XP SP1a with this computer, then burn the installer to a CD and then run it on the other machine.

[phirelite]

i cant do that cuz i have sp2 on this comp is there anyother way to remove the spyware on the other comp, cuz i know sp1 is mostly all about the i.e update and security update, maybe like a registry clean up or like deleting the main file that keeps installing the [bleep] icons on the desktop

[Rawe]

Well, that comp is definately BADLY infected. But, all I need to know if that PC has legal Windows copy?

Because, well, your service packs doesn't show on the log.. Which is odd, if you have SP2.

[phirelite]

it is a legal copy, it's a HP computer maybe thatss why

[Rawe]

Ok, then, let's get started. We need to download few tools in these first steps -- probably more in the next steps, so you will need empty CD's for burning.

==

I need you to install an Anti-virus program to the infected PC. Please do the following:

Please get free version of AVG here.

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

==

After reboot..

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

Please download the latest version of Ad-Aware SE Personal from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6.)

If it's NOT the version 1.0.6, can you then uninstall your current version/delete folder: C:\Program Files\Lavasoft & empty recycle bin. Finally install the latest version.

1) Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the updating, get the manual updates here; http://download.lava...public/defs.zip

2) Set up the Configurations as follows:

• Click the Gear wheel at the top of the Ad-Aware window
  
• Click General > Safety & Settings: Check (Green) all three.
  
• Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

3) Click on "Proceed"
4) Click on "Scan Now"
5) Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6) Select "Search for low-risk threats"
7) Run the scanner using the Full Scan (Perform full system scan) mode.
8) When the scan has completed, select Next.
9) In the Scanning Results window, select the "Scan Summary" tab.
10) Check the box next to every "target family" for removal.
11) Click "Next", Click "OK".
12) Reboot.

==

Post back with a fresh HijackThis log.

[Rawe]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.