The evil windowws.com

  1. #1
    Registered User (Join Date: Sep 2004, Posts: 1)

    The evil windowws.com

    Help!
    My computer has been taken over by windowws.com and he brought along some friends that like to lodge themselves in my Favorites folder,
    again and again and again! I have tried Adaware, Noadware, Stinger, CWShredder, Spysweeper, Spybot and who knows what else?
    Any suggestions how I can restore my computer and my sanity?


    Logfile of HijackThis v1.97.7
    Scan saved at 8:18:15 PM, on 9/7/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\APPLICATION DATA\DMSC.EXE
    C:\WINDOWS\SYSTEM\OHYRZV.EXE
    D:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    C:\WINDOWS\WEBSHOTS.SCR
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SM56HLPR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    D:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F1 - win.ini: load=ptsnoop.exe
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\4LRLVJPVAI.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [Tehb] C:\WINDOWS\Application Data\dmsc.exe
    O4 - HKCU\..\Run: [Kti] C:\WINDOWS\SYSTEM\ohyrzv.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    O4 - HKCU\..\RunServices: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - HKCU\..\RunServices: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\RunServices: [Tehb] C:\WINDOWS\Application Data\dmsc.exe
    O4 - HKCU\..\RunServices: [Kti] C:\WINDOWS\SYSTEM\ohyrzv.exe
    O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    O4 - HKCU\..\RunServices: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunServices: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - HKCU\..\RunServices: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...899.9387847222
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

  2. #2
    NooNoo, Driver Terrier (Join Date: Dec 2000, Location: UK, Posts: 31,824)
    Welcome to Windrivers Adino

    Print out this list, then boot to safe mode - you are going digging in the bowels of Windows. Do NOT reboot the machine until you have completed all the instructions here, otherwise you will find yourself doing it all over again. Find the following files:

    C:\WINDOWS\APPLICATION DATA\DMSC.EXE This seems to be part of a backup application - do you know if you have installed this? If you don't think you have then rename this one to dmsc.old

    C:\WINDOWS\SYSTEM\OHYRZV.EXE Delete this file.

    C:\WINDOWS\SYSTEM\MATRIXHERE.EXE Follow these instructions; this is part of a trojan.


    Start hijack while in safe mode and fix/delete the following entries.
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\4LRLVJPVAI.DLL

    O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe" Delete this file and fix the entry with HijackThis.

    O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE << if you use msn internet access, ignore this one, otherwise delete and fix.

    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE

    Start hijack while in safe mode and fix the following entries.


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\4LRLVJPVAI.DLL
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll how to remove this sucker

    O4 - HKCU\..\Run: [Tehb] C:\WINDOWS\Application Data\dmsc.exe
    O4 - HKCU\..\Run: [Kti] C:\WINDOWS\SYSTEM\ohyrzv.exe


    O4 - HKCU\..\RunServices: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\RunServices: [Tehb] C:\WINDOWS\Application Data\dmsc.exe
    O4 - HKCU\..\RunServices: [Kti] C:\WINDOWS\SYSTEM\ohyrzv.exe

    O4 - HKCU\..\RunServices: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE


    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab


    OK last things

    find the following folders and delete any and all files in them

    c:\temp
    c:\tmp
    c:\windows\temp
    c:\windows\tmp
    c:\windows\temporary internet files

    In the case of temporary internet files, you are going to lose both the good and the bad. You should reinstall the Google toolbar, and you will have to log in to websites that previously remembered you.

    Finally, empty the Recycle Bin and reboot to normal mode.

    Go to Norton update and see if it will.... If it won't, uninstall it and reinstall it. Often Norton gets disabled in some way during a malware/trojan attack.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."
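As an added example that is not part of this thread and not code from HijackThis itself, the Python script below parses the R0/R1/R3, O2, O4 and O16 lines of a log like the one posted above and lists the entries a helper would look at first: start/search pages and ActiveX downloads pointing at hosts outside an allow-list, a missing URLSearchHook, an unnamed BHO, and autostart entries that run regsvr32 at logon, launch from Application Data, or launch from a directory not on the allow-list. The allow-lists are assumptions made for this example and would be tuned per machine; the sample lines are copied from the posted log.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted in the thread above
# (the macromedia URL is truncated in the post itself).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\4LRLVJPVAI.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Tehb] C:\WINDOWS\Application Data\dmsc.exe
O4 - HKCU\..\Run: [Kti] C:\WINDOWS\SYSTEM\ohyrzv.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# Assumed allow-lists for this example: hosts a start/search page or an ActiveX
# download may point at, and directories whose launchers the owner recognises.
TRUSTED_PAGE_HOSTS = {"www.google.com", "www.msn.com", "home.microsoft.com"}
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "v4.windowsupdate.microsoft.com", "zone.msn.com"}
TRUSTED_LAUNCH_DIRS = (r"C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED", r"C:\PROGRAM FILES\NORTON ANTIVIRUS",
                       r"C:\PROGRAM FILES\SYMANTEC", r"C:\PROGRAM FILES\MESSENGER", r"D:\PROGRAM FILES\AIM")

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_LINE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr))', re.IGNORECASE)
URL = re.compile(r"https?://\S+")

@dataclass
class Finding:
    section: str
    subject: str  # host, path or entry name the finding is about
    reason: str
    line: str

def parse_entries(text):
    """Yield (section, body, full line) for every HijackThis-style line."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()

def check_url(section, body, line):
    # R0/R1 are IE's start and search pages; O16 is an ActiveX control IE downloaded.
    m = URL.search(body)
    if not m:
        return None
    host = urlparse(m.group(0)).hostname
    trusted = TRUSTED_DPF_HOSTS if section == "O16" else TRUSTED_PAGE_HOSTS
    if host not in trusted:
        return Finding(section, host, "points at a non-allow-listed host", line)
    return None

def check_hook(section, body, line):
    # R3: the default URLSearchHook has been removed.
    return Finding(section, "URLSearchHook", body, line) if "missing" in body else None

def check_bho(section, body, line):
    # O2 is a browser helper object; one that reports no name deserves a look.
    if body.startswith("BHO: (no name)"):
        return Finding(section, body.rsplit(" - ", 1)[-1], "unnamed browser helper object", line)
    return None

def check_autostart(section, body, line):
    # O4 registry Run/RunServices entries (the Startup-folder form is skipped here).
    m = O4_LINE.match(body)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    if cmd.lower().startswith("regsvr32"):
        return Finding(section, name, "regsvr32 run at every logon", line)
    p = EXE_PATH.match(cmd)
    path = p.group("path").upper() if p else ""
    if "\\APPLICATION DATA\\" in path:
        return Finding(section, path, "executable launched from Application Data", line)
    if path and not path.startswith(TRUSTED_LAUNCH_DIRS):
        return Finding(section, path, "launcher outside allow-listed directories", line)
    return None

CHECKS = {"R0": check_url, "R1": check_url, "O16": check_url,
          "R3": check_hook, "O2": check_bho, "O4": check_autostart}

def triage(text):
    """Return the entries of a log that a helper should review first."""
    findings = []
    for section, body, line in parse_entries(text):
        check = CHECKS.get(section)
        result = check(section, body, line) if check else None
        if result:
            findings.append(result)
    return findings

if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"{fnd.section:<4}{fnd.reason}: {fnd.subject}")
```

The output is a review list, not a verdict: a legitimate launcher living in C:\WINDOWS\SYSTEM that is not on the allow-list is reported too, which is the conservative choice when a helper is working through a log by hand. On the sample lines the script reports the same eight entries the reply above tells the poster to fix (both hijacked pages, the missing hook, the unnamed BHO, the regsvr32 entry, dmsc.exe, ohyrzv.exe and the mt-download.com control) and passes ccApp, AIM and the Flash control.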
