-
August 30th, 2004, 07:45 PM
#1
Thanks. I shot another one below...
Thought we had this!
Home page is still getting reset. Have Rich downloading updates.
We did a HJT fix, but immediately got the deleted files back.
I must be doing something asinine to be missing this.
-
August 31st, 2004, 02:40 AM
#2
Registered User
Fix the entries while in safe mode. Also delete any files or folders related to it while still in safe mode. Then run Hijack This in safe mode still. Reboot normally and run Hijack This again. What you want to do is look at both logs and see if the infection came back after you rebooted. If so there may be a hidden dll there. If so I have some ideas for you. I will also talk to Merijn, a good friend of mine. He made Hijack This and CWShredder and will know if something isn't working right.
-
August 31st, 2004, 05:56 PM
#3
not there yet
Still no Bingo.
Richard has run everything he can get his hands on with no success. I ran into a guy today who mentioned a "Host.JSP" ??? file?
Does that make sense?
-
August 31st, 2004, 07:43 PM
#4
richards new logfile
ran all suggested programs in safe mode, updated all, deleted temp files/cookies.
Logfile of HijackThis v1.98.2
Scan saved at 8:31:05 PM, on 8/31/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHERO.EXE
C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHERO.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\NEGD.DAT
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = rr.com
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: GeekSuperheroBHO Class - {1FEA39D6-46B3-4F66-BC38-4839CFE198EA} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROBUGSWAT.DLL (file missing)
O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
.. keeps coming back. Attached hjt log
(SIC) "Courage is not the abscence of fear....it is the mastery of fear."
Samuel Clemmons/Mark Twain.
"It's just a short ride"...(Dad-rip) Life/Death.
"This too will pass away" ....(Dad) When things s***
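Pugs's advice in #2 is to run HijackThis before and after the reboot and compare the two logs to see which entries came back. The script below is an added example for this thread, not code from HijackThis or from anyone in it: it parses the R0/R1/O2/O4/O13 lines and the "Running processes" block of a HijackThis-style log, flags the patterns visible in Richard's log above (start/search pages pointing at a local .chm, URL prefixes rewritten to one search host, a process or autostart living in a temp directory), and reports which flagged items survived the fix. The two sample logs are constructed from lines in the posted log; the extra `O4` entry for `NEGD.DAT` in the "after" log and the `trusted_hosts` parameter are assumptions made for the example.

```python
"""Parse HijackThis-style logs, flag hijack indicators, diff two scans.

Added example for this thread (not HijackThis code, not a poster's code).
Sample logs are constructed from lines in the posted log.
"""
import re
from typing import Dict, List, Optional, Tuple

# A HijackThis entry line: "R0 - ...", "O4 - ...", "O13 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
# Locations a legitimate program should not run or autostart from.
TEMP_DIRS = ("\\WINDOWS\\TEMP\\", "\\TEMP\\", "\\TMP\\")

# Constructed "before fix" scan: a subset of the posted log.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TEMP\NEGD.DAT
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
"""

# Constructed "after reboot" scan: the O13 fix held, but the dropper in TEMP
# was not removed and re-wrote the start/search pages. The O4 line naming
# NEGD.DAT is a hypothetical addition, not from the posted log.
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TEMP\NEGD.DAT
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [negd] C:\WINDOWS\TEMP\NEGD.DAT
"""

Entry = Tuple[str, str]          # (kind, body)
Finding = Tuple[str, str, str]   # (kind or "process", body, reason)


def parse_log(text: str) -> Dict[str, List]:
    """Split a log into its running-process list and its R/O entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/O line ends the process block
            entries.append((m.group("kind"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def flag_entry(kind: str, body: str, trusted_hosts: Tuple[str, ...] = ()) -> Optional[str]:
    """Return why an entry looks hijacked, or None if it looks benign."""
    if kind in ("R0", "R1"):
        if "mk:@MSITStore:" in body:
            return "start/search page points at a local .chm file"
        m = URL_RE.search(body)
        if m and m.group(1).lower() not in trusted_hosts:
            return "start/search page redirected to " + m.group(1)
    if kind == "O13":
        return "URL prefix overridden; IE prepends it to typed addresses"
    if kind == "O4" and any(d in body.upper() for d in TEMP_DIRS):
        return "autostart entry runs from a temp directory"
    return None


def flag_log(parsed: Dict[str, List], trusted_hosts: Tuple[str, ...] = ()) -> List[Finding]:
    """Collect every suspicious process and entry in one parsed scan."""
    found: List[Finding] = []
    for proc in parsed["processes"]:
        if any(d in proc.upper() for d in TEMP_DIRS):
            found.append(("process", proc, "running from a temp directory"))
    for kind, body in parsed["entries"]:
        reason = flag_entry(kind, body, trusted_hosts)
        if reason:
            found.append((kind, body, reason))
    return found


def returned_after_reboot(before: str, after: str, trusted_hosts: Tuple[str, ...] = ()) -> List[Finding]:
    """Flagged items present in both scans: the fix did not stick."""
    seen = {(k, b) for k, b, _ in flag_log(parse_log(before), trusted_hosts)}
    return [f for f in flag_log(parse_log(after), trusted_hosts) if (f[0], f[1]) in seen]


if __name__ == "__main__":
    for kind, body, reason in returned_after_reboot(LOG_BEFORE, LOG_AFTER):
        print(f"RETURNED [{kind}] {body}\n    -> {reason}")
```

Anything reported as returned is where to look next: a process or autostart under a temp directory that is present in both scans is a better lead than the registry values it keeps rewriting, which matches the thread's later advice to hunt for what reinstalls the hijack rather than re-fixing the symptoms.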
-
September 1st, 2004, 04:29 AM
#5
Registered User
I am seriously amazed that CWShredder is not fixing this. I have not been able to get a hold of Merijn yet as he's in university now. As soon as I can talk to him or someone else who knows I'll get back to you. What I can suggest is posting this log on Http://forums.spywareinfo.com There are a lot of experts there that may know something we don't know.
-
September 2nd, 2004, 05:43 AM
#6
Driver Terrier
no need for that pugs, just because you don't have the answer.
-
September 2nd, 2004, 05:56 AM
#7
Driver Terrier
 Originally Posted by jstut
ran all suggested programs in safe mode, updated all, deleted temp files/cookies.
Logfile of HijackThis v1.98.2
C:\WINDOWS\TEMP\NEGD.DAT
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O9 - Extra button: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5ACAA515-6340-4501-9CF4-F587CB2A7AC8} - (no file)
O9 - Extra button: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {05BAF5B4-69CB-4A89-B460-C1237BDE6D92} - (no file)
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROBUGSWAT.DLL (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
.. keeps coming back. Attached hjt log
OK, the two files shown in bold - find them and delete them in safe mode. If they won't delete you will have to get a 98 boot disk and do it in dos.
Geeksuperhero .... not heard of this but it's supposed to stop hijacks cold - have you used it? The last 3 tools here are useful. Judging by the file missing entry for Geeksuperhero, it may have been corrupted.
Exactly how did you delete your temporary internet files?
Did you check in
c:\temp
c:\tmp
c:\windows\temp
c:\windows\tmp
as well for temp files?
There is also a folder called c:\windows\downloads which may have stuff in it.
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
September 3rd, 2004, 07:59 PM
#8
Thanks Pugs!!! I appreciate the assistance.
Thanks NooNoo I'll delve in.
PC is out for a couple of days....
Much Grats for your assistance.
-
September 9th, 2004, 10:04 AM
#9
Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source from changing page.
-
September 9th, 2004, 10:18 AM
#10
Senior Member
 Originally Posted by jstut
Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source from changing page.
How about the teatimer add-on from Spybot? would that not prevent the registry update?
-
September 9th, 2004, 04:11 PM
#11
Registered User
Check what services are running. Either post them here or google for the ones you don't know of. With coolweb a lot of times there is a service that installs it again.
-
September 9th, 2004, 08:10 PM
#12
 Originally Posted by Garak
How about the teatimer add-on from Spybot? would that not prevent the registry update?
Lost me there....teatimer?
-
September 10th, 2004, 09:25 AM
#13
Registered User
 Originally Posted by jstut
Cleaned up for a while, but this thing keeps coming back.
Any suggestions?
Where else could this guy be coming from?
Running Zone Alarm, Spyguard, etc, but can't seem to stop the source from changing page.
Besides all the great suggestions you have received, have you tried This yet? The 30 day trial is a full version. I have run into this about:blank on quite a few clients lately. By using this and the other suggestions I have cleaned them up in about 10 - 20 minutes. Cheers.
-
September 18th, 2004, 03:12 PM
#14
Driver Terrier