cant find away to del spyware using HijackThis
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: cant find away to del spyware using HijackThis

  1. #1
    Senior Member
    Join Date
    Jun 2004
    Posts
    137

    Question cant find away to del spyware using HijackThis


    can you help me out guys my friend pc is infected by a spyware...
    I used SPYBOT, ADAWARE, AVG still there's a possible spyware cause when using the
    IE is not in good state.. well anyway i used the HIJACKTHIS GUYS...

    HERE'S WHAT IT SAY'S

    Logfile of HijackThis v1.97.7
    Scan saved at 2:57:59 PM, on 10/19/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://192.168.0.100:918
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8FF39596-B202-46EB-9240-2E6EDCB018E7} - C:\WINDOWS\System32\kbnbg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binarie...1025_EN_XP.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...f4a58b0be0058e
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binarie...ce_5_EN_XP.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096083732811
    O16 - DPF: {8B936702-C234-40D0-B69C-A2F669A33978} - http://akamai.downloadv3.com/binarie...ce_7_EN_XP.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E80ABE49-F6F2-40F8-9D7D-2AB4AA5CBB03}: NameServer = 203.172.11.26,202.57.96.4


    CAN YOU HELP ME OUT GUYS!!!!

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Please tell your friend that if they persist in running unpatched systems this will happen

    1. Get a firewall. As you friend does not seem very experienced I would try ZoneAlarm. Set all settings to high. That will give you adequate protection whilst you are doing the rest.

    2. Update Spybot, AdAware and your AV and run them all in safe mode (F8 on boot up).

    3. Go to the Microsoft site (use Windows Update) and update your WinXP and Internet Explorer. That should fix your IE problems. It should be at least at SP1 (6.00.2800.1106), yours is: (6.00.2600.0000) which is way out of date.

    4. Get HijackThis v1.98 and run it again.

    5. Try using a different browser.............Mozilla 1.7, Mozilla Firefox, Opera or whatever. You will have to use IE for some tasks like updating Windows, but for day to day use it is safer to use something else.

    Good luck.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Ouch! this boy's eat up with it. Just happens I learned through trial and error the other day when I tried to find and download a dvd player/decoder and wound up with 5 different kinds of spyware installed along with the one player that actually worked - even with hijack this cleaning in safemode, on reboot the spyware would just return. Here's how I fixed it -

    After cleaning up in safe mode with spybot and hijack this, on a whim I ran msconfig. Sure enough, the spyware installer was in the startup section. Oops. That was kinda sloppy on the author's part, but to the average user it'd be enough to make him throw up his hands in disgust. I promptly removed it from startup, checked through the other ini files for anything related to it, and now the machine works just fine. The spyware is still on my machine somewhere I'm sure, but it cannot load and won't be started. I'm still in 'agreement' with the licensing agreement that came with the player that said I had to install this and that spyware, because it *is* still here, and *is* still installed - it's just rendered inoperable.

    Hope that helps some.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    In addition to nihil's good advice..it's possible you have a CWS infection that either spybot or Adaware only partially cleaned up.


    This is only the first step:

    Put a checkmark next to the following entries in HijackThis. Make sure all
    other windows and browsers are closed before clicking on “Fix Checked”
    .

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about :NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about :NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...amp;ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank
    O2 - BHO: (no name) - {8FF39596-B202-46EB-9240-2E6EDCB018E7} - C:\WINDOWS\System32\kbnbg.dll
    ***********************************************************

    Download and install APM from here:
    http://www.diamondcs.com.au/index.php?page=apm

    Now, start APM.
    In the upper window select explorer.exe
    In the lower window find and rightclick the O2 - BHO: entry from your HijackThis log.

    In the current log it is this file but it may have changed names.
    It is currently :

    O2 - BHO: (no name) - {8FF39596-B202-46EB-9240-2E6EDCB018E7} - C:\WINDOWS\System32\kbnbg.dll

    <--This file name

    It is the 02 BHO entry with no description, in case it has changed names. It is not tied to any program you recognize.
    Select Unload DLL, and click OK on the prompts that follow.

    ***********************************************************

    Boot into SAFE MODE by tapping the f8 key during boot up.

    Run Adaware with the following options selected:

    • Configure Ad-aware
      • Click on the Gear-shaped icon at the top to open the Settings window.
      • All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.
      • General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)
      • Scanning Settings
        • Scan Within Archives
        • Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.
        • Scan Active Processes
        • Scan Registry
        • Deep Scan Registry
        • Scan my IE favorites for banned URL’s
        • Scan my Hosts file
      • Advanced Settings - Enable all four options under 'Log-file Detail level'
      • Tweak Settings
        • Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'
        • Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'
      • Click Proceed
    • Click on the 'Start' button in the lower right.
    • Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.
    • Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.
    • Close Ad-aware
    ==========================

    Reboot and post a new log using the updated version as nihil sugested.

  5. #5
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76
    Don't forget to disable the System Restore (My Computer, Properties, System Restore, Turn off system restore.) before cleaning out the system.

    I've reinfections from this "protected area". Re-enable when "clean."

  6. #6
    ahhh another hijack this log, seen quite alot of these lately, spyware is on the rise, i use all of those and was introduced to webroot spysweeper, its legit program, just google for it and its free with current updates. it found more than ad-aware did. and has all kinds of shield programs running in the background to protect from more enterning, def agree with the firewall and the windows update.

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Don't forget to disable the System Restore (My Computer, Properties, System Restore, Turn off system restore.) before cleaning out the system.
    With all due respect, I would never recommend that step until after the infection is removed. If for some reason the user gets removal happy with HJT and ignores suggestions, then they have nothing to fall back on if the removal goes badly.

    Just my 2 bits.

  8. #8
    Senior Member
    Join Date
    Jun 2004
    Posts
    137
    Thanks guys
    is there a possible way to block this spyware except using a firewall installed in your PC and using SPOYBOT,ADAWARe?

    any softwares or suggestions guys to protect yourself from this dangerous PARASITES theyre giving a headache dudE!!

  9. #9
    Update windows!
    in IE: Tools, Windows Update.

    That will prevent 90% of adware, responsible computing will take care of the rest.

  10. #10
    Senior Member
    Join Date
    Jun 2004
    Posts
    137
    ohh I seeee!!!
    Its that really simple....
    no other possible way ok fine whatever
    I think its just business .... so many little people will have ......
    ok thats enough
    I think you will not agree with ...

    ANYWAY THANKS A LOT !
    GOD BLESS YOU ALL

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •