
Thread: Can't find a way to delete spyware using HijackThis

  1. #1
    Senior Member
    Join Date
    Jun 2004
    Posts
    137

    Question: Can't find a way to delete spyware using HijackThis


    Can you help me out, guys? My friend's PC is infected by spyware...
    I used SPYBOT, ADAWARE and AVG, but there's still possibly spyware, because
    IE is not in a good state.. Well anyway, I used HIJACKTHIS, GUYS...

    HERE'S WHAT IT SAYS

    Logfile of HijackThis v1.97.7
    Scan saved at 2:57:59 PM, on 10/19/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://192.168.0.100:918
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8FF39596-B202-46EB-9240-2E6EDCB018E7} - C:\WINDOWS\System32\kbnbg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binarie...1025_EN_XP.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...f4a58b0be0058e
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binarie...ce_5_EN_XP.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096083732811
    O16 - DPF: {8B936702-C234-40D0-B69C-A2F669A33978} - http://akamai.downloadv3.com/binarie...ce_7_EN_XP.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E80ABE49-F6F2-40F8-9D7D-2AB4AA5CBB03}: NameServer = 203.172.11.26,202.57.96.4


    CAN YOU HELP ME OUT GUYS!!!!

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Please tell your friend that if they persist in running unpatched systems this will happen.

    1. Get a firewall. As your friend does not seem very experienced I would try ZoneAlarm. Set all settings to high. That will give you adequate protection whilst you are doing the rest.

    2. Update Spybot, AdAware and your AV and run them all in safe mode (F8 on boot up).

    3. Go to the Microsoft site (use Windows Update) and update your WinXP and Internet Explorer. That should fix your IE problems. It should be at least at SP1 (6.00.2800.1106), yours is: (6.00.2600.0000) which is way out of date.

    4. Get HijackThis v1.98 and run it again.

    5. Try using a different browser: Mozilla 1.7, Mozilla Firefox, Opera or whatever. You will have to use IE for some tasks like updating Windows, but for day to day use it is safer to use something else.

    Good luck.

  3. #3
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Ouch! This boy's eaten up with it. It just happens I learned through trial and error the other day when I tried to find and download a DVD player/decoder and wound up with 5 different kinds of spyware installed along with the one player that actually worked - even with HijackThis cleaning in safe mode, on reboot the spyware would just return. Here's how I fixed it -

    After cleaning up in safe mode with Spybot and HijackThis, on a whim I ran msconfig. Sure enough, the spyware installer was in the startup section. Oops. That was kinda sloppy on the author's part, but to the average user it'd be enough to make him throw up his hands in disgust. I promptly removed it from startup, checked through the other ini files for anything related to it, and now the machine works just fine. The spyware is still on my machine somewhere, I'm sure, but it cannot load and won't be started. I'm still in 'agreement' with the licensing agreement that came with the player that said I had to install this and that spyware, because it *is* still here, and *is* still installed - it's just rendered inoperable.

    Hope that helps some.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    In addition to nihil's good advice, it's possible you have a CWS infection that either Spybot or Ad-Aware only partially cleaned up.


    This is only the first step:

    Put a checkmark next to the following entries in HijackThis. Make sure all
    other windows and browsers are closed before clicking on "Fix Checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...amp;ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {8FF39596-B202-46EB-9240-2E6EDCB018E7} - C:\WINDOWS\System32\kbnbg.dll
    ***********************************************************

    Download and install APM from here:
    http://www.diamondcs.com.au/index.php?page=apm

    Now, start APM.
    In the upper window select explorer.exe
    In the lower window find and rightclick the O2 - BHO: entry from your HijackThis log.

    In the current log it is this file but it may have changed names.
    It is currently :

    O2 - BHO: (no name) - {8FF39596-B202-46EB-9240-2E6EDCB018E7} - C:\WINDOWS\System32\kbnbg.dll

    <--This file name

    It is the O2 BHO entry with no description, in case it has changed names. It is not tied to any program you recognize.
    Select Unload DLL, and click OK on the prompts that follow.

    ***********************************************************

    Boot into SAFE MODE by tapping the F8 key during boot up.

    Run Adaware with the following options selected:

    • Configure Ad-aware
      • Click on the Gear-shaped icon at the top to open the Settings window.
      • All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.
      • General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)
      • Scanning Settings
        • Scan Within Archives
        • Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.
        • Scan Active Processes
        • Scan Registry
        • Deep Scan Registry
        • Scan my IE favorites for banned URLs
        • Scan my Hosts file
      • Advanced Settings - Enable all four options under 'Log-file Detail level'
      • Tweak Settings
        • Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'
        • Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'
      • Click Proceed
    • Click on the 'Start' button in the lower right.
    • Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.
    • Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.
    • Close Ad-aware
    ==========================

    Reboot and post a new log using the updated version as nihil suggested.
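    An added example, not code from any poster in this thread: a small Python triage script that parses the R0/R1 and O2 lines of a HijackThis 1.9x log and flags the two patterns the post above tells the poster to "Fix Checked": IE search settings pointing at about:NavigationFailure, and a BHO with no name loaded from System32. The sample lines are copied from the log posted in this thread; the flagging rules are heuristics drawn from the advice above, not HijackThis's own logic.

```python
import re

# Sample input: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {8FF39596-B202-46EB-9240-2E6EDCB018E7} - C:\WINDOWS\System32\kbnbg.dll",
    r"O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx",
]

# Every HijackThis entry starts with a section tag (R0, R1, O2, O16, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O2 body layout: "BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def parse_entry(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(lines):
    """Return (section, reason, line) for entries matching the thread's heuristics."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        if section in ("R0", "R1"):
            # R0/R1 = IE start/search registry values; CWS-style hijacks point them
            # at about:NavigationFailure (the entries post #4 lists for "Fix Checked").
            _key, _, value = body.partition(" = ")
            if value.strip().lower() == "about:navigationfailure":
                findings.append((section, "hijacked IE search/start setting", line.strip()))
        elif section == "O2":
            # Heuristic from the thread: a BHO with no description whose DLL sits in
            # System32 and is not tied to any known program (kbnbg.dll in this log).
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
                findings.append((section, "unnamed BHO loaded from System32", line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```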

  5. #5
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76
    Don't forget to disable the System Restore (My Computer, Properties, System Restore, Turn off system restore.) before cleaning out the system.

    I've had reinfections from this "protected area". Re-enable when "clean."

  6. #6
    Ahhh, another HijackThis log. Seen quite a lot of these lately; spyware is on the rise. I use all of those and was introduced to Webroot Spy Sweeper. It's a legit program, just Google for it, and it's free with current updates. It found more than Ad-Aware did, and has all kinds of shield programs running in the background to protect from more entering. Def agree with the firewall and the Windows update.

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    > Don't forget to disable the System Restore (My Computer, Properties, System Restore, Turn off system restore.) before cleaning out the system.

    With all due respect, I would never recommend that step until after the infection is removed. If for some reason the user gets removal happy with HJT and ignores suggestions, then they have nothing to fall back on if the removal goes badly.

    Just my 2 bits.

  8. #8
    Senior Member
    Join Date
    Jun 2004
    Posts
    137
    Thanks guys
    Is there a possible way to block this spyware except using a firewall installed on your PC and using SPYBOT, ADAWARE?

    Any software or suggestions, guys, to protect yourself from these dangerous PARASITES? They're giving a headache, DUDE!!

  9. #9
    Update windows!
    in IE: Tools, Windows Update.

    That will prevent 90% of adware, responsible computing will take care of the rest.

  10. #10
    Senior Member
    Join Date
    Jun 2004
    Posts
    137
    ohh I seeee!!!
    It's that really simple....
    no other possible way ok fine whatever
    I think it's just business .... so many little people will have ......
    ok thats enough
    I think you will not agree with ...

    ANYWAY THANKS A LOT !
    GOD BLESS YOU ALL
