Solved

Win XP Hijacked!

Posted on 2004-08-12
Last Modified: 2013-11-16
You've all probably heard this a million times just today. I made the mistake of looking for download sites & got absolutely bombarded with viruses & every adware & hijack trick in the book. I already had Spybot (latest version & definitions) installed, but this doesn't seem to have helped.

Anyway, I now have a number of suspicious .exe's on my hard drive & nasty looking entries in the Windows Registry.

I've read through some answers to similar questions and, following the advice found there, I have installed the following spyware programs.

SpyBlaster
SpyHunter (full version)
Ad-aware SE
Hijack this

In addition I have Norton Systemworks now installed & fully updated. I have carried out a full scan of my HDD & manually deleted all of the problem files it found, but there were still a number left that, for some reason, it will not let me remove.

I have run Spyhunter & Spybot & Ad-Aware & removed all problem files found by them.

Finally, I have run Hijack This. Here is the report log:

Logfile of HijackThis v1.98.2
Scan saved at 10:11:35 PM, on 12/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\iexplore.exe
C:\WINDOWS\ewywlz.exe
C:\WINDOWS\System32\gvmvpxn.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Internet Downloads\Utilities\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tpg.com.au/
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {49AD425E-C166-23CC-D525-66557EA47C48} - C:\WINDOWS\System32\pbo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\RECYCLER\S-1-5-21-725345543-343818398-1801674531-1004\Dc29\zSearch.dll (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [ylqapyfqj] C:\WINDOWS\System32\gvmvpxn.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [zSearch] C:\RECYCLER\S-1-5-21-725345543-343818398-1801674531-1004\Dc29\Zstb.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Ppmo] C:\Documents and Settings\User\Application Data\cloc.exe
O4 - HKCU\..\Run: [Wbil] C:\WINDOWS\System32\xaian.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/ffvg.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab


I still seem to have something on my computer that accesses the internet (DSL) & loads an advertising site.

Can anyone help me with advice on what to remove from the registry using Hijack This?
Any other advice to help get rid of the little bastard gremlins!?

Thanks very much for taking the time to read this.

Question by: boostboy

3 Comments

Accepted Solution by: SheharyaarSaahil (earned 250 total points), ID: 11784300
Hello boostboy =)

First TURN OFF your System Restore and then fix the following entries:

====================================================================
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {49AD425E-C166-23CC-D525-66557EA47C48} - C:\WINDOWS\System32\pbo.dll
O2 - BHO: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\RECYCLER\S-1-5-21-725345543-343818398-1801674531-1004\Dc29\zSearch.dll (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [ylqapyfqj] C:\WINDOWS\System32\gvmvpxn.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [zSearch] C:\RECYCLER\S-1-5-21-725345543-343818398-1801674531-1004\Dc29\Zstb.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Ppmo] C:\Documents and Settings\User\Application Data\cloc.exe
O4 - HKCU\..\Run: [Wbil] C:\WINDOWS\System32\xaian.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
=================================================================================
then...

1. Restart your machine
2. Boot into safe mode and log in as Administrator
3. Run the AntiVirus tool and delete all viruses it finds
4. Run the Spyware Removal tools and delete everything they detect
5. Then go to My Computer > Tools > Folder Options > View and turn on Show Hidden Files
6. Go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
7. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the ContentIE folder
8. Go to C:\Documents and Settings\your username\Cookies, and delete all cookies present here.
9. Reboot back into Normal Mode and check if the problems are gone
10. If YES then great, otherwise run the HijackThis scan and post the LOG file here again.


!! GOOD LUCK !!
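The accepted answer picked its "fix these" list out of the log by eye. As an added example that is not part of the original thread and is not code from HijackThis, the script below parses log lines of the kind posted above and applies the same indicators mechanically: registrations whose file is gone, binaries living in the Recycle Bin or a profile's Application Data, random-looking file and Run-value names, a well-known binary name (iexplore.exe) sitting outside its normal directory, and product names the answer identified as adware. Anything it cannot place goes to a "review" pile rather than being silently passed, which is where the poster's unnamed O16 ActiveX download and the xaian.exe entry land. The TRUSTED_DIRS, KNOWN_ADWARE and EXPECTED_DIR tables are assumptions about this particular machine, and SAMPLE_LOG is a constructed subset of the posted log.

```python
"""HijackThis log triage: an added example, not code from the thread or from HijackThis.
Sorts R3/O2/O3/O4/O16 lines into 'good', 'fix' or 'review' using the indicators the
accepted answer applied by eye.  TRUSTED_DIRS and KNOWN_ADWARE are assumptions about
this particular machine, not a general allow/deny list."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRUSTED_DIRS = (r"\symantec shared", r"\norton", r"\spybot", r"\program files\quicktime",
                r"\program files\messenger", r"\program files\java")  # assumed trusted here
ODD_DIRS = (r"c:\recycler", r"\application data", r"\local settings\temp")
KNOWN_ADWARE = ("zsearch", "tv media", "alchem")        # names the accepted answer called out
EXPECTED_DIR = {"iexplore.exe": r"\internet explorer"}  # well-known name -> its normal home

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|ocx)\b", re.I)   # first drive-rooted path
URL_RE = re.compile(r"https?://\S+", re.I)


@dataclass
class Entry:
    section: str
    body: str
    path: str = ""
    verdict: str = "review"
    reasons: List[str] = field(default_factory=list)


def looks_random(token: str) -> bool:
    """No vowels at all, or four+ consonants in a row (y counts as a consonant)."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    return bool(letters) and (not re.search(r"[aeiou]", letters)
                              or re.search(r"[^aeiou]{4,}", letters) is not None)


def triage_line(line: str) -> Optional[Entry]:
    """Classify one log line; None for lines that are not R3/O2/O3/O4/O16 entries."""
    m = LINE_RE.match(line.strip())
    if not m or m["sec"] not in ("R3", "O2", "O3", "O4", "O16"):
        return None
    e = Entry(m["sec"], m["body"])
    low = e.body.lower()
    pm = PATH_RE.search(e.body)
    e.path = pm.group(0) if pm else ""
    lpath = e.path.lower()
    filename = lpath.rsplit("\\", 1)[-1]
    if lpath and any(d in lpath for d in TRUSTED_DIRS):
        e.verdict = "good"              # trusted vendor path: no further checks
        return e
    if "(no file)" in low or "(file missing)" in low:
        e.reasons.append("orphaned registration")
    if any(d in lpath for d in ODD_DIRS):
        e.reasons.append("binary in a location autostart items never use")
    if any(a in low for a in KNOWN_ADWARE):
        e.reasons.append("known adware product name")
    if filename in EXPECTED_DIR and EXPECTED_DIR[filename] not in lpath:
        e.reasons.append(f"{filename} outside its normal directory")
    run_value = re.search(r"\[([^\]]+)\]", e.body)      # O4 value name, e.g. [ylqapyfqj]
    tokens = [filename.rsplit(".", 1)[0]] + ([run_value.group(1)] if run_value else [])
    if any(looks_random(t) for t in tokens):
        e.reasons.append("random-looking name")
    if e.section == "O2" and "(no name)" in low:
        e.reasons.append("unnamed BHO outside any trusted vendor directory")
    if e.reasons:
        e.verdict = "fix"
    elif e.section == "O16":
        url = URL_RE.search(e.body)
        e.reasons.append("ActiveX download, verify the host: " + (url.group(0) if url else "?"))
    else:
        e.reasons.append("unrecognised, check the file by hand")
    return e


def triage(lines) -> Dict[str, List[Entry]]:
    """Group parsed entries by verdict, preserving log order."""
    out: Dict[str, List[Entry]] = {"good": [], "fix": [], "review": []}
    for line in lines:
        e = triage_line(line)
        if e:
            out[e.verdict].append(e)
    return out


# Constructed sample: a subset of the lines from the posted log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {49AD425E-C166-23CC-D525-66557EA47C48} - C:\WINDOWS\System32\pbo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\RECYCLER\S-1-5-21-725345543-343818398-1801674531-1004\Dc29\zSearch.dll (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [ylqapyfqj] C:\WINDOWS\System32\gvmvpxn.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [zSearch] C:\RECYCLER\S-1-5-21-725345543-343818398-1801674531-1004\Dc29\Zstb.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ppmo] C:\Documents and Settings\User\Application Data\cloc.exe
O4 - HKCU\..\Run: [Wbil] C:\WINDOWS\System32\xaian.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/ffvg.cab
"""

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_LOG.splitlines()).items():
        for e in entries:
            print(f"{verdict:6} {e.section:3} {e.path or e.body[:60]}  ({'; '.join(e.reasons)})")
```

Run it on the sample and the "fix" pile is exactly the fifteen-entry list in the accepted answer minus xaian.exe, which lands in "review" because nothing about its path or name is diagnostic on its own; that is the honest outcome for a file the tool has never seen, and the reason the script never silently marks an unknown entry clean. Note the order of checks: the trusted-vendor test runs first so that legitimate names with no vowels (MSMSGS, for instance) are not flagged as random.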
 
LVL 5

Expert Comment

by:Hypoviax
ID: 11790000
To get into safe mode, by the way, press F8.

Regards,

Hypoviax
Expert Comment by: cduke250, ID: 11805672
If you are running Windows XP then you are in a lot of luck, bro.

The Windows restore program automatically saves registry and other settings in a "snapshot" of your computer. There are several "snapshots" available that let you restore old (working) settings. Restoring an older snapshot does not delete any of your new files or change anything bad. If I were you I would do this immediately and then run a thorough anti-virus program with the latest updates. Here is a MO for you.
_________________________
| OPTIONAL PRE CHECKLIST |
+--------------------------------------------------------------------------------------------------+
Save ALL records in a specific spot like My Documents/records/. You will have to go through the settings of the programs to do this. This will greatly aid someone trying to help.

If you need a program but your PC doesn't connect to the internet to download it, DL it on another PC and save to disk or burn to CD.

Google for "vice trojan finder" or find it at rootkit.com

Find hijackthis at http://www.spychecker.com/download/download_hijackthis.html

AdWare is a REQUIREMENT for smooth PC operation. Find it at zdnet and emule.

Use emule (zdnet.com) to find programs. (During setup you want to use the kad network too.)

Might need winrar (zdnet.com, winrar.com) to unpack and unzip files. WinZip will not work for some of these files.

Don't use IE as your web browser. Use Netscape or USE FIREFOX!! THE BEST BROWSER. www.mozilla.org
+--------------------------------------------------------------------------------------------------+

____________
| CHECKLIST |
+--------------------------------------------------------------------------------------------------+
1. Start -> Programs -> Accessories -> System Tools -> System Restore --> "Restore my computer to an earlier point" --> pick a date and go!

OPTIONAL
*** I would also go to  Start -> Programs -> Accessories -> System Tools -> Disk Cleanup --> delete temp files

2. Update any anti-virus programs you have. Definitely have and regularly use anti-virus programs (Zone Alarm security suite, McAfee, AdAware, hijackthis)!!! Zdnet.com

OPTIONAL -NOT RECOMMENDED -RISKY
**No budget? You can download emule at zdnet.com and search for an anti-virus product. Scan it for viruses before unpacking (unzipping, unarchiving), scan while unpacking, and scan after unpacking.
-Risky because it could contain a virus or be malware. I have found most to be good, however. If you do download an anti-virus product make sure you register and pay for it and update everything you can.

OPTIONAL
**Go to Start -> Settings -> Control Panel -> Add Remove Programs --> Remove all unneeded and unused programs. This will help all-around PC performance.

OPTIONAL
**Go to Start -> Programs -> Accessories -> System Tools -> Disk Defragmenter --> "Analyse"  --> follow recommendation to defragment or not.  Our recommendation is to defrag no matter what.

3. Scan your computer with the most advanced and long type of anti-virus detection available. Peruse the settings and try looking for byte-level scanning or byte-heuristics. Make sure you are scanning in archives as well.

4.  Run a full Adaware with updated definitions. (zdnet.com)

5. Run a full hijackthis.

6. Now try to access the Internet with your web browser. Also try accessing the Internet by using Start --> Run --> "command" --> type ping www.hotmail.com (Ctrl-C stops pinging). If it doesn't work, try pinging your working PC or your router.
+--------------------------------------------------------------------------------------------------+

