Solved

Internet Hijackers

Posted on 2004-09-26
430 Views
Last Modified: 2008-02-26
My problem is pretty much like a lot of other people's on here. I can't do a thing on my computer (while on the internet) without being redirected to an illegitimate search engine. I have purchased and used so many different programs. I have used SpySweeper, Ad-Aware, Shredder, HijackThis, and just countless others, for apparently no reason!! I have CoolWebSearch, Super Spider, and some windowws blah blah blah id=all kinds of numbers. I have even had so-called technical support, only for their suggestions not to work. I have gone into my internet settings numerous times to delete and change things around. This problem just will not go away. It's ridiculous!

I am curious if this has anything to do with my problem....

Months ago I had a different internet service provider from the one I currently have. I believe I received my spyware while I was using their service. Well, when I go into IE now, on the top bar where it says "MIE provided by", it still has my old internet service provider as the provider, even though I have deleted it in the internet connection options. When I scan with HijackThis, etc., I see that the provider is still on my computer, even though I can't find it when I do a search for it.

At this point I am truly lost, and completely frustrated!!  Does spyware ever get to a computer so bad that it's just completely worthless to even bother anymore???

Help lol!
Question by:courtneylozar
17 Comments
 
LVL 12

Expert Comment

by:rossfingal
ID: 12157625
Hi!

Well, it certainly sounds like you have some problems.
Since you say you've run HijackThis, could you run it and post a log file here and we'll take a look at it.
Make sure before you run it that you have the option "Show all files and folders, including hidden and system" enabled.
Also, make sure all browser windows are closed.

Good luck!
RF
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12157813
Are you using WinME\XP?
If YES, then did you ever turn off your System Restore before cleaning your system, and did you run all those removal tools in Safe Mode?
If NO, then do it this time, and then check if there is any progress.

Also, did you use the latest version of HijackThis, i.e. 1.98.2?
If NO, then get it from here >> http://tools.radiosplace.com/HijackThis.exe
Download and run it, and save its LOG file.

Then post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for you. Fix everything which it labels as Nasty :)
To fix, check the lines and click on Fix Checked!!

CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted. Better to first research them on Google, and then, when you have confirmed that they should be deleted, fix them.

Whenever you run HijackThis, run it from a new folder on your desktop, so that in case of any problem you can take advantage of the backups it creates of fixed items.

And in case you still face problems in dealing with it, just analyse your log at the above site, then scroll down to where you will see a Save Analyse button. Hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)
 
LVL 17

Accepted Solution

by:
Lobo042399 earned 168 total points
ID: 12157966
Hi Courtney,

In plain English, HijackThis is a very powerful tool that, if used incorrectly, can cause more damage than good to your machine. I would recommend the use of other tools and leave HijackThis alone for the moment. If you want to use it, however, before hitting the Fix button, make sure that every item in the list is something you did not install and/or you can recognize as part of the problem. If you're not sure about an item, do not check it.

Most hijackers these days are of the CWS (CoolWebSearch) type, or variations of it. A safer way to deal with most of those is by using CoolWebShredder. If that's what you meant by "Shredder" in your Question, then I would make sure that: You disabled System Restore before running it, and you ran it in Safe Mode. That can make a big difference in the result. If you did not mean CoolWebShredder, then you can download it from:

http://www.gatesofdelirium.com/ee/tools/

Make sure you update it before running it.

Manual removal instructions for Super Spider can be found at:

http://www.pestpatrol.com/pestinfo/s/super-spider.asp

Make sure you follow them to the letter. It is a good idea to make a printout of these instructions to keep handy.

Good Vibes!

Lobo
 
LVL 6

Assisted Solution

by:acmp
acmp earned 166 total points
ID: 12163634
Just because I didn't see it above...

You don't need to worry about the 'Provided by' on your IE; it's just a string in the registry and won't affect anything at all.

The value is stored at 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\'. Just edit or delete the 'Window Title' value.

Hope this offers some peace.

acmp<><
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12163866
Hi acmp,

I remember using that Registry key to play a prank or two on a friend a while back. ;o)

Good Vibes!

Lobo
 
LVL 6

Expert Comment

by:acmp
ID: 12167145
LoBo

Happy days eh!

acmp<><
 

Author Comment

by:courtneylozar
ID: 12173713
Thanks to all of you for your suggestions. I very much appreciate it. First, here is the log from the HijackThis scan I performed:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\REALTIME.EXE
C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

Now I followed your suggestions and ran the programs I have in Safe Mode. I also went to the suggested website to make sure the items I was thinking of deleting were "Nasty". I deleted these nasty ones and then restarted my computer. I ran HijackThis again, and they reappeared.

Also... what is w32.HLL.Gaotc.:windows\system\system.exe? I have a few of these on my computer... they don't come off either.
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 166 total points
ID: 12173857
You still need to fix these lines!!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

And about windows\system\system.exe, well, it can be related to some trojan or worm... so give a try to running Stinger in Safe Mode ==> http://vil.nai.com/vil/stinger

Check if it comes up with anything or not.
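An added example, not part of this thread or of HijackThis itself: a small Python triage script that parses HijackThis log lines and flags the entries the thread singled out (the windowws.cc start page, the unnamed BHO in C:\WINDOWS\SYSTEM, the romahere/MATRIXHERE.EXE run key, and the MiniBugTransporter download), while marking "(file missing)" entries as stale rather than nasty. It is the automated form of the advice given above and in Lobo's earlier comment: identify what to fix before pressing Fix Checked. The indicator patterns and the "stale" classification are my own; the sample lines are copied from the log posted above.

```python
"""Triage HijackThis log lines against indicators named in the thread."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
"""


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "R0", "O2", "O4"
    verdict: str   # "nasty", "stale" or "ok"
    reason: str
    line: str


# Every HijackThis entry starts with a section code and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Indicators the thread itself flagged; the regexes are assumptions of this example.
INDICATORS: List[Tuple[set, "re.Pattern[str]", str]] = [
    ({"R0", "R1", "R3"}, re.compile(r"windowws\.cc", re.I),
     "start page hijacked to windowws.cc"),
    ({"O2"}, re.compile(r"^BHO: \(no name\) - \{[0-9A-F-]+\} - .+\\SYSTEM\\[A-Z0-9]+\.DLL$", re.I),
     "unnamed BHO loading a DLL from the SYSTEM folder; research it before fixing"),
    ({"O4"}, re.compile(r"\[romahere\]|MATRIXHERE\.EXE", re.I),
     "romahere/MATRIXHERE.EXE run key (identified in the thread as Trojan.Win32.Krepper)"),
    ({"O16"}, re.compile(r"MiniBugTransporter", re.I),
     "WeatherBug MiniBugTransporter download listed for removal in the thread"),
]


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one HijackThis entry into (section, body); None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(log_text: str) -> List[Finding]:
    """Classify every entry in the log as nasty, stale or ok."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue            # blank lines, "Running processes:" header, etc.
        section, body = parsed
        verdict, reason = "ok", ""
        # A dangling reference to a deleted file is clutter, not an infection.
        if body.endswith("(file missing)"):
            verdict, reason = "stale", "references a file that no longer exists"
        for sections, pattern, why in INDICATORS:
            if section in sections and pattern.search(body):
                verdict, reason = "nasty", why
                break
        findings.append(Finding(section, verdict, reason, raw.strip()))
    return findings


def lines_to_fix(log_text: str) -> List[str]:
    """Only the entries a user would tick before pressing Fix Checked."""
    return [f.line for f in triage(log_text) if f.verdict == "nasty"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:5} {f.section:3} {f.reason}")
```

Anything this script leaves as "ok" is not necessarily clean; it only knows the indicators from this thread, which is exactly why the advice above is to research each remaining entry before fixing it.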
 

Author Comment

by:courtneylozar
ID: 12174244
Hello. I ran Stinger, and nothing showed up. I ran this and HijackThis in Safe Mode, then restarted my computer. Ran HijackThis again... and the ones you told me to remove are still there =/
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12174361
Can you see this process >> O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
This is the culprit; it's related to Trojan.Win32.Krepper... did you delete it manually from your machine?

If NO, then check here how to get rid of it >> http://www.pestpatrol.com/pestinfo/t/trojan_win32_krepper.asp
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12175974
Hi Courtney,

Contrary to what many believe (or try to make others believe) HijackThis is not a cure-all solution and it can cause a lot of damage if not used properly. Besides that risk, at EE we're trying to keep our databases free of the clutter caused by repeated posting of HJT Logs and are working on a general recommendation. These logs should only be posted after other solutions have been tried and then only when requested by a knowledgeable Expert. If you need it, you can get an online analysis of your HJT log at:

http://www.hijackthis.de/index.php?langselect=english

After that, we'll be glad to help with any other unresolved issues that may persist.

If you have identified a Trojan in your machine, you can download a 30-day trial version of Trojan Remover from:

http://www.gatesofdelirium.com/ee/tools/

Trojan Remover is a tool designed specifically to hunt down trojans and it's safe to use.

Good Vibes!

Lobo
 

Expert Comment

by:Babuska
ID: 12387705
A nice tool that I really like is Bazooka ;)

http://www.kephyr.com/spywarescanner/index.html

It's only a diagnostic tool, but that suits me perfectly. It's small and free, and they do provide info on how to remove the "pets".
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12589160
schplitters
 
LVL 6

Expert Comment

by:acmp
ID: 12591152
I'm with Lobo

acmp<><

Question has a verified solution.