  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 438

Internet Hijackers

My problem is pretty much like a lot of other ppl on here.  I can't do a thing on my computer (while on the internet) without being redirected to an illegitimate search engine.  I have purchased and used so many different programs.  I have used spysweeper, Ad-Aware, Shredder, Hijack This, and just countless others for apparently no reason!!  I have coolwebsearch, super-spider, and some windowws blah blah blah id=all kinds of numbers.  I have even had so called technical support only for their suggestions not to work.  I have gone into my internet settings numerous times to delete and change things around.  This problem just will not go away.  It's ridiculous!  

I am curious if this has anything to do with my problem....

Months ago I had a different internet service provider from what I currently have.   I believe I received my spyware while I was using their service.  Well when I go on the ie now on the top bar where it says MIE provided by, it still has my old internet service provider as the provider even though I have deleted it in the internet connection options.  When I scan with hijack, etc.  I see that the provider is still on my computer even when I can't find it when I do a search on it.

At this point I am truly lost, and completely frustrated!!  Does spyware ever get to a computer so bad that it's just completely worthless to even bother anymore???

Help lol!
Asked by: courtneylozar

rossfingal Commented:
Hi!

Well, it certainly sounds like you have some problems.
Since you say you've run HijackThis, could you run it and post a log file here and we'll take a look at it.
Make sure before you run it that you have the option to "show all files and folders, including hidden and system" enabled.
Also, make sure all browser windows are closed.

Good luck!
RF

SheharyaarSaahil Commented:
Are u using WinME\XP ??
if YES then did u ever turn off ur System Restore before cleaning ur System, and did u run all those removal tools in safemode ??
if NO then do it this time,,,,, and then check if any progress ??

Also did u use the Latest version of hijackthis, i.e 1.98.2 ??
if NO then get it from here >> http://tools.radiosplace.com/HijackThis.exe
Download and run it, and save its LOG file,

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)

Lobo042399 Commented:
Hi Courtney,

In plain English, HijackThis is a very powerful tool that, if used incorrectly, can cause more damage than good to your machine. I would recommend the use of other tools and leave HijackThis alone for the moment. If you want to use it, however, before hitting the Fix button, make sure that every item in the list is something you did not install and/or you can recognize as part of the problem. If you're not sure about an item, do not check it.

Most hijackers these days are of the CWS (CoolWebSearch) type, or variations of it. A safer way to deal with most of those is by using CoolWebShredder. If that's what you meant by "Shredder" in your Question, then I would make sure that: You disabled System Restore before running it, and you ran it in Safe Mode. That can make a big difference in the result. If you did not mean CoolWebShredder, then you can download it from:

http://www.gatesofdelirium.com/ee/tools/

Make sure you update it before running it.

Manual removal instructions for Super Spider can be found at:

http://www.pestpatrol.com/pestinfo/s/super-spider.asp

Make sure you follow them to the letter. It is a good idea to make a printout of these instructions to keep handy.

Good Vibes!

Lobo
 
acmp Commented:
Just because I didn't see it above...

You don't need to worry about the 'Provided by' on your IE, it's just a string in the registry and won't affect anything at all.

The value is stored at 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\' just edit or delete the 'Window Title' value.

hope this offers some peace.

acmp<><

Lobo042399 Commented:
Hi acmp,

I remember using that Registry Key to play a prank or two on a friend a while back. ;o)

Good Vibes!

Lobo

acmp Commented:
LoBo

Happy days eh!

acmp<><

courtneylozar (Author) Commented:
Thanks to all of you for your suggestions.  I very much appreciate it.  First..here is the log from the Hijack This scan I performed:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\REALTIME.EXE
C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

Now I followed your suggestions, and ran the programs I have in safe mode.  I also went to the suggested website to make sure the items I was thinking of deleting were "Nasty".  I deleted these nasty ones, and then restarted my computer.  I ran the Hijack this again, and they reappeared.

Also...what is w32.HLL.Gaotc.:windows\system\system.exe  ---I have a few of these on my computer...they don't come off either.

SheharyaarSaahil Commented:
u still need to fix these lines !!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

and abt windows\system\system.exe, well it can be related to some trojan or worm..... so give a try to running Stinger in Safemode ==> http://vil.nai.com/vil/stinger

check if it comes up with anything or not ??

courtneylozar (Author) Commented:
Hello.  I ran the stinger, and nothing showed up.  I ran this and the hijack this in safe mode, then restarted my computer.  Ran Hijack this again...and the ones you told me to remove are still there =/

SheharyaarSaahil Commented:
can u see this process >> O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
this is the culprit one, its related to Trojan.Win32.Krepper...... did u delete it manually from ur machine ??

if NO then check here how to get rid of it >> http://www.pestpatrol.com/pestinfo/t/trojan_win32_krepper.asp
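
Added example (not part of the thread and not any poster's code): a small Python check for the situation described above, where entries fixed in HijackThis are back in the next scan. It reports which fixed entries reappear and whether the file an entry points to is listed under "Running processes"; the rescan text is constructed from lines posted in the thread, and the function names are illustrative.

```python
import re

# Constructed rescan: a subset of the log lines posted in this thread,
# assumed to read the same after the reboot (the poster says they came back).
RESCAN = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
"""
# Entries that were checked and fixed before the reboot (three of those listed above).
FIXED = [l for l in RESCAN.splitlines()
         if l.startswith(("R0 ", "O2 ")) or "[romahere]" in l]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # section code, then details
PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx)', re.I)

def parse(log):
    """Return (upper-cased running process paths, set of entry detail strings)."""
    running, entries, in_procs = set(), set(), False
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False
            entries.add(m.group(2))
        elif in_procs and line:
            running.add(line.upper())
    return running, entries

def reappeared(fixed_lines, rescan_log):
    """List (code, file path or None, is_running) for fixed entries seen again."""
    running, entries = parse(rescan_log)
    out = []
    for line in fixed_lines:
        m = ENTRY.match(line.strip())
        if not m or m.group(2) not in entries:
            continue  # not in the rescan: the fix held
        target = PATH.search(m.group(2))
        path = target.group(0) if target else None
        out.append((m.group(1), path, bool(path) and path.upper() in running))
    return out

if __name__ == "__main__":
    for code, path, live in reappeared(FIXED, RESCAN):
        print(code, path or "(no file path)", "RUNNING" if live else "")
```

An entry reported as running points at a file that is still loaded while the scan is made, which is why the thread's advice is to work in Safe Mode and remove the file itself. A BHO DLL is loaded inside the browser, so it will not show up in the process list even when active.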

Lobo042399 Commented:
Hi Courtney,

Contrary to what many believe (or try to make others believe) HijackThis is not a cure-all solution and it can cause a lot of damage if not used properly. Besides that risk, at EE we're trying to keep our databases free of the clutter caused by repeated posting of HJT Logs and are working on a general recommendation. These logs should only be posted after other solutions have been tried and then only when requested by a knowledgeable Expert. If you need it, you can get an online analysis of your HJT log at:

http://www.hijackthis.de/index.php?langselect=english

After that, we'll be glad to help with any other unresolved issues that may persist.

If you have identified a Trojan in your machine, you can download a 30-day trial version of Trojan Remover from:

http://www.gatesofdelirium.com/ee/tools/

Trojan Remover is a tool designed specifically to hunt down trojans and it's safe to use.

Good Vibes!

Lobo

Babuska Commented:
A nice tool that I really like is bazooka ;)

http://www.kephyr.com/spywarescanner/index.html 

It's only a diagnostic tool, but that suits me perfectly. It's small and free, and they do provide info on how to remove the "pets".

Lobo042399 Commented:
schplitters

acmp Commented:
I'm with Lobo

acmp<><