Solved

Internet Hijackers

Posted on 2004-09-26
425 Views
Last Modified: 2008-02-26
My problem is pretty much like a lot of other ppl on here.  I can't do a thing on my computer (while on the internet) without being redirected to an illegitimate search engine.  I have purchased and used so many different programs.  I have used spysweeper, Ad-Aware, Shredder, Hijack This, and just countless others for apparently no reason!!  I have coolwebsearch, super-spider, and some windowws blah blah blah id=all kinds of numbers.  I have even had so called technical support only for their suggestions not to work.  I have gone into my internet settings numerous times to delete and change things around.  This problem just will not go away.  It's ridiculous!  

I am curious if this has anything to do with my problem....

Months ago I had a different internet service provider from what I currently have.   I believe I received my spyware while I was using their service.  Well when I go on the ie now on the top bar where it says MIE provided by, it still has my old internet service provider as the provider even though I have deleted it in the internet connection options.  When I scan with hijack, etc.  I see that the provider is still on my computer even when I can't find it when I do a search on it.

At this point I am truly lost, and completely frustrated!!  Does spyware ever get to a computer so bad that it's just completely worthless to even bother anymore???

Help lol!
Question by:courtneylozar
17 Comments
 
LVL 12

Expert Comment

by:rossfingal
ID: 12157625
Hi!

Well, it certainly sounds like you have some problems.
Since you say you've run HijackThis, could you run it and post a log file here so we can take a look at it?
Make sure before you run it that you have the option to "show all files and folders, including hidden and system" enabled.
Also, make sure all browser windows are closed.

Good luck!
RF
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12157813
Are u using WinME\XP ??
if YES then did u ever turn off ur System Restore before cleaning ur System, and did u run all those removal tools in safemode ??
if NO then do it this time,,,,, and then check if any progress ??

Also did u use the Latest version of hijackthis, i.e 1.98.2 ??
if NO then get it from here >> http://tools.radiosplace.com/HijackThis.exe
Download and run it, and save its LOG file,

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 
LVL 17

Accepted Solution

by:
Lobo042399 earned 168 total points
ID: 12157966
Hi Courtney,

In plain English, HijackThis is a very powerful tool that, if used incorrectly, can cause more damage than good to your machine. I would recommend the use of other tools and leave HijackThis alone for the moment. If you want to use it, however, before hitting the Fix button, make sure that every item in the list is something you did not install and/or you can recognize as part of the problem. If you're not sure about an item, do not check it.

Most hijackers these days are of the CWS (CoolWebSearch) type, or variations of it. A safer way to deal with most of those is by using CoolWebShredder. If that's what you meant by "Shredder" in your Question, then I would make sure that: You disabled System Restore before running it, and you ran it in Safe Mode. That can make a big difference in the result. If you did not mean CoolWebShredder, then you can download it from:

http://www.gatesofdelirium.com/ee/tools/

Make sure you update it before running it.

Manual removal instructions for Super Spider can be found at:

http://www.pestpatrol.com/pestinfo/s/super-spider.asp

Make sure you follow them to the letter. It is a good idea to make a printout of these instructions to keep handy.

Good Vibes!

Lobo
0
 
LVL 6

Assisted Solution

by:acmp
acmp earned 166 total points
ID: 12163634
Just because I didn't see it above...

You don't need to worry about the 'Provided by' on your IE, it's just a string in the registry and won't affect anything at all.

The value is stored at 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\'; just edit or delete the 'Window Title' value.

Hope this offers some peace.

acmp<><
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12163866
Hi acmp,

I remember using that Registry Key to play a prank or two on a friend a while back. ;o)

Good Vibes!

Lobo
0
 
LVL 6

Expert Comment

by:acmp
ID: 12167145
LoBo

Happy days eh!

acmp<><
0
 

Author Comment

by:courtneylozar
ID: 12173713
Thanks to all of you for your suggestions.  I very much appreciate it.  First..here is the log from the Hijack This scan I performed:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\REALTIME.EXE
C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

Now I followed your suggestions, and ran the programs I have in safe mode.  I also went to the suggested website to make sure the items I was thinking of deleting were "Nasty".  I deleted these nasty ones, and then restarted my computer.  I ran the Hijack This again, and they reappeared.

Also...what is w32.HLL.Gaotc.:windows\system\system.exe  ---I have a few of these on my computer...they don't come off either.

0
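As an added example (it is not part of this thread and not HijackThis's own code), here is a small Python script that parses the log format Courtney posted above and picks out the kinds of entries the experts single out for research before anything is fixed: a start page pointing at a host the owner does not recognise (R0/R1), an unnamed BHO (O2), an autorun executable dropped into the Windows system directory (O4), an IE policy restriction (O6) and an ActiveX download (O16). The sample lines are copied from the posted log, with one benign O4 line kept for contrast; the trusted-host list and the flagging heuristics are assumptions made for the example, so a hit means "look this up", not "delete it".

```python
"""Triage HijackThis-style log lines: list the entries worth researching."""
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlparse

# Sample input copied from the log posted in this thread (plus one benign
# O4 line). Running-process lines are not needed and are skipped anyway.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
"""

# Assumption for the example: the owner expects only the ISP start page.
TRUSTED_HOSTS: Set[str] = {"start.earthlink.net"}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


def _host_of(text: str) -> str:
    """Return the lower-cased host of the first URL in the text, or ''."""
    m = URL_RE.search(text)
    if not m:
        return ""
    return (urlparse(m.group(0)).hostname or "").lower()


def triage(log_text: str, trusted_hosts: Set[str] = TRUSTED_HOSTS) -> List[Finding]:
    """Return the log entries a reader should research before fixing them.

    The heuristics are assumptions chosen for this example, not HijackThis
    rules; they mirror the reasoning the experts applied in the thread.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and the "Running processes" block
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            host = _host_of(body)
            if host and host not in trusted_hosts:
                findings.append(Finding(section, f"start/search page set to untrusted host {host}", raw))
        elif section == "O2" and "(no name)" in body:
            findings.append(Finding(section, "browser helper object with no name", raw))
        elif section == "O4":
            path = PATH_RE.search(body)
            if path and "\\WINDOWS\\SYSTEM\\" in path.group(0).upper():
                findings.append(Finding(section, "autorun executable placed in the Windows system directory", raw))
        elif section == "O6":
            findings.append(Finding(section, "Internet Options restricted by a policy key", raw))
        elif section == "O16":
            host = _host_of(body)
            if host not in trusted_hosts:
                findings.append(Finding(section, f"ActiveX control downloaded from {host}", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.raw}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())` and put the hosts you actually expect into `trusted_hosts`; the point is to shorten the list you then research, exactly as the advice above says to do before pressing Fix.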
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 166 total points
ID: 12173857
u still need to fix these lines !!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XZS0P31VFW.DLL
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

and abt windows\system\system.exe, well it can be related to some trojan or worm..... so give a try to running Stinger in Safemode ==> http://vil.nai.com/vil/stinger

check if it comes up with anything or not ??
0
 

Author Comment

by:courtneylozar
ID: 12174244
Hello.  I ran the stinger, and nothing showed up.  I ran this and the hijack this in safe mode, then restarted my computer.  Ran Hijack this again...and the ones you told me to remove are still there =/
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12174361
can u see this process >> O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
this is the culprit one, its related to Trojan.Win32.Krepper...... did u delete it manually from ur machine ??

if NO then check here how to get rid of it >> http://www.pestpatrol.com/pestinfo/t/trojan_win32_krepper.asp
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12175974
Hi Courtney,

Contrary to what many believe (or try to make others believe) HijackThis is not a cure-all solution and it can cause a lot of damage if not used properly. Besides that risk, at EE we're trying to keep our databases free of the clutter caused by repeated posting of HJT Logs and are working on a general recommendation. These logs should only be posted after other solutions have been tried and then only when requested by a knowledgeable Expert. If you need it, you can get an online analysis of your HJT log at:

http://www.hijackthis.de/index.php?langselect=english

After that, we'll be glad to help with any other unresolved issues that may persist.

If you have identified a Trojan in your machine, you can download a 30-day trial version of Trojan Remover from:

http://www.gatesofdelirium.com/ee/tools/

Trojan Remover is a tool designed specifically to hunt down trojans and it's safe to use.

Good Vibes!

Lobo
0
 

Expert Comment

by:Babuska
ID: 12387705
A nice tool that I really like is bazooka ;)

http://www.kephyr.com/spywarescanner/index.html

It's only a diagnostic tool, but that suits me perfectly. It's small and free, and they do provide info on how to remove the "pets".
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12589160
schplitters
0
 
LVL 6

Expert Comment

by:acmp
ID: 12591152
I'm with Lobo

acmp<><
0