TheTechGuide Forum
General Category => Tech Clinic => Topic started by: helperdad on December 12, 2004, 12:59:47 AM
-
I can't figure out how to eliminate my computer bypassing my desktop with a black screen about spyware that opens up a web site topantispyware.com
Here is my Hijack file - please help.
thanks
Logfile of HijackThis v1.98.2
Scan saved at 10:50:12 PM, on 12/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\HJT\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\wcua.exe
O16 - DPF: {11111111-1111-1111-1111-111111114457} - file://c:\ied_s7m.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/6/files.chm::/file.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB
-
I see you have Spybot installed, good move
Ensure you have the latest version of Ad-aware also
Download and install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version
If you don't have this version, install this one
After installation-CHECK FOR UPDATES
Allow to download updates
Don't run a Scan yet
Set Windows to Show Hidden Files and Folders (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
You may want to print this out or save it to a notepad file on desktop
RESTART your computer into SAFE MODE
You can do this by tapping the F8 key on your keyboard as your system is rebooting
or go to START>>RUN>>type in msconfig and hit Enter
Under the Boot.ini tab put a check in Safeboot
Ok it and close it out
In safe mode find and delete these files or folders if they exist
C:\WINDOWS\System32\runsrv32.exe <--file
Stay in safe mode---Do another scan with Hijackthis and put a check next to these entries if they exist
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\wcua.exe
O16 - DPF: {11111111-1111-1111-1111-111111114457} - file://c:\ied_s7m.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/6/files.chm::/file.exe
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/n...slv32_EN_XP.cab
After you have ticked the above entries, close down all other open windows, leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Do a DiskCleanup>>START----Run---type in cleanmgr
Ensure that Temp and Temporary Internet Files are checked
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
Stay in Safe Mode and open Ad-Aware (ensure you checked for updates earlier)
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART back into Normal mode
Post back a fresh Hijackthis log and let me know if you're having any problems
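The reply above triages the posted log by hand: R0/R1 entries whose search page was redirected, O2 BHOs whose DLL is missing, the RunOnce entry loading an unknown executable from System32, and O16 DPF entries that load from file:// or ms-its: instead of http. The following Python script is an added example, not part of this thread and not HijackThis code, that applies those same checks to log lines in the HijackThis format. The sample lines are constructed to mirror the posted log, and the allow-list of known-good start/search hosts is an assumption for the example.

```python
"""Triage HijackThis-style log lines with the checks used in the thread (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption for this example: hosts a browser start/search page is expected to point at.
KNOWN_GOOD_HOSTS = {"www.google.com", "google.com", "www.msn.com"}

# Constructed sample lines in the format of the log posted in the thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\wcua.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/6/files.chm::/file.exe
"""

# Every HijackThis entry starts with a section tag such as R0, R1, O2, O4, O16.
LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")


def _host_of(value):
    """Return the hostname of a start/search page value; bare hostnames are allowed."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def triage_line(line):
    """Apply the thread's checks to one line; return a finding dict or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    finding = None
    if sec in ("R0", "R1"):
        # Body looks like "HKCU\...\Internet Explorer,SearchURL = http://..."
        _, _, value = body.partition(" = ")
        host = _host_of(value)
        if host and host not in KNOWN_GOOD_HOSTS:
            finding = ("high", f"start/search page redirected to unknown host {host}")
    elif sec == "O2":
        # A BHO registration whose DLL no longer exists is an orphaned entry.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            finding = ("medium", "BHO registered but its DLL is missing")
    elif sec == "O4":
        # RunOnce is only legitimately populated transiently (installers), so review it.
        if "RunOnce:" in body:
            finding = ("medium", "RunOnce autostart entry; verify the target executable")
    elif sec == "O16":
        # Body looks like "{GUID} (Name) - URL"; ActiveX downloads should come over http(s).
        url = body.rsplit(" - ", 1)[-1].strip()
        scheme = url.split(":", 1)[0].lower()
        if scheme not in ("http", "https"):
            finding = ("high", f"ActiveX download uses {scheme}: instead of http(s)")
    if finding is None:
        return None
    severity, reason = finding
    return {"section": sec, "severity": severity, "reason": reason, "line": line.strip()}


def triage(log_text):
    """Run triage_line over a whole log and return findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:3} {f['reason']}")
        print(f"         {f['line']}")
    print(summarize(triage(SAMPLE_LOG)))
```

The checks are deliberately conservative: they flag entries for review rather than declare them malicious, because a RunOnce entry or a BHO with a missing file can also be left behind by a half-finished uninstall. Anything flagged still gets the same treatment the reply gives: confirm the file in Safe Mode, then fix the entry.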
-
Hi,
I have had this problem and didn't know how or where it came from. After carrying out EVERY kind of spyware, malware, trojan etc check including hijack this, I still had the problem.
I have antivirus, firewall, anti spyware all running but still got the infection.
After following every thread I could find in forums I still could not get rid of it until I right clicked on the desktop and chose properties. This pointed to a file on the C drive in the "WEB" folder and a file in there called "desktop.html". After looking at this in notepad I could see the HTML for the page. I tried editing the HTML and saving the file. After restarting, it had gone from the desktop but displayed a grey background.
I then went to "CONTROL PANEL" - "DISPLAY" - and chose "desktop". I then clicked on "CUSTOMIZE DESKTOP" and then clicked on the "WEB" tab. In that was a box called "Security" that had a tick next to it. After unticking the box and restarting the PC the desktop had returned to normal.
Thanks guys for everyone who has posted something in these threads as I now have a very strong wall of protection on my PC after installing and running "HiJackThis", "Spybot", "Trojan Hunter" and "SpySubtract" oh and "SpyGuard" and "Spyware Blaster".
I advise running all of these and in SAFEMODE too. After it is all clear follow the above to get your desktop back and then turn SYSTEM RESTORE back on and hey presto............ everything is normal.
Thanks again.
-
Here's some additional information for removing this Nasty if anyone has this particular problem
This is supplied by Trend Micro
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Desktop>Components
3. Still in the left panel, locate and delete the subkey:
0
4. Close Registry Editor.
Using Windows Explorer, locate and delete the following files:
Do a search for the bolded files
• %Windows%\desktop.html
• %Windows%\SSICO.ICO
• %Root%\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
• %Root%\Documents and Settings\<current user>\Favorites\! Smart Security.url
• %Root%\Documents and Settings\<current user>\Recent\! Smart Security.url
• %Root%\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url
After that is done, Restart your computer
Post a Hijackthis log in this forum to get rid of any other nasties that may be present
Hope this helps
-
Excellent and THANK YOU again. Just done a search for these babies and found the HTML file in two locations and one of the URL files too.
I think and hope that all is now deleted and gone for good.
Thank you to all and everyone. This information should be included in
every anti-spy, malware site etc. I found only one page on GOOGLE.com when
searching for advice about this and then I used the term "remove topantispyware" to find the info that I found.
I am going to put a dedicated page on my site that contains the methods used here to help people who have this problem.
Thanks again.
-
The first thing one should do when they get bit by topantispyware is to FILE A COMPLAINT with www.ifccfbi.gov, tell them when you were infected and fill out the complaint form, let the FEDS nail these bums to the wall, they're looking for hackers infecting systems. I just got infected so now I have to find a way to get rid of this crud.