Only the Best and other hijacks

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Scaryduke, Jul 18, 2004.

  1. Scaryduke

    Scaryduke Private E-2

    Hey, bit of a newbie at this, but copping home page hijacks and a lot of Only the Best pop-up ads. Tried Ad-aware, Spy Sweeper and started trying HijackThis. My log is attached. Can anyone help with what I should delete from the log below? Especially the O4's listed.
    Thanks heaps for any replies!

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mqhwe.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mqhwe.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mqhwe.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mqhwe.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mqhwe.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mqhwe.dll/index.html#37794
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {9647685F-668D-744B-560A-B905B504CC73} - C:\WINDOWS\cree32.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [netmg32.exe] C:\WINDOWS\system32\netmg32.exe
     
  2. TheLastMessenger

    TheLastMessenger Private E-2

    We need you to run HJT correctly:
    Create a folder where you would like the HijackThis file to reside -- like Programs/HJT. It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. If you run it out of a compressed file, like a zip file, instead of running it from a directory, the backups will not be made.

    You should first click on the Config button and check the last four of the five boxes.

    At times when you post your log to a message forum asking for assistance, the people helping may ask you to generate a listing of all the programs that automatically start on your computer. HijackThis has a built in tool that will allow you to do this.

    You will then click on the button labeled "Generate StartupList Log". Once you click that button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste these entries into a message and submit it with the new HJT log.

    First do these free online scans and post what it picked up, plus delete those that are found:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Second step is to make sure you have all the spyware programs below downloaded and UPDATED.

    Then do this:
    Showing hidden files; follow step by step:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Disable System Restore:
    http://www.pchell.com/virus/systemrestore.shtml
    If you got 2000 -- don't worry about System Restore:
    http://www.cts.duq.edu/content_pages/students/s_virus/s_virus_xprestore.html

    Boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406/

    Try running AdAware in safe mode --- Make sure you've already gotten the latest UPDATES (Open, then press the Check for Updates button) and apply the following settings:
    This is where you get Adaware --- http://www.majorgeeks.com/download506.html
    This is a link on how to run it --- http://www.lavahelp.com/howto/fullscan/index.html --- Or You can use the instructions here:
    Click on Start -- custom scanning options -- Customize.
    Check the following settings:
    Scan within archives
    Scan active processes
    Scan registry
    Deep scan registry
    Scan my IE Favorites for banned URL
    Scan my host-file
    Click on Tweak:
    Select -- Scanning Engine
    Check "Unload recognized processes during scanning"
    Check "Include additional Adaware settings in LogFile"
    Select -- Cleaning Engine
    Check "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"
    Then click "proceed" to save your settings.
    Click on Next then Scan. Everything AdAware finds is safe to delete.

    Run SpyBot Search and Destroy --- Make sure you have gotten the latest UPDATES (Open, then Search for Updates button)
    This is where you get SpyBot --- http://www.majorgeeks.com/download2471.html

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. You can also use Crapcleaner to help you clear out some stuff:
    This is where you get ccleaner --- http://www.majorgeeks.com/download4191.html

    Reboot

    Enable System Restore

    Run HJT and POST log --- Make sure you have the latest Updates/Versions (Open, Config, then MiscTools, and Check for Updates Online)
    This is where you get HJT --- http://www.majorgeeks.com/download3155.html

    There are also many other programs here that are very useful
    http://forums.majorgeeks.com/index.php?
     
  3. Scaryduke

    Scaryduke Private E-2

    OK, thanks for the direction. I will do this later today and post a reply then. Thanks again for the help.
     
  4. Scaryduke

    Scaryduke Private E-2

    This was my startup file from HJT. I am now running Trend Micro and Panda as instructed. I will keep going through your instructions.
    StartupList report, 19/07/04, 16:20:37
    StartupList version: 1.52.2
    Started from : C:\STEPHENP\stuff\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\addvn32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\Promon.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
    C:\WINDOWS\system32\netmg32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Office2K\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\STEPHENP\stuff\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
    World Time.lnk = C:\Program Files\World Time\worldtime.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    Synchronization Manager = mobsync.exe /logon
    Promon.exe = Promon.exe
    CreateCD50 = "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    WorkFlowTray = "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
    Opware14 = "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
    OpScheduler = "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
    PDF Converter Registry Controller = "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
    SSPrnAgent = C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
    OP14 Reminder = "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
    netmg32.exe = C:\WINDOWS\system32\netmg32.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\SPIDER~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\netum32.dll - {F985E118-14A8-36FC-B2DB-957E8D850A8F}

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINDOWS\system32\NETSHELL.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 6,019 bytes
    Report generated in 0.813 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  5. Scaryduke

    Scaryduke Private E-2

    Ok, ran trend micro house call. Got 4 issues, which I then deleted. They were:
    TROJ RAHITOR.A Non Cleanable C:\Recycler\Long address (I have it if required)
    TROJ EMT.A Non Cleanable C:\WINDOWS\DHUpdt.exe
    TROJ AGENT.AU Non Cleanable C:\WINDOWS\eycaqr.dat
    TROJ EMT.A Non Cleanable C:\WINDOWS\iepl.exe

    I wasn't sure how to copy the message to post it. But that is it.
    Does this help?

    I am running Panda now.
     
  6. TheLastMessenger

    TheLastMessenger Private E-2



    O.K. Let's delete all these -- when you boot in safe mode find and delete this -- C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    I'd also like to delete this -- 'C:\WINDOWS\system32\netmg32.exe' -- when we are in safe mode but I'm not sure about it, so I think I will wait to see what Chaslang or some others might say -- for now we'll kill it in Task Manager and pop it out of start-up by deleting its O4 entry in HJT.
     
  7. TheLastMessenger

    TheLastMessenger Private E-2

    Did you attempt to delete the files on Trendmicro scan??

    Anyway we're good. Go on with that -- then run HJT and delete those files and then continue with the directions from the first post -- hidden files, running Adaware, etc.
     
  8. Scaryduke

    Scaryduke Private E-2

    Hey, I have not had a chance to delete anything yet from the HJT log as you asked in your 2.10 message. But I did delete the Trojan items using Trend Micro. I then ran Panda (which found 0). Booted in safe mode (I have 2000 so I ignored the System Restore bits). Then Adaware and Spybot per the detailed instructions you gave. Cleaned out my temp files (although I didn't have CCleaner - I might try this later). Rebooted and ran both the startup list and HJT log. Both are below. I am reasonably sure addvn32.exe and netmg32.exe are problems and I tried to delete them in safe mode (well my Spy Sweeper did and they kept recurring). And I am still getting hijacks of my home page.
    Appreciate your continuing help. Thanks heaps!
    Just tell me what to do now!

    Startup list:
    StartupList report, 20/07/04, 8:56:59
    StartupList version: 1.52.2
    Started from : C:\STEPHENP\stuff\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\addvn32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\Promon.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
    C:\WINDOWS\system32\netmg32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\STEPHENP\stuff\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
    World Time.lnk = C:\Program Files\World Time\worldtime.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    Synchronization Manager = mobsync.exe /logon
    Promon.exe = Promon.exe
    CreateCD50 = "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    WorkFlowTray = "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
    Opware14 = "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
    OpScheduler = "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
    PDF Converter Registry Controller = "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
    SSPrnAgent = C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
    OP14 Reminder = "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
    netmg32.exe = C:\WINDOWS\system32\netmg32.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\SPIDER~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\netum32.dll - {F985E118-14A8-36FC-B2DB-957E8D850A8F}

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINDOWS\system32\NETSHELL.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 6,174 bytes
    Report generated in 0.578 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    AND HJT LOG:

    Logfile of HijackThis v1.98.0
    Scan saved at 8:57:36 , on 20/07/04
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\addvn32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\Promon.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
    C:\WINDOWS\system32\netmg32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\STEPHENP\stuff\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ndbzs.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.afl.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ndbzs.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ndbzs.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.afl.com.au
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {F985E118-14A8-36FC-B2DB-957E8D850A8F} - C:\WINDOWS\netum32.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
    O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
    O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
    O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
    O4 - HKLM\..\Run: [SSPrnAgent] C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
    O4 - HKLM\..\Run: [OP14 Reminder] "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [netmg32.exe] C:\WINDOWS\system32\netmg32.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
    O4 - Global Startup: World Time.lnk = C:\Program Files\World Time\worldtime.exe
    O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hrbl.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hrbl.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hrbl.net
     
  9. Scaryduke

    Scaryduke Private E-2

    Oh and just a note, still getting 'Only the Best' pop-up ads. Gotta luv it.
     
  10. TheLastMessenger

    TheLastMessenger Private E-2

    Download these, read instructions, and run:
    http://www.majorgeeks.com/download4286.html
    http://www.majorgeeks.com/download4289.html

    Also make sure you are physically disconnected from the internet (unplug cables)
    Make sure you're showing Hidden Files
    Search for these files in safe mode and right click them to see what they are related to--What turned up in last adaware -- it might have identified those two EXE's?
    addvn32.exe and netmg32.exe
    If they're not programs you're familiar with, delete them -- I'm pretty sure they can both go.

    Delete your temporary files
    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit -- Select All then Edit -- Delete to delete the entire contents of the Temp folder.
    Go to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and go to Edit -- Select All then Edit -- Delete to delete all the contents of the Temp folder.

    Then go to Control Panel -- Internet Options. On the General tab under 'Temporary Internet Files' Click 'Delete Files'. Put a check by 'Delete Offline Content' and click OK. Click on the Programs tab then click the 'Reset Web Settings' button. Click Apply then OK.

    Also make sure you've removed any suspect programs
    Run Adaware/like directions below, with updates, with hidden files showing, etc-- delete all-- then post new HJT

    Then make sure you have all Windows Critical Updates:
    http://v4.windowsupdate.microsoft.com/en/default.asp
     
  11. Scaryduke

    Scaryduke Private E-2

    OK think I have done all of that.
    Still getting home page hijacks. Haven't seen any popups yet.
    Below is my HJT log after reboot:
    Couple of points to note:
    - On reboot my machine hangs and I need to reboot again. On the second go it is always OK. Looking at Task Manager it seems there are a lot of exe's trying to run but getting nowhere. I think this is why it hangs??
    - I have a piece of software called Webroot Spy Sweeper and I am assuming this is a safe piece of software. It was net-free so now I am at least asking you about it. However it tells me every time there is a home page hijack and changes it back for me. Since reboot it is also complaining about 3 startup programs my PC wants to run and advises me to kill them (which I can't - they keep coming back). They are winkl.exe, mfcgg.exe, ietv.exe. It used to flag addvn32.exe and netmg32.exe but I think through the process you gave me they have been cleared.
    Where do I go now?

    Logfile of HijackThis v1.98.0
    Scan saved at 6:05:47 , on 20/07/04
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\Promon.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
    C:\WINDOWS\winkl.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\mfcgg.exe
    C:\STEPHENP\stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ndbzs.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.afl.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ndbzs.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ndbzs.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.afl.com.au
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8F8E7CD7-AC98-0D54-B7CD-428BEE678846} - C:\WINDOWS\ntfm32.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
    O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
    O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
    O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
    O4 - HKLM\..\Run: [SSPrnAgent] C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
    O4 - HKLM\..\Run: [OP14 Reminder] "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [netmg32.exe] C:\WINDOWS\system32\netmg32.exe
    O4 - HKLM\..\RunOnce: [mfcgg.exe] C:\WINDOWS\mfcgg.exe
    O4 - HKLM\..\RunOnce: [ietv.exe] C:\WINDOWS\system32\ietv.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
    O4 - Global Startup: World Time.lnk = C:\Program Files\World Time\worldtime.exe
    O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hrbl.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hrbl.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hrbl.net
     
  12. TheLastMessenger

    TheLastMessenger Private E-2


    SpySweeper's fine.
    Download ERUNT, which is a registry backup program:
    http://www.snapfiles.com/freeware/system/fwregtools.html

    -------------------------------------------------------------------------------------------------------------
    Then do this ---
    Show hidden files; follow step by step:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Now do CTRL+SHIFT+ESC, then click the Processes tab.
    In the list of running programs, locate the malware file(s) detected earlier.
    Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    Do the same for all detected malware files in the list of running processes.
    To check if the malware process has been terminated, close Task Manager, and then open it again.

    Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter. --- Or just right-click some open space on your desktop, click Make Shortcut, type regedit, and there's your Registry Editor.

    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    In the RIGHT panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier or related files.
    Also check for a randomly-named entry three or more letters long, pointing to a .EXE of the same name with the path in the Windows folder. Delete this registry entry and the file it points to.

    Then also in Registry Editor find the following key in the LEFT panel and delete it --
    HKEY_CLASSES_ROOT\CLSID\{EE464803-E151-01B7-D731-06103A520BC2}
    Close Registry Editor.
    Search for the following files and delete them; if one is running in Task Manager, kill it first:
    winkl.exe, mfcgg.exe, ietv.exe
    Also look for this -- SYSUPD.EXE which you might not find

    Do these free online scans and post what it picked up, plus delete those that are found:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Download Microsoft's Critical Updates and Patches:
    http://v4.windowsupdate.microsoft.com/en/default.asp
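    The checks in the reply above (a Run or RunOnce value pointing at a short, randomly named .EXE sitting directly in the Windows or System32 folder, and an unnamed BHO DLL dropped in the same place) can be applied mechanically to a HijackThis log instead of by eye. The script below is an added example, not HijackThis code and not something anyone posted in this thread. Its sample input is copied from the log posted earlier in the thread; the Windows-folder paths, the two-entry allowlist (SysTray.Exe and mobsync.exe, stock XP components that appear in that log) and the "random name" pattern are my own assumptions and will need tuning for other machines.

```python
"""Triage of HijackThis O2/O4 lines against the Windows-folder checks in the reply above.

Added example, not HijackThis code. Assumptions: XP-era paths (C:\WINDOWS and
C:\WINDOWS\system32), a small constructed allowlist, and a name heuristic of
3-8 letters plus up to two digits (netmg32, mfcgg, ietv, ntfm32).
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8F8E7CD7-AC98-0D54-B7CD-428BEE678846} - C:\WINDOWS\ntfm32.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [netmg32.exe] C:\WINDOWS\system32\netmg32.exe
O4 - HKLM\..\RunOnce: [mfcgg.exe] C:\WINDOWS\mfcgg.exe
O4 - HKLM\..\RunOnce: [ietv.exe] C:\WINDOWS\system32\ietv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: World Time.lnk = C:\Program Files\World Time\worldtime.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")

# Assumption: default XP install paths, as seen in the posted log.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Assumed allowlist: stock XP components that legitimately run from the Windows folder.
ALLOWLIST = {"systray.exe", "mobsync.exe"}

# Assumed "random name" heuristic: 3-8 lowercase letters, then at most two digits.
RANDOM_NAME_RE = re.compile(r"^[a-z]{3,8}\d{0,2}$")


@dataclass
class Finding:
    line: str    # the HijackThis line that triggered the finding
    path: str    # the file the entry points at
    reason: str  # why it was flagged


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run value's command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def split_path(path: str):
    """Split a Windows path into (directory, stem, extension), all lower-cased."""
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    if "." in base:
        stem, _, ext = base.rpartition(".")
    else:
        stem, ext = base, ""
    return directory, stem, ext


def triage(log: str) -> list:
    """Return a Finding for every O2/O4 line that matches the Windows-folder checks."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            directory, stem, _ = split_path(m["path"])
            if m["name"] == "(no name)" and directory in WINDOWS_DIRS and RANDOM_NAME_RE.match(stem):
                findings.append(Finding(line, m["path"],
                                        "unnamed BHO DLL in Windows folder; remove CLSID " + m["clsid"]))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_from_command(m["cmd"])
            directory, stem, ext = split_path(exe)
            base = f"{stem}.{ext}" if ext else stem
            if base in ALLOWLIST:
                continue
            if directory in WINDOWS_DIRS and ext == "exe" and RANDOM_NAME_RE.match(stem):
                findings.append(Finding(line, exe,
                                        f"{m['hive']} {m['key']} value [{m['label']}] runs a random-named EXE from the Windows folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}\n    {f.reason}\n    {f.line}")
```

    Run it against a saved HijackThis log with `triage(open("hijackthis.log").read())`. It only flags; deleting the registry values and files is still the manual step described above, after the running process has been killed, and anything it flags that lives under a vendor directory or on the allowlist should be looked at by hand before removal.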
     
  13. Scaryduke

    Scaryduke Private E-2

    Didn't do exactly as your last message said. But following most of what you have advised and.....appear to be free of all at the moment. Yay! Thanks heaps. Highly recommend using safe mode and HJT. Will be erecting monument in your honour today. I note that Spysweeper can be a bit of a trap as it detects when you change settings and often asks you if you want to change them back. I think on some occasions I was putting back the same stuff I was erasing with Ad-aware and HJT.
    Thanks heaps. Hope that stuff stays away.
    Major Geeks rule. And it did megahurt.
     
  14. TheLastMessenger

    TheLastMessenger Private E-2

    This is good. Still it would be nice to see another HijackThis log to see if we're done. Glad it's going good though.
     
