Can't fix O1 with Hijack This

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nhall, Jan 1, 2005.

  1. nhall

    nhall Private E-2

    I have gotten spammed with a lot of spyware.

    Have run Spybot, System Mechanic, Spy Sweeper, Ad-aware (although it seems to get worse after running Ad-aware) and McAfee.

    I have used regedit to delete the values for a lot of the redirected sites I see popping up. But I do not understand if this actually does anything. Can I delete the line in my registry? I see a lot of lines in the domain section that I would like to be rid of.

    It has improved but I can't get rid of a few spyware. None of the above programs has been able to get rid of these.

    Mydietpatches
    Coolwww
    shareonline
    look2me
    search.netscape.com
    auto.search.com
    ieautosearch

    I have run HijackThis and have fixed a lot of the registry. I am not able to get rid of any of the O1 - Hosts file redirection. I think those are the biggest problems.

    A copy of my HijackThis log file is below. Can someone help me?

    Thank you


    Logfile of HijackThis v1.99.0
    Scan saved at 10:17:29 AM, on 1/1/2005
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\crypserv.exe
    C:\WINNT\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINNT\System32\vyyvqg.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINNT\system32\TBCTRAY.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\SYSTEM32\rundll32.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\NHALL~1.NOR\LOCALS~1\Temp\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\TBCTRAY.EXE
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://my.yahoo.com/
    O14 - IERESET.INF: MS_START_PAGE_URL=http://my.yahoo.com/
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alliant.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alliant.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alliant.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = alliant.com
    O23 - Service: Aluria Spyware Eliminator Service - Unknown - C:\Program Files\Aluria Software\ASE\ASEServ.exe
    O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
     
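    The O1 lines in the log above show the classic hosts-file hijack: one public address (69.20.16.183) is mapped to several search-engine hostnames, so the browser never reaches the real sites. The script below is an added example, not part of the original post or of HijackThis. It parses a hosts file in the Windows format (on Windows 2000 the live file is %SystemRoot%\system32\drivers\etc\hosts) and reports any public address that overrides DNS, grouped by address so a single hijack IP covering many names stands out. The sample text is constructed to mirror the posted O1 entries; the loopback and LAN lines are there to show what is left alone.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file, modelled on the O1 lines in the posted log.
# The comment, the duplicate line and the LAN entry are there to exercise
# the parser; only 69.20.16.183 and its names come from the log itself.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
69.20.16.183    ieautosearch   # duplicate line, as in the log
192.168.1.10    printer.lan
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples for every mapping in a hosts file.

    Blank lines and '#' comments are skipped, and one line may list several
    hostnames after the address, as the hosts format allows.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address; a real scanner would report it
        for name in parts[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def classify(ip_str):
    """Heuristic severity for a hosts-file address (assumption made here, not a standard)."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback or ip.is_unspecified:
        return "ok"          # localhost / ad-blocking style entries
    if ip.is_private or ip.is_link_local:
        return "review"      # LAN names; legitimate on many networks
    return "suspicious"      # public address overriding DNS: the hijack pattern


def find_redirects(text):
    """Map each public IP found in the hosts file to the sorted hostnames it captures."""
    hits = defaultdict(set)
    for ip, name, _ in parse_hosts(text):
        if classify(ip) == "suspicious":
            hits[ip].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}


def report(text):
    """One human-readable line per hijacking address."""
    return [
        f"{ip} overrides DNS for {len(names)} name(s): {', '.join(names)}"
        for ip, names in find_redirects(text).items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_HOSTS):
        print(line)
```

    Running it on the sample prints a single line naming 69.20.16.183 and the three captured hostnames; the duplicate entry collapses into one. To check a real machine, read the live hosts file into `report()` instead of `SAMPLE_HOSTS`. Removing the flagged lines (or restoring a hosts file that contains only the localhost entry) is what fixing the O1 items amounts to; if they come back after a reboot, something still running is rewriting the file, which is why the later replies in this thread ask for the full cleanup steps first.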
  2. Novice

    Novice MajorGeek

    Several of your problems are apparent from looking at your file, but I prefer to wait for one of the more experienced forum members that deal with these problems daily. Any wrong advice/suggestions that I could give would probably make your problem worse. :)
     
  3. TheDoug

    TheDoug MajorGeek

    These two, among a few others, are suspicious:

    C:\WINNT\System32\vyyvqg.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe

    You should go to the top of the Spyware forum and read the stickies about what steps to perform before posting a HijackThis log. The first is: don't post an unrequested log, especially inline. The problem is that the web is saturated with posted HJT logs, so when you go to search a process name to see if it is indeed malware, you end up only wading through tons of other people's HJT logs.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    ALWAYS ATTACH LOGS TO YOUR POST AS AN ATTACHMENT. THIS LOG WILL BE DELETED. PLEASE FOLLOW ALL GUIDELINES!

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
