need help with spyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hazza07, Oct 4, 2004.

  1. hazza07

    hazza07 Private E-2

    A few days ago I think I was hijacked. Whenever I go into Internet Explorer, instead of my home page opening I get a site a-search.biz. I also can't go forward or back from web pages and I can't click on links without the site coming up. I've tried several scans etc. including Ad-Aware, Spybot
    S&D, About:Buster, Kill2Me, Stinger and CCleaner. I only have Windows 98 so Shredder doesn't work. I followed the steps, i.e. in safe mode etc., but I have had no success. I've done HijackThis but I don't have a clue what to delete. I looked at the page by chaslang but I'm really no good with computers and it doesn't make much sense to me.
    Help would be greatly appreciated.
     
  2. jarcher

    jarcher I can't handle a title

  3. hazza07

    hazza07 Private E-2

    Yes, they're the steps that I went through before. Some of the programs didn't work though, but I did all I could that it asked.
     
  4. jarcher

    jarcher I can't handle a title

  5. jarcher

    jarcher I can't handle a title

    Attach your HJT log as a .txt file
    and let's have a look.
     
  6. hazza07

    hazza07 Private E-2

    Edit by chaslang: Inline log changed to an attachment.
     

    Attached Files:

    Last edited by a moderator: Oct 4, 2004
  7. jarcher

    jarcher I can't handle a title

    Fix these:

    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -{f760cb9e-c60f-4a89-890e-fae8b849493e}

    For next time:
    when you click Reply, go Advanced
    and scroll down to where it says Manage Attachments
    and upload your log file that is saved as a .txt file.


    The second link I posted explains that, and that you need to quit any application you can live without for a while
    (i.e. tray items, Explorer browsers etc.),

    then run HJT.

    Shut everything you don't need right now and run it again.
    If you don't know how to save it as a .txt, just ask.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jarcher,

    For both WildTangent and P2P Networking, you should first look in Add/Remove programs for an uninstall. Usually one exists.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would also suggest removal of Messenger Plus! 2 because it installs malware and LOP.

    I question whether these process and HJT lines are valid. We need to investigate what these are but I don't believe they are good:
    C:\WINDOWS\SYSTEM\DLHAPBPE.EXE
    C:\WINDOWS\SYSTEM\MSHELP32.EXE
    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPA2C2.TMP
    O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\SYSTEM\mshelp32.exe
    O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\DLHAPBPE.exe



    Have HijackThis fix these 3 lines:
    O9 - Extra button: OzEmail - {19B51440-158C-11D5-BF45-A5D6B280723B} - http://www.ozemail.com.au (file missing) (HKCU)
    O9 - Extra button: Anzwers - {19B51441-158C-11D5-BF45-A5D6B280723B} - http://www.anzwers.com.au (file missing) (HKCU)
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -


    Questions:
    Are these your expected pages:
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.terra.es/personal8/robrimer/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal8/robrimer/search.html
     
  10. Kodo

    Kodo SNATCHSQUATCH

    Chas,
    the MSHELP32 is a RAT. Not sure about the other two but they do look sketchy.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks Kodo! I was pretty sure of that.

    Hazza07,
    Here is what you need to do with those lines:

    Make sure viewing of hidden files is enabled.
    Boot in safe mode.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (if you see them):
    DLHAPBPE
    MSHELP32

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPA2C2.TMP
    O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\SYSTEM\mshelp32.exe
    O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\DLHAPBPE.exe

    Use Windows Explorer to delete the following files:
    C:\WINDOWS\TEMP\APPA2C2.TMP
    C:\WINDOWS\SYSTEM\DLHAPBPE.EXE
    C:\WINDOWS\SYSTEM\MSHELP32.EXE

    Boot in normal mode and let us know how things went and how your PC is working. Post another HJT log as a .txt file attachment (you did not do that correctly last time and I fixed it for you).
     
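    As an added illustration, not part of the thread and not HijackThis code: a small Python helper that applies the rules the replies above use by eye (autostart from a TEMP file, an O4 label that does not match its binary, an O9 button whose file is missing, an O16 entry with no download URL, a search page to confirm) to the log lines quoted in this thread. The sample log is constructed from those lines; the heuristics are assumptions drawn from this thread, not a published rule set.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in this thread.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer,SearchURL = http://www.terra.es/personal8/robrimer/search.html
O4 - HKLM\\..\\Run: [Pcsv] C:\\WINDOWS\\system32\\pcs\\pcsvc.exe
O4 - HKLM\\..\\Run: [Prein] C:\\WINDOWS\\TEMP\\APPA2C2.TMP
O4 - HKLM\\..\\Run: [mshelp32] C:\\WINDOWS\\SYSTEM\\mshelp32.exe
O4 - HKLM\\..\\RunServices: [DNSCache] C:\\WINDOWS\\SYSTEM\\DLHAPBPE.exe
O9 - Extra button: OzEmail - {19B51440-158C-11D5-BF45-A5D6B280723B} - http://www.ozemail.com.au (file missing) (HKCU)
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
"""

O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
O16_RE = re.compile(r"^DPF: (\{[^}]+\})(.*?)\s*-\s*(.*)$")
R1_RE = re.compile(r"^(.+?) = (\S+)$")


def triage(log_text):
    """Return (kind, item, reason) tuples for lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        kind, body = line.split(" - ", 1)
        if kind == "O4" and (m := O4_RE.match(body)):
            hive, key, label, cmd = m.groups()
            exe = cmd.split()[0].lower()            # first token is the launched file
            stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\temp\\" in exe or exe.endswith(".tmp"):
                findings.append((kind, label, "autostart from a TEMP file"))
            elif label.lower() not in stem:         # e.g. [DNSCache] -> DLHAPBPE.exe
                findings.append((kind, label, f"label does not match binary {stem} ({key})"))
        elif kind == "O9" and "(file missing)" in body:
            findings.append((kind, body.split(" - ", 1)[0], "dead entry, target file missing"))
        elif kind == "O16" and (m := O16_RE.match(body)):
            clsid, _name, url = m.groups()
            if not url.lower().startswith("http"):
                findings.append((kind, clsid, "DPF entry with no download URL"))
        elif kind == "R1" and (m := R1_RE.match(body)):
            host = urlparse(m.group(2)).hostname
            findings.append((kind, m.group(1), f"search page points at {host}; confirm it is expected"))
    return findings


if __name__ == "__main__":
    for kind, item, reason in triage(SAMPLE_LOG):
        print(f"{kind:4} {item:45} {reason}")
```

    Note that a name-based pass cannot tell a legitimate-looking mshelp32.exe from the RAT Kodo identified; that call still needs the known-bad knowledge the thread supplied.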
  12. hazza07

    hazza07 Private E-2

    Thanks for the help. I have a couple of questions though.
    1. Windows Explorer will not let me delete DLHAPBPE.exe; it says that Windows is using it...
    2. Do I run HijackThis in safe mode or normal mode to delete the files you recommended?
    3. And when I press CTRL-ALT-DELETE in safe mode the only program is Explorer. Where is Processes? This may sound stupid because I'm sure I've heard of it, but I'm not very good with computers.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For comment 1 above: That is why I said:
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (if you see them):

    But I guess it is not showing with Win98 task manager. Use this program to find and kill the process instead: ProcessExplorer for Win 9x/Me


    For comment 2: If you follow the directions, I told you when to go into safe mode and when to leave it.
     
  14. hazza07

    hazza07 Private E-2

    Thanks for your help everyone. I think it's gone now, although when I did the Process Explorer, DLHAPBPE wasn't there. All that was there was Kernel32.DLL, MSGSRV32.EXE and MPREXE.EXE, and Explorer etc. Is there anything else I should do with that? There are two Messenger Plus! 2 ones: one is a RunServices, the other is just Run. I'll attach you a copy of the HijackThis log anyway.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you try to use Add/Remove programs to uninstall Messenger Plus? If not please do so.
    Also while there you should uninstall P2P Networking. You probably got this from Kazaa or another file sharing program. Not a good idea to have this.
     
  16. hazza07

    hazza07 Private E-2

    Okay, thanks for your help, I think my computer's fixed now. Well, it's running normally at the moment.
    Thanks heaps.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
