
Solved: I've been owned by various Spywares (hijack this)

Discussion in 'Virus & Other Malware Removal' started by OhNos111, Nov 25, 2004.

Thread Status:
Not open for further replies.
  1. OhNos111

    OhNos111 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    125
    Just yesterday, my internet stopped working on my PC. I know it's not my connection as Xbox Live still works fine. I've run Adaware various times and it keeps finding the same spyware: CoolWebSearch (dealt with a variant of this before), HttpFilter, and Possible hijack attempt. It cleans them out and they just come right back. Every so often, a new one will appear even though I haven't gone online since the last sweep.

    The really weird thing is that this spyware screwed up my Task Manager. I can Ctrl-Alt-Delete, bring up the Task Manager, but it will not be fully there. It is missing the tabs to go to processes, performance etc., so I can't see what is running in the background. Truly weird. System Restores and Spysweeps do nothing.

    I'm at a loss. Any and all help would be appreciated.

    Oh yeah...attached is a screenshot of my messed up Task Manager.


    Here is the Hijack This log:

    Find all log:
     

    Attached Files:

  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Please do this:

    Click here to download FindNFix.

    Extract it (it should autoextract to C:\FindnFix when you double click it)

    Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste log.txt back here in your next reply.

    Also a new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it.
     
  3. OhNos111

    OhNos111 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    125
    Ok...This is what I got.

    Hijack This log
    FindnFix log
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Close all browser windows, click on the cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing.

    When it is finished restart your computer.



    Go here and download Ad-Aware SE.

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From the main window: click Start, then under Select a scan mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose Select All from the drop-down menu and click Next.)

    Restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  5. OhNos111

    OhNos111 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    125
    New Hijack This Log

    FindnFix Log
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Do you know what this is?:

    O4 - HKLM\..\Run: [Clocks] RunDll32.exe OCpp.dll,SetClocks 429.75 369.00


    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Security Agent.
    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the drop-down menu select "Disabled". Click Apply then OK. Exit the Services utility.

    If this service isn't there then skip this part and move on.

    Download Pocket Killbox from here:

    http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to the folder of your choice.

    Double-click on Killbox.exe to run it. Now put a tick by Delete on reboot. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\system32\scagent.exe

    C:\WINDOWS\httpfilter.dll

    C:\WINDOWS\httpfilter2.dll

    C:\WINDOWS\httpfilter1.dll

    C:\WINDOWS\System32\wmvdmod.exe


    Exit the Killbox.

    Next run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

    O2 - BHO: (no name) - {B31BB2AA-FCA3-448A-9718-278B636BC42A} - C:\WINDOWS\mindep.dll (file missing)

    O4 - HKCU\..\Run: [wmvdmod] C:\WINDOWS\System32\wmvdmod.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20e9126...ip/RdxIE601.cab

    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll


    Now restart your computer.

    Let the computer fully reboot and then restart again into safe mode:

    How to start your computer in safe mode

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin
     
  7. obyone

    obyone

    Joined:
    Jun 22, 2003
    Messages:
    39
    O4 - HKLM\..\Run: [Clocks] RunDll32.exe OCpp.dll,SetClocks 429.75 369.00

    OCpp.dll is a DLL file for R3D Tweak, a video card overclocking utility.


    OK...did everything you asked but I couldn't get "Service Agent" to stop. It just returned an error. I've attached the error as a screenshot.

    I did everything else but I'm still getting the httpfilter and CWS:about. Here is the new Hijack this Log.

    FindnFix log
     
  8. obyone

    obyone

    Joined:
    Jun 22, 2003
    Messages:
    39
    oops..here's the error.

    BTW...My Task manager still looks like this.

     

    Attached Files:

  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Let's do this again! :eek:

    Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Close all browser windows, click on the cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing.

    When it is finished restart your computer.



    Go here and download Ad-Aware SE.

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From the main window: click Start, then under Select a scan mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose Select All from the drop-down menu and click Next.)

    Restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  10. OhNos111

    OhNos111 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    125
    I did exactly that and still came out with the httpfilter and CWS malware.

    The last Hijack this Log is the most recent one, after the CWShredder and Adaware sweeps.
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Please post a current HJT scan.
     
  12. OhNos111

    OhNos111 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    125
    Hijack this:

     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Security Agent.
    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the drop-down menu select "Disabled". Click Apply then OK. Exit the Services utility.

    If this service isn't there then skip this part and move on.

    Click here to download Pocket KillBox.

    Unzip the files to the folder of your choice.

    Double-click on Killbox.exe to run it. Now put a tick by Delete on reboot. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot and whether you want to reboot now. Click No, then OK on the next prompt. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\system32\scagent.exe

    C:\WINDOWS\httpfilter.dll

    C:\WINDOWS\httpfilter2.dll

    C:\WINDOWS\httpfilter1.dll


    Exit the Killbox.

    Next run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

    O2 - BHO: (no name) - {15F2721F-8B6E-4CF4-905F-9AFB3C2D311B} - C:\WINDOWS\mindep.dll (file missing)

    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll


    Restart your computer.
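Added example, not code from this thread, from HijackThis or from the tools Flrman1 links: a small Python triage of the HijackThis entry types he singles out in this post and in post 6 (the O18 text/html filter, the O2 BHO whose file is missing, the file:// O16 entry, the missing R3 URLSearchHook), with the benign O4 "Clocks" entry left unflagged. The sample lines are constructed from the entries quoted in the thread, and the heuristics are my own, assuming HijackThis's "Oxx - ..." line format.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted in this thread;
# it is not a real log from the poster.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {15F2721F-8B6E-4CF4-905F-9AFB3C2D311B} - C:\WINDOWS\mindep.dll (file missing)
O4 - HKLM\..\Run: [Clocks] RunDll32.exe OCpp.dll,SetClocks 429.75 369.00
O4 - HKCU\..\Run: [wmvdmod] C:\WINDOWS\System32\wmvdmod.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
R3 - Default URLSearchHook is missing
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")   # "O18 - <body>"
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

def parse_hjt_line(line):
    """Split one HijackThis line into section code, body, CLSID (if any) and a missing-file flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None            # header lines such as "Running processes:" are skipped
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    return {"section": m.group("section"), "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "file_missing": "(file missing)" in body}

def triage(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    sec, body = entry["section"], entry["body"]
    reasons = []
    if sec == "O18" and body.startswith("Filter: text/html"):
        reasons.append("MIME filter on text/html: the DLL can see and rewrite every page IE renders")
    if sec == "O2" and entry["file_missing"]:
        reasons.append("BHO registered but its DLL is gone: leftover registration of a hijacker")
    if sec == "O16" and "file://" in body.lower():
        reasons.append("ActiveX (DPF) entry loaded from a local file:// path, not a vendor URL")
    if sec == "R3" and "URLSearchHook is missing" in body:
        reasons.append("default URLSearchHook removed: typical aftermath of a search hijacker")
    return reasons

def triage_log(lines):
    """Map each parseable line (re-joined as 'section - body') to its triage reasons."""
    entries = [e for e in (parse_hjt_line(l) for l in lines) if e]
    return {f'{e["section"]} - {e["body"]}': triage(e) for e in entries}
```

Running `triage_log(SAMPLE_LOG)` flags four of the six constructed lines and leaves both O4 entries alone, matching obyone's point that the "Clocks" entry belongs to R3D Tweak.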
     
  14. OhNos111

    OhNos111 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    125
    OK...this is what I got.
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Fix this one:

    R3 - Default URLSearchHook is missing

    Restart to safe mode.

    How to start your computer in safe mode

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin
     
Short URL to this thread: https://techguy.org/300882