
Trouble with Hijacker!

Discussion in 'Virus & Other Malware Removal' started by -LK-, Oct 2, 2003.

  1. -LK-

    -LK- Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    I have HiJackThis, and I keep deleting the browser hijacker with no name...

    So, since it always is back when I restart, it must be something that executes on startup. Which one of these is it? And can I delete some of them?

    Logfile of HijackThis v1.95.1
    Scan saved at 17:19:27, on 2003-10-02
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program\USB Storage RW\shwicon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Messenger Plus! 2\MsgPlus.exe
    C:\Program\Winamp3\winampa.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\winsvchost.exe
    C:\Program\SoftDisc\softdisc.exe
    C:\Program\D-Tools\daemon.exe
    C:\Program\Degoo.com\surfbar.exe
    C:\Babylon Install\Babylon\Babylon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\Program\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program\ZoneAlarm\zapro.exe
    C:\WINDOWS\system32\drivers\config\svchost.exe
    C:\Program\SpamPal\spampal.exe
    C:\Program\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Outlook Express\msimn.exe
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\HiJackThis\HijackThis.exe
    C:\WINDOWS\system32\cidaemon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/startsite/startsite.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0D7DC475-59EB-4781-985F-A6F5D4E2BC73} - C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {ac69e8a7-0e90-4440-8ca1-d9c5f069674e} - C:\DOCUME~1\GAREN~1\APPLIC~1\lyquoustsslth.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {6E4BC43F-4B79-4619-881D-99B78C3DBD43} - C:\WINDOWS\System32\reb69df2.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\Coloreal\coloreal.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [ccApp] "c:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [CJPWGMT] C:\WINDOWS\CJPWGMT.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Task Manager] mstask.exe
    O4 - HKLM\..\Run: [00winsvchost] C:\WINDOWS\System32\winsvchost.exe
    O4 - HKLM\..\Run: [iedcb1f5] rundll32.exe C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [reb69df2] rundll32.exe C:\WINDOWS\System32\reb69df2.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [SoftDisc] "C:\Program\SoftDisc\softdisc.exe" -hide
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Degoo.com Surfbar] "C:\Program\Degoo.com\surfbar.exe"
    O4 - HKCU\..\Run: [Babylon Translator] C:\Babylon Install\Babylon\Babylon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: SpamPal.lnk = C:\Program\SpamPal\spampal.exe
    O4 - Startup: Trillian.lnk = ?
    O4 - Global Startup: Babylon.lnk = C:\Program\Babylon\Babylon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program\ZoneAlarm\zapro.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  2. -LK-

    -LK- Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    Okay, I figured it is these two:

    O4 - HKLM\..\Run: [iedcb1f5] rundll32.exe C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [reb69df2] rundll32.exe C:\WINDOWS\System32\reb69df2.dll,EnableRunDLL32

    Since

    O3 - Toolbar: (no name) - {6E4BC43F-4B79-4619-881D-99B78C3DBD43} - C:\WINDOWS\System32\reb69df2.dll

    is the problem... And they both have reb69blabla in them. Right?
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    If it's there, uninstall Degoo.com\surfbar from Add/Remove Programs in Control Panel.

    Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows and press Fix checked.


    O2 - BHO: (no name) - {0D7DC475-59EB-4781-985F-A6F5D4E2BC73} - C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll
    O2 - BHO: (no name) - {ac69e8a7-0e90-4440-8ca1-d9c5f069674e} - C:\DOCUME~1\GAREN~1\APPLIC~1\lyquoustsslth.dll (file missing)
    O3 - Toolbar: (no name) - {6E4BC43F-4B79-4619-881D-99B78C3DBD43} - C:\WINDOWS\System32\reb69df2.dll
    O4 - HKLM\..\Run: [CJPWGMT] C:\WINDOWS\CJPWGMT.exe
    O4 - HKLM\..\Run: [00winsvchost] C:\WINDOWS\System32\winsvchost.exe
    O4 - HKLM\..\Run: [iedcb1f5] rundll32.exe C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [reb69df2] rundll32.exe C:\WINDOWS\System32\reb69df2.dll,EnableRunDLL32
    O4 - HKCU\..\Run: [Degoo.com Surfbar] "C:\Program\Degoo.com\surfbar.exe"
    O4 - Startup: Trillian.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    Then reboot and delete the following files or folders:

    C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll ....[iedcb1f5 folder]
    C:\WINDOWS\System32\reb69df2.dll
    C:\WINDOWS\System32\winsvchost.exe
    C:\Program\Degoo.com\surfbar.exe ....[degoo.com folder]

    Then reboot and download AdAware 6 181.
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on: "ON = GREEN".
    From the main window, click "Start" then "Activate in-depth scan".

    Then......

    Click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".

    Then.........

    Go to Settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning", then "Cleaning engine" and tick "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use at next reboot".

    Then...... click "Proceed" to save your settings.

    Now to scan, just click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it.

    Then download Spybot - Search & Destroy from http://security.kolla.de

    After installing, first press Online, search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer and OE windows, hit "Check for Problems", and have SpyBot remove all it finds that is marked in RED.


    Then post a new HijackThis log to check.
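The moderator's pick list above was built by eye from a few recurring signals: module names that look machine-generated (iedcb1f5, reb69df2), a BHO registered for a file that is no longer on disk, an O4 Run entry that uses rundll32 to reload the same DLL as a flagged O2/O3 entry (the pairing the thread starter spotted in post #2), an executable whose name imitates a system process (winsvchost.exe), and O6 Internet Explorer policy restrictions. The script below is an added example, not a tool anyone in the thread used, that applies those same heuristics to a HijackThis v1.9x log. The sample log is constructed from entries quoted in this thread; the regular expressions and the "random-looking name" rule (two or three letters followed by six to eight hex digits) are assumptions of the example, tuned to this log, not a general malware signature.

```python
"""Heuristic triage of a HijackThis v1.9x log (added example, not from the thread)."""
import re

# Constructed sample: a subset of the entries quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winsvchost.exe
C:\WINDOWS\system32\drivers\config\svchost.exe
C:\Program\ZoneAlarm\zapro.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {0D7DC475-59EB-4781-985F-A6F5D4E2BC73} - C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll
O2 - BHO: (no name) - {ac69e8a7-0e90-4440-8ca1-d9c5f069674e} - C:\DOCUME~1\GAREN~1\APPLIC~1\lyquoustsslth.dll (file missing)
O3 - Toolbar: (no name) - {6E4BC43F-4B79-4619-881D-99B78C3DBD43} - C:\WINDOWS\System32\reb69df2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00winsvchost] C:\WINDOWS\System32\winsvchost.exe
O4 - HKLM\..\Run: [iedcb1f5] rundll32.exe C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll,EnableRunDLL32
O4 - HKLM\..\Run: [reb69df2] rundll32.exe C:\WINDOWS\System32\reb69df2.dll,EnableRunDLL32
O4 - Startup: Trillian.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

SECTION = re.compile(r"^(?P<code>[RFOC]\d+) - (?P<body>.*)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')
SYSTEM32_FILE = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+$", re.I)
# Assumed rule: 1-3 letters then 6-8 hex digits, e.g. iedcb1f5, reb69df2.
RANDOM_NAME = re.compile(r"^[a-z]{1,3}[0-9a-f]{6,8}$", re.I)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?)(?:,(?P<export>\w+))?$", re.I)
SYSTEM_PROCS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def basename(path: str) -> str:
    # Drop a trailing ",Export" from rundll32 arguments as well as the directory.
    return path.rstrip("\\").rsplit("\\", 1)[-1].split(",")[0]


def stem(name: str) -> str:
    return name.rsplit(".", 1)[0]


def check_process(path: str) -> list:
    """Flag a system-process name in the wrong directory, or a name that imitates one."""
    name = basename(path).lower()
    if name in SYSTEM_PROCS:
        return [] if SYSTEM32_FILE.match(path) else ["system process name outside %SystemRoot%\\System32"]
    if any(stem(p) in name for p in SYSTEM_PROCS):
        return ["name imitates a system process"]
    return []


def check_entry(code: str, body: str) -> list:
    reasons = []
    paths = WIN_PATH.findall(body)
    if code in ("O2", "O3"):
        if "(file missing)" in body:
            reasons.append("registered module is missing from disk")
        reasons += [f"random-looking module name {basename(p)}" for p in paths if RANDOM_NAME.match(stem(basename(p)))]
    elif code == "O4":
        m = RUNDLL.search(body)
        if m and RANDOM_NAME.match(stem(basename(m.group("dll")))):
            reasons.append(f"rundll32 reloads random-looking DLL {basename(m.group('dll'))}")
        if body.rstrip().endswith("= ?"):
            reasons.append("startup shortcut with unresolved target")
        for p in paths:
            reasons += check_process(p)
    elif code == "O6":
        reasons.append("IE policy restriction present (can stop the user undoing changes)")
    return reasons


def triage(log_text: str) -> list:
    """Return [(line, [reasons])] for every log line that trips a heuristic."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            reasons = check_entry(m.group("code"), m.group("body"))
        elif WIN_PATH.match(line):
            reasons = check_process(line)
        else:
            continue
        if reasons:
            findings.append((line, reasons))
    return findings


def related_entries(log_text: str) -> dict:
    """Group section codes by module file so a BHO/toolbar and the Run key that reloads it line up."""
    groups = {}
    for raw in log_text.strip().splitlines():
        m = SECTION.match(raw.strip())
        if m:
            for p in WIN_PATH.findall(m.group("body")):
                groups.setdefault(basename(p).lower(), []).append(m.group("code"))
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "\n   ->", "; ".join(reasons))
    print(related_entries(SAMPLE_LOG))
```

Two things the output makes visible that the log alone does not: "(no name)" on an O2 line is not by itself a signal (Spybot's SDHelper.dll is also listed that way and is not flagged), and grouping by module file is what ties the O3 toolbar and the O4 rundll32 entry for reb69df2.dll together, which is why fixing only the O3 line would have let the Run key restore it at the next boot. The process check also flags the copy of svchost.exe under system32\drivers\config, which the thread did not discuss; a heuristic hit like that is a prompt to verify the file, not a verdict.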
     
  4. -LK-

    -LK- Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    Although, I use the Degoo surfbar, and it has (so far) not caused any problems... But does it cause other programs to run, apart from the surfbar itself?
     
  5. -LK-

    -LK- Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    I have both AdAware and SpyBot, but neither of them finds hijackers; that's why I used HiJackThis, because it always finds all the hijackers.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    I am not sure with Degoo if it starts any other bars etc., but from what I can see in the blurb about it, it is a form of spyware
    and will definitely slow down your surfing by displaying ads.

    If you want to keep it, then ignore the bits about surfbar.
     
  7. -LK-

    -LK- Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    5
    Okay, here's the new scan:

    Logfile of HijackThis v1.95.1
    Scan saved at 19:11:27, on 2003-10-02
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program\USB Storage RW\shwicon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Messenger Plus! 2\MsgPlus.exe
    C:\Program\Winamp3\winampa.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\RealPlayer\RealPlay.exe
    C:\Program\SoftDisc\softdisc.exe
    C:\Program\D-Tools\daemon.exe
    C:\Program\Degoo.com\surfbar.exe
    C:\Babylon Install\Babylon\Babylon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\drivers\config\svchost.exe
    C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program\ZoneAlarm\zapro.exe
    C:\Program\SpamPal\spampal.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\Program\Norton AntiVirus\navapsvc.exe
    C:\Program\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/startsite/startsite.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\Coloreal\coloreal.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [ccApp] "c:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Task Manager] mstask.exe
    O4 - HKLM\..\Run: [SoftDisc] "C:\Program\SoftDisc\softdisc.exe" -hide
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Degoo.com Surfbar] "C:\Program\Degoo.com\surfbar.exe"
    O4 - HKCU\..\Run: [Babylon Translator] C:\Babylon Install\Babylon\Babylon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: SpamPal.lnk = C:\Program\SpamPal\spampal.exe
    O4 - Global Startup: Babylon.lnk = C:\Program\Babylon\Babylon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program\ZoneAlarm\zapro.exe
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    Looks clear now. Has the hijacker gone?
     
  9. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    You might also want to visit http://www.wilderssecurity.net/index.html and download the following:

    SpywareBlaster v2.6.1
    SpywareGuard v2.2

    These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

    Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
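The two tools recommended above work through plain registry settings: SpywareBlaster sets the ActiveX "kill bit" (the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) so Internet Explorer will not instantiate a control, and IE-SPYAD writes domains into the ZoneMap\Domains key with "*" = 4 so they fall into the Restricted Sites zone. The script below is an added example, not code from either tool or from anyone in the thread, that emits a .reg file doing both. The CLSID and domains in the sample call are constructed placeholders, and the rule that the registered domain is the last two labels is a simplification assumed by the example (it is wrong for names like example.co.uk).

```python
"""Generate a .reg file that sets ActiveX kill bits and adds Restricted Sites entries.

Added example: it is not SpywareBlaster or IE-SPYAD, only the two registry
mechanisms those tools rely on, written out so the effect is visible.
"""
import re

KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
KILL_BIT = 0x400        # "Compatibility Flags" bit: IE refuses to instantiate the control
RESTRICTED_SITES = 4    # URL security zone number for Restricted Sites

CLSID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_clsid(clsid: str) -> str:
    """Accept a GUID with or without braces, in any case; reject anything else."""
    m = CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def normalize_domain(domain: str) -> list:
    """Lower-case, strip any scheme or path, and return the labels; rejects malformed names."""
    host = domain.strip().lower().split("://")[-1].split("/")[0]
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a domain: {domain!r}")
    return labels


def kill_bit_entry(clsid: str) -> str:
    return f'[{KILLBIT_KEY}\\{normalize_clsid(clsid)}]\n"Compatibility Flags"=dword:{KILL_BIT:08x}\n'


def restricted_site_entry(domain: str) -> str:
    # ZoneMap layout: Domains\<registered domain>[\<host prefix>], value "*" = zone number.
    # Assumption of this example: the registered domain is the last two labels.
    labels = normalize_domain(domain)
    key = ".".join(labels[-2:])
    if len(labels) > 2:
        key += "\\" + ".".join(labels[:-2])
    return f'[{ZONEMAP_KEY}\\{key}]\n"*"=dword:{RESTRICTED_SITES:08x}\n'


def build_reg(clsids, domains) -> str:
    """Return the text of a .reg file importable with regedit (Windows-1252/ASCII content)."""
    body = [kill_bit_entry(c) for c in clsids] + [restricted_site_entry(d) for d in domains]
    return "Windows Registry Editor Version 5.00\n\n" + "\n".join(body)


if __name__ == "__main__":
    # Constructed placeholders, not real controls or sites.
    print(build_reg(["11111111-2222-3333-4444-555555555555"], ["ads.example.net", "example.org"]))
```

A kill bit only stops Internet Explorer from loading the control through its ActiveX compatibility check; it does not delete the file or its CLSID registration, which is why the HijackThis fix and the file deletions above still had to be done by hand.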
     
Short URL to this thread: https://techguy.org/169024