Trouble with Hijacker!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

-LK-

Thread Starter
Joined
Oct 2, 2003
Messages
5
I have HiJackThis, and I keep deleting the browser hijacker with no name...

So, since it is always back when I restart, it must be something that executes on startup. Which one of these is it? And can I delete some of them?

Logfile of HijackThis v1.95.1
Scan saved at 17:19:27, on 2003-10-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Messenger Plus! 2\MsgPlus.exe
C:\Program\Winamp3\winampa.exe
C:\Program\QuickTime\qttask.exe
C:\Program\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\winsvchost.exe
C:\Program\SoftDisc\softdisc.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Degoo.com\surfbar.exe
C:\Babylon Install\Babylon\Babylon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\drivers\config\svchost.exe
C:\Program\SpamPal\spampal.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Outlook Express\msimn.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/startsite/startsite.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0D7DC475-59EB-4781-985F-A6F5D4E2BC73} - C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ac69e8a7-0e90-4440-8ca1-d9c5f069674e} - C:\DOCUME~1\GAREN~1\APPLIC~1\lyquoustsslth.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {6E4BC43F-4B79-4619-881D-99B78C3DBD43} - C:\WINDOWS\System32\reb69df2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\Coloreal\coloreal.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [CJPWGMT] C:\WINDOWS\CJPWGMT.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Task Manager] mstask.exe
O4 - HKLM\..\Run: [00winsvchost] C:\WINDOWS\System32\winsvchost.exe
O4 - HKLM\..\Run: [iedcb1f5] rundll32.exe C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll,EnableRunDLL32
O4 - HKLM\..\Run: [reb69df2] rundll32.exe C:\WINDOWS\System32\reb69df2.dll,EnableRunDLL32
O4 - HKLM\..\Run: [SoftDisc] "C:\Program\SoftDisc\softdisc.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Degoo.com Surfbar] "C:\Program\Degoo.com\surfbar.exe"
O4 - HKCU\..\Run: [Babylon Translator] C:\Babylon Install\Babylon\Babylon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpamPal.lnk = C:\Program\SpamPal\spampal.exe
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: Babylon.lnk = C:\Program\Babylon\Babylon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
 

-LK-

Thread Starter
Joined
Oct 2, 2003
Messages
5
Okay, I figured it is these two:

O4 - HKLM\..\Run: [iedcb1f5] rundll32.exe C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll,EnableRunDLL32
O4 - HKLM\..\Run: [reb69df2] rundll32.exe C:\WINDOWS\System32\reb69df2.dll,EnableRunDLL32

Since

O3 - Toolbar: (no name) - {6E4BC43F-4B79-4619-881D-99B78C3DBD43} - C:\WINDOWS\System32\reb69df2.dll

is the problem... And they both have reb69blabla in them. Right?
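The correlation above (an unnamed O3 toolbar DLL in System32 and the O4 Run entry that reloads it at every boot) can be automated and then re-run on a second log to confirm the cleanup, which is what the rest of this thread does by hand. The following is an added example for this thread, not code from any of the posts or from HijackThis itself; the four rules are this example's own heuristics, not the moderator's checklist, and the sample logs are constructed excerpts made from entries shown in the thread.

```python
"""Triage a HijackThis (HJT) log with defender-side heuristics and verify a
before/after pair of scans.  Added example: not code from this thread or from
HijackThis; the rules are this example's own assumptions; sample logs are
constructed excerpts of entries shown in the thread."""
import re
from dataclasses import dataclass

# An HJT entry line: "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [name] cmd"
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Windows paths inside an entry (stops at quotes, whitespace and commas).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\s,]+")

@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O3", "O4", "O6", ...
    body: str     # everything after "On - "

    def paths(self):
        """Lower-cased file paths referenced by the entry."""
        return {p.lower() for p in PATH_RE.findall(self.body)}

    def __str__(self):
        return f"{self.section} - {self.body}"

def parse_hjt(text):
    """Return the R*/O* entries of a log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def _basename(path):
    return path.rsplit("\\", 1)[-1]

def triage(entries):
    """Map each suspicious entry to the reason it was flagged (heuristics)."""
    flagged, suspect_modules = {}, set()
    for e in entries:
        # Rule 1: an unnamed BHO/toolbar whose module is already missing, or
        # whose module sits in System32 under a digit-laden name.
        if e.section in ("O2", "O3") and "(no name)" in e.body:
            if "(file missing)" in e.body:
                flagged[e] = "unnamed BHO/toolbar whose file is missing"
                continue
            for p in e.paths():
                stem = _basename(p).rsplit(".", 1)[0]
                if "\\system32\\" in p and re.search(r"\d", stem):
                    flagged[e] = "unnamed BHO/toolbar, digit-laden module in System32"
                    suspect_modules.add(p)
    for e in entries:
        if e.section != "O4":
            continue
        # Rule 2: a startup entry that reloads a rule-1 module is what brings
        # the hijacker back after every reboot.
        if e.paths() & suspect_modules:
            flagged[e] = "startup entry reloads a flagged module"
        # Rule 3: a startup binary whose name imitates a core process name.
        for p in e.paths():
            base = _basename(p)
            if "svchost" in base and base != "svchost.exe":
                flagged[e] = f"binary name imitates svchost.exe ({base})"
    for e in entries:
        # Rule 4: IE policy restrictions, used to lock hijacked settings in place.
        if e.section == "O6" and e.body.endswith("present"):
            flagged[e] = "IE restriction policy present"
    return flagged

def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    b, a = set(before), set(after)
    return sorted(map(str, b - a)), sorted(map(str, a - b))

# Constructed excerpt of the first log posted in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.95.1
Running processes:
C:\WINDOWS\System32\winsvchost.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0D7DC475-59EB-4781-985F-A6F5D4E2BC73} - C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll
O2 - BHO: (no name) - {ac69e8a7-0e90-4440-8ca1-d9c5f069674e} - C:\DOCUME~1\GAREN~1\APPLIC~1\lyquoustsslth.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {6E4BC43F-4B79-4619-881D-99B78C3DBD43} - C:\WINDOWS\System32\reb69df2.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [00winsvchost] C:\WINDOWS\System32\winsvchost.exe
O4 - HKLM\..\Run: [iedcb1f5] rundll32.exe C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll,EnableRunDLL32
O4 - HKLM\..\Run: [reb69df2] rundll32.exe C:\WINDOWS\System32\reb69df2.dll,EnableRunDLL32
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""
# Constructed excerpt of the second log, after the fixes.
AFTER_LOG = r"""O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "c:\Program\Delade filer\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    for entry, reason in triage(before).items():
        print(f"[{reason}] {entry}")
    removed, added = diff_logs(before, after)
    print(f"removed {len(removed)}, added {len(added)}, still flagged {len(triage(after))}")
```

Rule 2 is the step the thread arrives at manually: a BHO or toolbar on its own is removed once, but the O4 entry that re-registers the same DLL through rundll32 is what makes it reappear after every reboot, so both must go together. Running triage on the second log and getting an empty result is the machine equivalent of "looks clear now".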
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
If it's there, uninstall Degoo.com\surfbar from Add/Remove Programs in Control Panel.

Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press Fix Checked:


O2 - BHO: (no name) - {0D7DC475-59EB-4781-985F-A6F5D4E2BC73} - C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll
O2 - BHO: (no name) - {ac69e8a7-0e90-4440-8ca1-d9c5f069674e} - C:\DOCUME~1\GAREN~1\APPLIC~1\lyquoustsslth.dll (file missing)
O3 - Toolbar: (no name) - {6E4BC43F-4B79-4619-881D-99B78C3DBD43} - C:\WINDOWS\System32\reb69df2.dll
O4 - HKLM\..\Run: [CJPWGMT] C:\WINDOWS\CJPWGMT.exe
O4 - HKLM\..\Run: [00winsvchost] C:\WINDOWS\System32\winsvchost.exe
O4 - HKLM\..\Run: [iedcb1f5] rundll32.exe C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll,EnableRunDLL32
O4 - HKLM\..\Run: [reb69df2] rundll32.exe C:\WINDOWS\System32\reb69df2.dll,EnableRunDLL32
O4 - HKCU\..\Run: [Degoo.com Surfbar] "C:\Program\Degoo.com\surfbar.exe"
O4 - Startup: Trillian.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


Then reboot & delete the following files or folders:

C:\WINDOWS\System32\iedcb1f5\iedcb1f5.dll ....[iedcb1f5 folder]
C:\WINDOWS\System32\reb69df2.dll
C:\WINDOWS\System32\winsvchost.exe
C:\Program\Degoo.com\surfbar.exe ....[degoo.com folder]

Then reboot & download AdAware 6 181.
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning" ...........then........ "Cleaning engine" and tick "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan, it's just a matter of clicking the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.

then
Download Spybot - Search & Destroy from http://security.kolla.de

After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.


Then post a new HijackThis log to check.
 

-LK-

Thread Starter
Joined
Oct 2, 2003
Messages
5
Although, I use the Degoo surfbar, and it has (so far) not caused any problems... But does it cause other programs to run, apart from the surfbar itself?
 

-LK-

Thread Starter
Joined
Oct 2, 2003
Messages
5
I have both AdAware and SpyBot, but neither of them finds hijackers; that's why I used HiJackThis, because it always finds all the hijackers.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
I am not sure with Degoo if it starts any other bars etc, but from what I can see in the blurb about it, it is a form of spyware
and will definitely slow down your surfing by displaying ads.

If you want to keep it, then ignore the bits about surfbar.
 

-LK-

Thread Starter
Joined
Oct 2, 2003
Messages
5
Okay, here's the new scan:

Logfile of HijackThis v1.95.1
Scan saved at 19:11:27, on 2003-10-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Messenger Plus! 2\MsgPlus.exe
C:\Program\Winamp3\winampa.exe
C:\Program\QuickTime\qttask.exe
C:\Program\RealPlayer\RealPlay.exe
C:\Program\SoftDisc\softdisc.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Degoo.com\surfbar.exe
C:\Babylon Install\Babylon\Babylon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\drivers\config\svchost.exe
C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\ZoneAlarm\zapro.exe
C:\Program\SpamPal\spampal.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/startsite/startsite.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\Coloreal\coloreal.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Task Manager] mstask.exe
O4 - HKLM\..\Run: [SoftDisc] "C:\Program\SoftDisc\softdisc.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Degoo.com Surfbar] "C:\Program\Degoo.com\surfbar.exe"
O4 - HKCU\..\Run: [Babylon Translator] C:\Babylon Install\Babylon\Babylon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpamPal.lnk = C:\Program\SpamPal\spampal.exe
O4 - Global Startup: Babylon.lnk = C:\Program\Babylon\Babylon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program\ZoneAlarm\zapro.exe
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Looks clear now, has the hijacker gone?
 
Joined
Aug 18, 2003
Messages
2,438
You might also want to visit http://www.wilderssecurity.net/index.html and download the following:

SpywareBlaster v2.6.1
SpywareGuard v2.2

These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
 

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top