Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
Spy Wiper Hijacks

 
Jeff
Guest






Posted: Mon Jan 26, 2004 10:32 pm    Post subject: Spy Wiper Hijacks

Can't seem to get rid of these Spy Wiper pop-ups. So I've tried using the advice posted by Suzi on 1/5/04, starting with Spybot, then Ad-Aware, followed by HijackThis.

To recap the problem: when I open Netscape it generates a program error (I use Win2K Pro). When I try IE, the 1st window says "script error, ActiveX component can't create object wmplayer", then the 2nd window says "Warning! if your cd drive is open you DESPERATELY NEED to rid your system of spyware popups", then the 3rd window starts a promotion of the Spy Wiper download, and the final window says "Message from ISP consultant" with a strong recommendation to install spyware removal. The only way I could access the internet was by loading/running Mozilla.

Following is my hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 9:49:06 PM, on 1/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZoneLabs\MINILOG.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Program Files\hyjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/qry/myhome"); (C:\Documents and Settings\Jeff Noble\Application Data\Mozilla\Profiles\default\zofu0tmc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeff Noble\Application Data\Mozilla\Profiles\default\zofu0tmc.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - Startup: ProCCS - PMR.lnk = C:\PNTTEMPL\ProMortgageTools\ProCCS\ProCCS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37928.4814930556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informativeresearch.webex.com/client/latest/support/ieatgpc.cab
O16 - DPF: {E922EBC9-50D4-4B53-B454-73376453E98D} (LOSActiveX.MainForm) - https://www.xpertonline.net/LosActiveX/LOSActiveX.CAB

Look forward to advice on which items can be deleted. Thanks, Jeff
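A small triage script, added here as an example and not part of the thread or of HijackThis itself, that does mechanically what the responders below do by eye: it pulls the URL out of every URL-bearing line of the log above (R0/R1 IE start-page and search-bar values, N3 Netscape preferences, O16 downloaded ActiveX controls) and reports the host as "ok" when it is on an allowlist and "review" otherwise. The allowlist is an assumption made for this thread (the ISP home page plus the Windows Update and Macromedia download hosts); the sample lines are copied from Jeff's log, and the `triage`, `entry_name` and `suspicious_hosts` helpers are the example's own names.

```python
"""Allowlist triage for HijackThis-style log lines.

Added example for this thread; it is not HijackThis code. It finds the URL in
every R0/R1 (IE start page / search bar), N3 (Netscape user_pref) and O16
(downloaded ActiveX / DPF) line and reports the host as "ok" when it is on the
user's allowlist and "review" otherwise. Lines without a URL are skipped.
"""
import re
from urllib.parse import urlparse

# Hosts this user would legitimately expect. This is an assumption made for the
# example: the ISP home page plus the two well-known download sites in the log.
TRUSTED_HOSTS = {
    "www.comcast.net",
    "v4.windowsupdate.microsoft.com",
    "download.macromedia.com",
}

# Lines copied from the HijackThis log posted in this thread; only the entry
# types the script recognises are included.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/qry/myhome"); (C:\Documents and Settings\Jeff Noble\Application Data\Mozilla\Profiles\default\zofu0tmc.slt\prefs.js)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37928.4814930556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informativeresearch.webex.com/client/latest/support/ieatgpc.cab
O16 - DPF: {E922EBC9-50D4-4B53-B454-73376453E98D} (LOSActiveX.MainForm) - https://www.xpertonline.net/LosActiveX/LOSActiveX.CAB
"""

TAG_RE = re.compile(r"^(R[01]|N3|O16)\b")
# A URL runs until whitespace or one of the characters that close it in the log
# formats above (the closing quote of a user_pref, a ')' or ';').
URL_RE = re.compile(r"""https?://[^\s"');]+""")
# What each entry type means in HijackThis terms, for the report.
MEANING = {
    "R0": "IE start page",
    "R1": "IE search/default page value",
    "N3": "Netscape/Mozilla user_pref",
    "O16": "downloaded ActiveX control (DPF)",
}


def entry_name(tag, line):
    """Pull the human-readable name of the setting or control out of the line."""
    if tag in ("R0", "R1"):
        m = re.search(r",([^=]+?) = ", line)            # "Main,Start Page = ..."
    elif tag == "N3":
        m = re.search(r'user_pref\("([^"]+)"', line)     # the preference key
    else:
        m = re.search(r"\(([^)]+)\) - https?://", line)  # "(Update Class) - http..."
    return m.group(1) if m else "?"


def triage(lines, trusted=TRUSTED_HOSTS):
    """Return (tag, name, host, verdict) for every URL found in a recognised line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = TAG_RE.match(line)
        if not m:
            continue
        tag = m.group(1)
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            verdict = "ok" if host in trusted else "review"
            findings.append((tag, entry_name(tag, line), host, verdict))
    return findings


def suspicious_hosts(findings):
    """Distinct hosts that need a human look, sorted for a stable report."""
    return sorted({host for _, _, host, verdict in findings if verdict == "review"})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.strip().splitlines())
    for tag, name, host, verdict in results:
        print(f"{verdict:6} {tag:3} {MEANING[tag]:34} {name:26} {host}")
    print("\nHosts to research:", ", ".join(suspicious_hosts(results)))
```

Run against the sample, the "review" list is the two redirect hosts in the R0/R1 entries plus the two O16 hosts the thread goes on to discuss, which is the short list a human then confirms or clears (in this thread the WebEx control turned out to be expected). The `engine://` Netscape search-plugin line is deliberately not matched: it points at a local file, not a host, and has to be judged separately.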
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 4080
Location: Illegitimus non carborundum

Posted: Mon Jan 26, 2004 10:45 pm

Hello,
I'm not the expert on these, but I see a few things that look suspicious!
You might want to Google them or wait for someone else to add to this:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe

I don't recognize these as normal, and I can't remember seeing them slated for removal in other HijackThis postings. So caution is the word, but if you copy each one separately into a Google search (separate searches), see if anything comes up!
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 08 Feb 2010
Posts: 10682
Location: sunny California

Posted: Mon Jan 26, 2004 11:46 pm

These definitely need to be removed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm


There are 3 Netscape settings there; the first one looks OK, but I'm not sure about the other two. Don't do anything yet, though.

I think this one is ok:
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
_________________
Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
iceblue
Warrior Addict


Joined: 18 Jan 2004
Last Visit: 11 Apr 2006
Posts: 565
Location: Sydney

Posted: Tue Jan 27, 2004 5:05 am

That's good work, guys...
These ones have to go.

Please close all Windows Explorer and browser windows,
and have HJT fix these items (checked):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informativeresearch.webex.com/client/latest/support/ieatgpc.cab

Reboot,
and check out your IE.
Repost if any drama persists,
or for a final lookover.
Have a nice day on the net!
Ice

Your system looks good - maybe add some prevention measures mentioned in these forums.

_________________
Travel safely!
Jeff
Guest






Posted: Tue Jan 27, 2004 10:27 am

Thank you all for your help! I suspected the first 4 entries were the culprits, but I needed confirmation. O16 should be OK as I recognize that one. Netscape was still a problem, but I just reinstalled 7.1 and all is well. Thanks again and have a nice day! Jeff
iceblue
Warrior Addict


Joined: 18 Jan 2004
Last Visit: 11 Apr 2006
Posts: 565
Location: Sydney

Posted: Tue Jan 27, 2004 1:27 pm

Glad to hear it.

Those entries were indeed causing the browser redirects, and the question remains how these were loaded onto your system.
Any ActiveX item removed will be reloaded when needed, and the entry noted has been flagged as a bad download in the past.
No problem if that is indeed the case here.
Quote:
When I try IE, the 1st window says script error, activex component can't create object wmplayer

As pointed out here in this forum, SpywareBlaster will protect any system from bad ActiveX downloads. We prefer here to remove any offending entries and any likely cause of infection, and then point out an effective defence mechanism.

When time permits,
going through the other items mentioned will help other people doing Google searches for legit items.

HP Photosmart printer driver
HPDJ Taskbar Utility =C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe= (this is the taskbar icon)
Mozilla does not attract the vast array of hijack problems of other browsers, and the Netscape entries always have that complex arrangement and random-string user preference entry, such as

N3 - Netscape 7: user_pref("browser.startup.homepage", "wabu.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9gjsfy8s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9gjsfy8s.slt\prefs.js)

hope this helps,
and have a nice day on the net.
Ice
_________________
Travel safely!
Jeff
Guest






Posted: Thu Jan 29, 2004 11:17 am

Thanks for the info. After I cleaned up the entries I loaded both SpywareGuard and SpywareBlaster. I guess you can never have enough protection these days. Jeff