Friend's HJT log. It's got me stumped...
Here's a HJT log of RyThom's machine. It's got soe funky HTML stuck in the bootup (which creates the active desktop you can see in the screenshot below), and clicking anywhere on the desktop takes you to a webpage which allows you to PAY to clean up their own spyware!
I've tried removing it with HJT in both safemode AND the safemode command prompt. It keeps reappearing no matter what I do.
Logfile of HijackThis v1.98.2
Scan saved at 1:11:54 AM, on 10/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\cmd.exe
C:\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ REMOVED] ] c:\WINNT\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ REMOVED] c:\WINNT\System32\ gSafeOnload[0] = window.onload;
O4 - HKCU\..\Run: [REMOVED ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="REMOVEDom/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINNT\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="htREMOVEDdserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [REMOVED20" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINNT\System32\REMOVED<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="REMOVED.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="hREMOVEDadserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINNT\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="link removed!!!"></iframe></noscript>
O4 - Startup: Folding@home 3.24.lnk = C:\Program Files\Folding@Home\winfah.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
See that image in the log? Yeah... thought so...
I've tried removing it with HJT in both safemode AND the safemode command prompt. It keeps reappearing no matter what I do.
Logfile of HijackThis v1.98.2
Scan saved at 1:11:54 AM, on 10/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\cmd.exe
C:\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ REMOVED] ] c:\WINNT\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ REMOVED] c:\WINNT\System32\ gSafeOnload[0] = window.onload;
O4 - HKCU\..\Run: [REMOVED ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="REMOVEDom/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINNT\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="htREMOVEDdserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [REMOVED20" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINNT\System32\REMOVED<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="REMOVED.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="hREMOVEDadserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINNT\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="link removed!!!"></iframe></noscript>
O4 - Startup: Folding@home 3.24.lnk = C:\Program Files\Folding@Home\winfah.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
See that image in the log? Yeah... thought so...
0
Comments
Dude, best way to do this is take the HD out, put it into another computer, and delete files on the HD.
You're going to want to look in the C:\WINDOWS\SYSTEM32 folder to see if you can find the file that's causing the javascript.
This is a totally new thing to me. I've never seen spyware that does this. I hope it's not a trend or the start of a new thing.....
I'm home right now, Brian, but I'll show your post to Rythom so he could try your idea.
I'm going to be upgrading my computer like crazy very soon, so when I do that, i'll just format and start from scratch. I couldn't believe they actually try to sell you a program to get rid of it though!
But for a good chuckle, check out the "engrish" on the wallpaper ;-)