I've been hijacked

almac01 Victoria, Australia
edited March 2005 in Spyware & Virus Removal
Hi,
Can someone help me remove Home Shopping and ZaZZer invasions?
I don't know where they came from.
Attached is a log from HJT.

Thanks

almac01


Logfile of HijackThis v1.98.2
Scan saved at 6:03:55 PM, on 27/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Omniquad Total Security\MyPrivacy\mpsvc.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Omniquad Total Security\OPF\OPFSVC.exe
C:\Program Files\Omniquad Total Security\OPF\pfsvc.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Omniquad Total Security\TScutyNT.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Omniquad Total Security\OPF\TSFrWal.exe
C:\Program Files\Omniquad Total Security\BHOsBlocker\TSBhoBk.exe
C:\Program Files\Omniquad Total Security\MyPrivacy\TSmpNT.exe
C:\Program Files\Omniquad Total Security\AntiSpy\TSAtiSy.exe
D:\Download\AntiVirus\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hww.melbpc.org.au/motd/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hww.melbpc.org.au/search/index2.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Password Organizer - {C3DEA25E-A515-4B65-8760-AEE03089F1CD} - C:\Program Files\Omniquad Total Security\PasswordOrganizer\SIPPwdOrg.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: Password Organizer - {C3DEA25E-A515-4B65-8760-AEE03089F1CD} - C:\Program Files\Omniquad Total Security\PasswordOrganizer\SIPPwdOrg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Total Security] "C:\Program Files\Omniquad Total Security\TScutyNT.exe"
O4 - HKLM\..\Run: [TotalSecurityUpdate] "C:\Program Files\Omniquad Total Security\TSAtUdt.exe"
O4 - HKLM\..\Run: [PasswordOrganizer] C:\Program Files\Omniquad Total Security\RunTimePwdOrg.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Internet Setup] C:\DOCUME~1\Alan\LOCALS~1\Temp\tmpsetup.exe dofinish "E:"
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    You are using an outdated version of HijackThis.
    Please download the current version of HijackThis and post a new HijackThis log.

    http://www.short-media.com/download.php?d=245
  • almac01 Victoria, Australia
    edited March 2005
    Hi Buckeye_Sam,
    I downloaded the latest HJT and here is the log

    Logfile of HijackThis v1.99.1
    Scan saved at 4:59:17 PM, on 29/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Omniquad Total Security\TScutyNT.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\Program Files\Canon\BJPV\TVMon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\Folding@Home\winFAH.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\Omniquad Total Security\MyPrivacy\mpsvc.exe
    C:\Program Files\Omniquad Total Security\OPF\OPFSVC.exe
    C:\Program Files\Omniquad Total Security\OPF\pfsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Folding@Home\FahCore_82.exe
    C:\Program Files\Omniquad Total Security\BHOsBlocker\TSBhoBk.exe
    C:\Program Files\Omniquad Total Security\MyPrivacy\TSmpNT.exe
    C:\Program Files\Omniquad Total Security\AntiSpy\TSAtiSy.exe
    C:\Program Files\WZCBDL Service\WZCBDLS.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Alan\LOCALS~1\Temp\Rar$EX00.060\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hww.melbpc.org.au/motd/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hww.melbpc.org.au/search/index2.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Password Organizer - {C3DEA25E-A515-4B65-8760-AEE03089F1CD} - C:\Program Files\Omniquad Total Security\PasswordOrganizer\SIPPwdOrg.dll
    O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
    O3 - Toolbar: Password Organizer - {C3DEA25E-A515-4B65-8760-AEE03089F1CD} - C:\Program Files\Omniquad Total Security\PasswordOrganizer\SIPPwdOrg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [Total Security] "C:\Program Files\Omniquad Total Security\TScutyNT.exe"
    O4 - HKLM\..\Run: [TotalSecurityUpdate] "C:\Program Files\Omniquad Total Security\TSAtUdt.exe"
    O4 - HKLM\..\Run: [PasswordOrganizer] C:\Program Files\Omniquad Total Security\RunTimePwdOrg.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Internet Setup] C:\DOCUME~1\Alan\LOCALS~1\Temp\tmpsetup.exe dofinish "E:"
    O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Folding@Home 5.03.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
    O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Omniquad Total Security\PopupBlocker\PopupBlocker.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{828B1B24-0A6D-4E45-A461-8147DF5B3704}: NameServer = 192.168.1.254
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Omniquad MyPrivacy - Unknown owner - C:\Program Files\Omniquad Total Security\MyPrivacy\mpsvc.exe
    O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: OPFSVC - Unknown owner - C:\Program Files\Omniquad Total Security\OPF\OPFSVC.exe
    O23 - Service: Personal Firewall - Unknown owner - C:\Program Files\Omniquad Total Security\OPF\pfsvc.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe



    Thanks almac01 :scratch:
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    There's not much in your log.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [Internet Setup] C:\DOCUME~1\Alan\LOCALS~1\Temp\tmpsetup.exe dofinish "E:"


    Delete temp files

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin.


    Reboot and post a new HijackThis log. Let me know what problems you are still having.
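The two entries Buckeye_Sam picked out of the log (a machine-wide HKLM start page on an unfamiliar host, and a Run entry that launches an executable out of the user's Temp folder) are patterns that can be checked mechanically rather than by eye. The script below is an added example for readers of this thread; it is not part of the forum post and is not HijackThis code. It parses R0 and O4 lines in the HijackThis log format and flags those two patterns. The sample lines are constructed from the shape of the logs above, and the allowlist of expected start-page hosts is an assumption the reader supplies for their own machine.

```python
"""Flag HijackThis-style R0/O4 lines worth a second look (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Constructed sample in the HijackThis log format, modelled on the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Internet Setup] C:\DOCUME~1\Alan\LOCALS~1\Temp\tmpsetup.exe dofinish "E:"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# "R0 - <body>" / "O4 - <body>": section tag, then the entry itself.
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] command line
RUN_ENTRY = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
# R0 body: HKxx\Software\Microsoft\Internet Explorer\Main,Start Page = URL
START_PAGE = re.compile(
    r"^(?P<hive>HK\w+)\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = (?P<url>\S+)$"
)
# Leading program path of a command line, quoted or not, up to a common executable extension.
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))(?:"|\s|$)', re.IGNORECASE)
# A "\Temp\" or "\tmp\" path component anywhere in the program path (8.3 names included).
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "R0" or "O4"
    reason: str   # why the line deserves attention
    line: str     # the original log line


def executable_path(cmd: str) -> str:
    """Return the program path at the front of an O4 command line (arguments stripped)."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ")[0]


def triage(log_text: str, expected_hosts: Iterable[str]) -> List[Finding]:
    """Scan R0 start-page entries and O4 autorun entries for the two patterns above.

    expected_hosts: start-page hostnames the owner recognises (an assumption the
    caller supplies); any other host is reported.
    """
    allowed = {h.lower() for h in expected_hosts}
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R0":
            sp = START_PAGE.match(body)
            if sp:
                host = (urlparse(sp.group("url")).hostname or "").lower()
                if host not in allowed:
                    findings.append(Finding(sec, f"{sp.group('hive')} start page points at unexpected host {host!r}", line))
        elif sec == "O4":
            run = RUN_ENTRY.match(body)
            if run and TEMP_DIR.search(executable_path(run.group("cmd"))):
                findings.append(Finding(sec, f"autorun {run.group('name')!r} launches from a temp directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"ninemsn.com.au"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script reports exactly the two lines Buckeye_Sam asked to have fixed: the HKLM start page on hsremove.com and the "Internet Setup" autorun under LOCALS~1\Temp. Entries such as `pctspk.exe` (no directory at all) are left alone here; extending the check to bare filenames or to other temp locations is a matter of adding patterns to `TEMP_DIR` or `EXE_PATH`.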
  • almac01 Victoria, Australia
    edited March 2005
    Hi Buckeye_Sam,
    I found that whatever was happening was getting worse! :mad:
    I ended up with intermittent wireless connections along with other problems so in frustration, I re-formatted. So far, things seem to be clean but I will keep an eye on things I install. :confused:
    If I find the program which introduced these pests, I will let you know.
    Thanks for your help. :D

    almac01
This discussion has been closed.