Help! Ran Adaware, Still have spyware!

I’ve got some spyware that hijacked my home page, hijacks my browser when I get a “page not found,” and throws up random advertising windows. I ran Adaware and rebooted, but it’s still happening.

Go to the following site and download CWShredder, then update it and run it. After that (on the same site), download the program HijackThis and post the log file.

By the way, make sure you have updated Ad-Aware and it is the latest version, which is 6.181, I believe.

Which site?

Haha, I'm tired, sorry about that. Anyway, after you run HijackThis, post the log file.

http://www.spywareinfo.com/~merijn/downloads.html

Adaware is great stuff, but it doesn’t find everything. Spybot S & D is another piece of freeware which you can download and run together with Adaware. I find that they identify different things, and Spybot offers immunization for approximately 150 items.

The Spybot immunization and detection are good, but the program has not had a signature update since March, which is really a problem. It can't detect new threats yet, but the new version should be out this month.

I recently had a hijacking problem (toolbar ads appearing as Google search results), so I ran AdAware. When the scan found no spyware, I tried running Spybot Search and Destroy. It also said my computer was clean.

Finally I downloaded the demo version of SpySweeper, which found and eliminated the problems.

I wish one program would cover all the bases better. As it is now, I have to run at least two programs for a spyware check, because each detects different things.

My computer-savvy friends keep referring me to the “hijack this” program, but I find it too complicated for someone who’s just learning about the inner workings of a computer. YMMV.

You can post your log file from it and I will tell you what needs to be removed. If you are unsure about something, your best bet is to Google it and see what it is.

Thanks for all your help, JC. Here’s my Hijack This log –

Logfile of HijackThis v1.97.7
Scan saved at 2:37:58 PM, on 5/10/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NavNT\vptray.exe
\Citrine\apps\APPS\WinZip\81\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\wab.exe
C:\Palm\palm.exe
C:\Notes\NLNOTES.EXE
C:\Program Files\Hummingbird\Connectivity\8.00\Exceed\exceed.exe
C:\WINNT\system32\NALWIN32.EXE
C:\Palm\HOTSYNC.EXE
C:\Notes\naldaemn.EXE
C:\Notes\nhldaemn.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\am5867\Desktop\Files\Anti-Spyware stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.bna.com
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Lotus Notes.lnk = C:\Notes\notes.exe
O4 - Startup: Internet Explorer.lnk = ?
O4 - Startup: Address Book.lnk = C:\Program Files\Outlook Express\wab.exe
O4 - Startup: Palm Desktop.lnk = C:\Palm\palm.exe
O4 - Startup: exceed.lnk = C:\Program Files\Hummingbird\Connectivity\8.00\Exceed\exceed.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = APPS\WinZip\81\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAA3356F-27AD-4A7F-8FA7-D85AA76DDE34}: NameServer = 149.79.138.1

Unfortunately, it's quite difficult. CoolWebSearch mutates so often that the antispyware people have trouble keeping up with it. There are some versions that are incredibly difficult to clean up. In addition, other spyware keeps changing and being developed too fast to keep up with.

Run HijackThis again, check the following and hit Fix. It will create backups if need be. As for the first one, I know that RealPlayer (if you allow it access to the internet at all times) is responsible for ads. See the following link:
http://www.di-ve.com/dive/portal/portal.jhtml?pid=8150&id=8161#q8
After deleting, restart the machine.
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
O4 - Startup: Internet Explorer.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAA3356F-27AD-4A7F-8FA7-D85AA76DDE34}: NameServer = 149.79.138.1
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch

To prevent future infection:
Go to the following link and download the hosts file, which will block MANY known infections from occurring. Put it in C:\Winnt\System32\Drivers\etc and back up your old file.
Also, go here and download the experts package to block more malware from infecting you: http://www.spywareguide.com/blockfile.php

These are constantly being updated, so check back periodically. Hope the problem is cleared up.

Also remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.bna.com
And the missing link: http://webpages.charter.net/hpguru/hosts/hosts.html
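As an added illustration of what the poster above is checking (this is example code written for this page, not code from the thread or from HijackThis), here is a small Python script that parses the O1 (hosts file) and O17 (NameServer) lines from a HijackThis log, and the raw hosts file itself, and flags the kind of entries singled out above: a hostname mapped to an address other than loopback, in particular one of the hostnames Internet Explorer resolves for its address-bar and "page not found" search. The sample log and hosts lines are constructed from the entries posted above plus one benign blocking line for contrast; the list of search-assist hostnames and the trusted_dns allowlist are assumptions for the example. Note that an O17 NameServer entry is only reported when the address is not on that allowlist, because a company machine using an internal DNS server is legitimate and removing that entry would break name resolution, so check the address against your own network before fixing it.

```python
import ipaddress
import re

# Hostnames Internet Explorer resolves for its address-bar / "page not found"
# search feature. A hosts entry sending one of these anywhere but loopback
# hands those lookups to the hijacker's server. (Assumed list for this example.)
SEARCH_ASSIST_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = ([\d., ]+)")
HOSTS_RE = re.compile(r"^(\S+)\s+(\S+)")

# Constructed sample in HijackThis log format, modelled on the log posted in
# this thread, with one blocking-style O1 line added for contrast.
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: 207.36.196.189 auto.search.msn.com",
    r"O1 - Hosts: 207.36.196.189 search.netscape.com",
    r"O1 - Hosts: 207.36.196.189 ieautosearch",
    r"O1 - Hosts: 127.0.0.1 ads.example.net",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{DAA3356F-27AD-4A7F-8FA7-D85AA76DDE34}: NameServer = 149.79.138.1",
])

# Constructed sample hosts file: the same redirections as a hijacker writes
# them, next to the stock loopback line and a comment.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "127.0.0.1       localhost",
    "207.36.196.189  auto.search.msn.com",
    "207.36.196.189  search.netscape.com",
    "207.36.196.189  ieautosearch",
])


def classify_hosts_entry(ip_text, hostname):
    """Verdict for one hostname -> IP mapping: block, hijack, redirect or malformed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        # 127.0.0.1 / 0.0.0.0 entries are how ad-blocking hosts files work.
        return "block"
    if hostname.lower() in SEARCH_ASSIST_HOSTS:
        return "hijack"
    # Any other real address is still a redirect worth explaining.
    return "redirect"


def parse_hosts_file(text):
    """Return (hostname, ip, verdict) for every mapping in a hosts file."""
    results = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()  # drop comments and blanks
        m = HOSTS_RE.match(body) if body else None
        if m:
            ip, host = m.groups()
            results.append((host, ip, classify_hosts_entry(ip, host)))
    return results


def review_hijackthis_log(text, trusted_dns=()):
    """Return (line, verdict) for O1/O17 lines that deserve a second look.

    trusted_dns is a list of CIDR strings naming DNS servers you recognise;
    a NameServer outside them is reported as unknown, not declared malicious.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_dns]
    findings = []
    for line in text.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            verdict = classify_hosts_entry(ip, host)
            if verdict != "block":
                findings.append((line, verdict))
            continue
        m = O17_RE.match(line)
        if m:
            for ns in re.split(r"[ ,]+", m.group(1).strip()):
                try:
                    addr = ipaddress.ip_address(ns)
                except ValueError:
                    findings.append((line, "malformed-dns:" + ns))
                    continue
                if not any(addr in net for net in trusted):
                    findings.append((line, "unknown-dns:" + ns))
    return findings


def clean_hosts_text(text):
    """Hosts file with hijack/redirect lines removed; comments and blocking kept."""
    kept = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        m = HOSTS_RE.match(body) if body else None
        if m and classify_hosts_entry(m.group(1), m.group(2)) in ("hijack", "redirect"):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line, verdict in review_hijackthis_log(SAMPLE_LOG):
        print(f"{verdict:<14} {line}")
    print(clean_hosts_text(SAMPLE_HOSTS))
```

On a real machine you would read C:\WINNT\system32\drivers\etc\hosts into `parse_hosts_file` and write the result of `clean_hosts_text` back only after the process that keeps re-creating the entries has been stopped (hence the safe-mode advice later in this thread); otherwise the hijacker simply rewrites the file.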

Thanks so much for your help.

I’ll keep this one. It’s my company’s internal home page.

I’m supposed to delete this or insert it or something?

There’s actually a hosts file in my C:\WINNT\system32\drivers\etc folder called “hosts.” When I look at it in Notepad, it shows this –

But when I try to delete or change this, it reappears automatically.

Also, when I reboot, I get an error message saying that there are some files that have been modified and it asks for the Windows CD. I wonder if this is the problem?

Which link would this be?

Looks like the home page redirecting malware has edited your HOSTS file. Boot into safe mode, delete this file, and then replace it with the one downloaded. As to the problems on startup, what does it say? Does it specify a file? Chances are you have a backup copy on the installation disk.

http://webpages.charter.net/hpguru/hosts/hosts.html
You can safely delete your old file.

Try Adaware again, but instead of running the default option (“Perform smart system scan”), check “Use custom scanning options”, and select “Customize”, then check “Scan my IE favorites for banned URLs” and “Scan my hosts file”.

Make sure you are using Adaware 6.0, build 6.181, update 01R303 08.05.2004. If it is anything other than this version, it is not up to date, and won’t remove the latest variations.

I forgot to add, if adaware still fails to remove the IGetNet browser hijacker (which is what you have), here are the instructions to remove it by hand.