Tactical Gamer > General Forums > Hardware & Software Discussion
Thread: spy ware.
#16  _Ender_  09-11-2005, 03:43 PM

I booted into safe mode, ran every spyware program I have installed, and I'm still getting hijacked and have popups.

Here is the log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:48:02 PM, on 9/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tacticalgamer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshmdtm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\sYfrcdlg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

Please help, this is seriously pissing me off.
#17  CingularDuality  09-11-2005, 04:00 PM

Quote:
Originally Posted by _Ender_
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
Ugh, there's one problem...
#18  _Ender_  09-11-2005, 04:25 PM

Get right?
#19  CingularDuality  09-11-2005, 04:54 PM

Quote:
Originally Posted by _Ender_
Get right?
Yes, it's well known to be a carrier of spyware...

Maybe this will help?:
http://www.accs-net.com/smallfish/getrite.htm
#20  _Ender_  09-11-2005, 05:01 PM

o_O

I've never had a problem with get right though....
#21  AzzMan  09-11-2005, 05:05 PM

Apparently you do now.
#22  perry  09-11-2005, 06:29 PM

Eh, don't think Get Right is the cause of the problem, unless it brought trojans and worms along with it. Or maybe it's just one of the problems...

Quote:
Originally Posted by _Ender_
C:\Program Files\Common Files\Windows\services32.exe
This is probably W32/Rbot-MB, or another similar worm. http://www.sophos.com/virusinfo/analyses/w32rbotmb.html

Quote:
C:\Program Files\Common Files\services.exe
http://www.trendmicro.com/vinfo/viru...ROWT.A&VSect=T


Quote:
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
Probably Adware.Shorty - http://securityresponse.symantec.com...re.shorty.html Remove it.

Quote:
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
Remove those two.

Quote:
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\sYfrcdlg.dll
Not sure what this is, but I don't think it's good. Remove those things I mentioned while in safe mode, delete the files if you can, reboot, run HijackThis while booted normally and post the log again.
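The diagnosis in the post above comes down to reading the HijackThis log line by line and asking, for each entry, where the file lives, what name it uses and who registered it. The following is an added example, not code from the thread or from HijackThis, that automates that reasoning over a constructed subset of the log _Ender_ posted. The allow-lists it uses (core Windows process names, the Winlogon Notify DLLs that ship with XP, Spybot's SDHelper CLSID) and the heuristics themselves are assumptions chosen for illustration; the script only flags lines, it removes nothing.

```python
"""Triage a HijackThis-style log: flag running processes and persistence
entries that match the patterns discussed in the thread.

Added example, not part of HijackThis or the original post.  The
allow-lists below are assumptions for illustration, not authoritative.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted above, in HijackThis
# v1.99 format (raw string so the Windows backslashes survive).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Trillian\trillian.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tacticalgamer.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\sYfrcdlg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Core Windows process names (assumed list). A file with one of these
# names, or a variant such as services32.exe, outside %WINDIR% is a lookalike.
CORE_NAMES = {"smss", "csrss", "winlogon", "services", "lsass",
              "svchost", "spoolsv", "explorer"}

# Winlogon Notify DLLs that ship with Windows XP (assumed list); anything
# else is loaded into winlogon.exe at every logon and deserves a look.
KNOWN_NOTIFY_DLLS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                     "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# BHO CLSIDs treated as known-good here: Spybot S&D's SDHelper (assumed).
KNOWN_BHO_CLSIDS = {"{53707962-6F74-2D53-2644-206D7942484F}"}

WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\(SYSTEM32\\)?[^\\]+$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<dll>.+)$")
R_RE = re.compile(r"^R[0-3] - .+?,(?P<setting>[^=]+?) = (?P<value>.*)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def path_findings(path):
    """Heuristics for any executable path, whether a running process or
    the target of a Run value."""
    reasons = []
    stem = basename(path).lower().rsplit(".", 1)[0]
    if stem.rstrip("0123456789") in CORE_NAMES and not WINDIR_RE.match(path):
        reasons.append("core Windows process name outside %WINDIR%")
    if "\\common files\\" in path.lower():
        reasons.append("executable launched from Common Files (a shared-library directory)")
    if re.search(r"\d{4,}", stem):
        reasons.append("machine-generated file name")
    return reasons


def triage(log_text):
    """Return [(log_line, [reason, ...])] for each line worth a second look."""
    findings = []
    run_targets = defaultdict(list)   # binary name -> Run value names that start it
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        reasons = []
        if in_processes:
            reasons = path_findings(line)
        elif (m := O4_RE.match(line)):
            exe = re.match(r"(.+?\.exe)", m["cmd"], re.I)   # drop arguments like -quiet
            path = exe.group(1) if exe else m["cmd"]
            reasons = path_findings(path)
            run_targets[basename(path).lower()].append(m["name"])
        elif (m := O20_RE.match(line)):
            if basename(m["dll"]).lower().rsplit(".", 1)[0] not in KNOWN_NOTIFY_DLLS:
                reasons.append("Winlogon Notify DLL not shipped with Windows")
        elif (m := O2_RE.match(line)):
            if m["clsid"].upper() not in KNOWN_BHO_CLSIDS:
                reasons.append("browser helper object not in the known-good list")
        elif (m := R_RE.match(line)):
            if m["value"].lower().startswith("file://"):
                reasons.append("IE %s points at a local file" % m["setting"])
        if reasons:
            findings.append((line, reasons))
    # The same binary registered under several Run values (here [services32]
    # and [DNS]) is one self-reinstalling persistence entry, not two programs.
    for name, values in run_targets.items():
        if len(values) > 1:
            findings.append((name, ["registered under %d Run values: %s"
                                    % (len(values), ", ".join(values))]))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample it flags exactly the entries perry singled out (both Common Files executables, the Catcher.dll BHO, the two Run values, the sYfrcdlg.dll Winlogon Notify entry) plus the Search Bar redirect to a local file, and leaves svchost.exe, Trillian, Yahoo! Pager and SDHelper alone. Whatever tool you use, the allow-lists are the weak point: a real triage compares the file's path, size and signer against a known-good baseline rather than trusting the name.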
#23  _Ender_  09-11-2005, 08:51 PM

If I reformat, will I get rid of all of this crap?
#24  AzzMan  09-11-2005, 09:08 PM

I believe so, but in my opinion it would be easier simply not to.
#25  _Ender_  09-11-2005, 09:21 PM

A lot of that stuff doesn't appear when I'm in safe mode though.
#26  Vulcan  09-11-2005, 09:51 PM

You have to go into the registry for some of it. My guess is that it was cleaned, then put back when you booted up into normal mode because a file was missed. Make sure you delete all your cookies, temp files and internet temp files as well.

CWShredder is your friend; google it and download it. You could reformat, but this is common these days and you should probably arm yourself now and educate yourself.
#27  CingularDuality  09-11-2005, 09:57 PM

Quote:
Originally Posted by Vulcan
you could reformat but this is common these days and you should probably arm yourself now and educate yourself.
Bah... You should reformat at least once a year. I've only once been infected by anything malicious, and a reformat was much simpler than doing anything else...
#28  perry  09-11-2005, 10:14 PM

Quote:
Originally Posted by _Ender_
A lot of that stuff doesn't appear when I'm in safe mode though.
They may not be running, but it should at least be listed in the Hijack This window for you to remove. If not, remove them when booted normally and hope for the best.

I say to remove them in Safe Mode because lots of worms will add themselves right back in to the registry if you remove them. In Safe Mode, they generally won't be running so you should be able to remove them.

Reformatting will get rid of the crap... but I like to beat the crapware instead of giving up.
#29  Vulcan  09-11-2005, 10:51 PM

Indeed, once a year is good, Cing, I agree. However, when spyware becomes problematic from something that you are trying to utilize (i.e. a website or program), you can easily lock it down and continue to use that website or program. I'm like perry though, and I always go for the knowledge over format c:\
#30  _Ender_  09-12-2005, 03:48 AM

>_< I don't know what I did (I just ran the antivirus program from another thread) and that seemed to have deleted most of the stuff going on.

I am going to let it run overnight (the antivirus program) to check again. Then run the 2 spyware programs.


I want to thank you guys for your help and suggestions.