Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Hijacked...Two Services I can't get rid of...Help 1

Status
Not open for further replies.
paychek

paychek

Technical User
Mar 11, 2002
5
0
0
US
I have tried running the newest spybot with the most updated pop up definitions, and also use Adaware 6.0(registered ver.) and I still have two ads that bring up ads at anytime during the day. When I am gaming, the ads pop up and take me from my game to my desktop to find another anoying popup. I have found the two pop up programs in the services tab. When I try to get rid of them in the services, they rename themselves and reappear. Any advice would be helpful. I just hope I don't have to re-format at this time.
Thanx
Mikey
 
Sort by date Sort by votes
download the program called "hijack this" and post the logfile it creates after you scan.

also, go to housecall.trendmicro.com and run a full scan of your C: drive. This program is good at getting rid of the trojans that keep reinfecting the system after rebooting.

then, run adaware and spybot again. dont run your browser at all until we can look at the hijack this log and determine what else may need to be removed.

lastly, when you ran ad-aware, if it listed VX2, download the VX2 cleaner plugin available for ad-aware, and run it as well.
 
Upvote 0 Downvote
all good advice...
I would shut off System Restore & do the scans in safe mode too
------------------------------------------------
AND;
Do not forget to turn System Restore on again... when done
 
Upvote 0 Downvote
Are you at SP2 level?

If not, update your system, or at least make sure the Messenger service is disabled and that you have Firewall protection.

Removing adware & spyware
faq608-4650

Removing adware & spyware
How to beat your advertising popups & other browser nasties
FAQ608-3482

Try surfing as a Limited User rather than an Administrator to prevent these types of attacks and alterations to your system.

Make sure your options in IE/ Tools/ Internet Options/ Advanced are correct.

Uncheck the boxes for "Install on Demand" for IE and Other programs (two boxes).



 
Upvote 0 Downvote
Here is a log of highjack this prog that I ran.

Logfile of HijackThis v1.98.2
Scan saved at 1:17:33 PM, on 11/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\GivLt51.exe
C:\WINDOWS\system32\QmtPCB55.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Mike\Local Settings\Temp\E5f.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [5XPAD68248ZCMK] C:\WINDOWS\system32\Dwy13U.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - O17 - HKLM\System\CCS\Services\Tcpip\..\{FB691391-45F3-47B9-9AB5-D3EA5786442B}: NameServer = 216.31.31.1,216.31.31.193

Thanx
Mikey
 
Upvote 0 Downvote
I noteiced you are using an older version of ad-aware. I would recommend downloading the latest (SE or personal) versions and rescanning- it has a better detection engine.

now for the hijack this log:

WARNING: removing these items ~might~ result in winsock corruption. you may want to download the winsock fix files from and have it available before removing any entries - that way you can get back online if the winsock does get corrupted.
<<<<<<<<<>>>>>>>>>>
run hijack this and remove these for sure:
C:\WINDOWS\system32\GivLt51.exe
C:\WINDOWS\system32\QmtPCB55.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Mike\Local Settings\Temp\E5f.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [5XPAD68248ZCMK] C:\WINDOWS\system32\Dwy13U.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - <<<<<<<<>>>>>>>>>
Suspicious-if you didnt install them or know what they are, i would remove these also:
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe –silent
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - <<<<<<<<>>>>>>>>
after removing all bad entries in HJT, reboot into safe mode, and if these files exist, manually delete: msbe.dll, mscb.dll, nvms.dll.

reboot again into normal mode, and follow the advice of the other posts above. delete all temp and temp internet files. check the "local settings\temp\" folder under your profile in "c:\documents and settings\(your username)" and delete anything suspicious such as "patch.exe" "windupdates.exe" etc.

rerun adaware 9new version), spybot, housecall, and hijack this. if you come up clean, you should be good to go.

it may not be a bad idea to delete some of your cookies, or at least ones with obvious advertising or malware URL's.

there may be some trace files left in the windows and system32 folders, but those require manual removal, and its dangerous if you remove the wrong things - so best leave that alone.

dont also forget to go to control panel->add/remove programs and remove any programs that have offers, rebates, and search bars in their name, or anything you know you didnt install and doesnt seem to belong there. DO NOT remove any windows update or hotfix files. if you get an error that the program isnt found, remove it from the programs list- answer yes.

lastly, be sure to use spybot's immunize feature after cleaning everything up, and make sure your all patched up w latest updates from microsoft.
 
Upvote 0 Downvote
You might also consider Spy Sweeper. It runs in real time and will notify you whenever identified malware arrives on your machine. It's a pretty good anti-malware app, although you will probably want to turn it off when you're gaming as it may cause some jerky movement. I use Spy Sweeper running in real time (except when gaming) and supplement it with SpyBotS&D and Ad-Aware about once a week. Their algorithms & definitions don't entirely overlap, so one may catch something that the others miss.

S
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Flinx
  • Locked
  • Question
the SAGA of trying to get a computer to sleep and wake up on a schedule
Replies
1
Views
498
Flinx
Flinx
pjw001
  • Question
Latest Windows Update - End of Service
Replies
2
Views
458
pjw001
pjw001
goombawaho
  • Locked
  • Question
Risk of running unsupported server version 1
Replies
7
Views
192
goombawaho
goombawaho
johncp
  • Locked
  • Question
W10 Defender blocking installation of uTorrent
Replies
9
Views
341
mikrom
mikrom
Mike Lewis
  • Locked
  • Question
Using TASKKILL to close a bunch of EXEs
Replies
7
Views
282
mikrom
mikrom

Part and Inventory Search

Sponsor

Back
Top