View Full Version : Hijacked and Spybot is not helping



velfaires
2006-02-20, 17:48
I've been hijacked by some malicious popup hack that seems to avoid Ad-aware, Spybot, Norton Antivirus and Windows Update. I've tried everything in the book and can't seem to make it stop. Every minute or so, I get a popup, even with Google Popup Blocker and SpywareBlaster installed!

The only thing I've noticed in my task manager is that rundll32.exe is running when it shouldn't be. I've also noticed that these websites continually pop up.


A search online has led me to believe 7adpower is to blame, but after following Symantec's removal guide, it still continues. Most of the registry keys listed in that help section did not exist; maybe the malicious program has changed: http://www.symantec.com/avcenter/venc/data/dialer.7adpower.html


Do you notice anything I can fix in my registry? Thanks so much in advance... I'm so frustrated...




Logfile of HijackThis v1.97.7
Scan saved at 12:44:13 AM, on 2/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\B's Recorder GOLD8\bgsvc.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\imejpmgr.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\HijackThis.exe

F0 - system.ini: Shell=
F0 - REG:system.ini: Shell=
F0 - REG:system.ini: UserInit=
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Aki Hayase\Application Data\Mozilla\Profiles\default\muj29kl8.slt\prefs.js)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Xm] C:\WINNT\mggyc.exe
O4 - HKLM\..\Run: [Xt゚] C:\WINNT\mggyc.exe
O4 - HKLM\..\Run: [Xv-] C:\WINNT\mggyc.exe
O4 - HKLM\..\Run: [Printers] C:\WINNT\system32\spoolsv.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: PollSt_0.txt
O4 - Startup: .plugin140_03.trace
O4 - Startup: LuResult.txt
O4 - Global Startup: ntuser.pol
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint 印刷 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint 高速印刷 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint プレビュー - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint 印刷リストに追加 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint プレビュー - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint 印刷 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint 印刷リストに追加 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint 高速印刷 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

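As an added defender-side illustration, not part of this thread and not code from HijackThis itself: a small Python triage script that parses the O4 Run entries from a log like the one above and flags the pattern visible in it, several oddly named Run values all launching the same executable dropped in the Windows directory root. The sample lines are constructed from the log above (one garbled value name is simplified) and the Windows directory path is an assumed parameter.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 Run entries from the HijackThis log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [Xm] C:\\WINNT\\mggyc.exe
O4 - HKLM\\..\\Run: [Xt] C:\\WINNT\\mggyc.exe
O4 - HKLM\\..\\Run: [Xv-] C:\\WINNT\\mggyc.exe
O4 - HKLM\\..\\Run: [Printers] C:\\WINNT\\system32\\spoolsv.exe
O4 - HKLM\\..\\Run: [AtiPTA] atiptaxx.exe
"""

# Matches "O4 - <hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_o4(log_text):
    """Return (hive, value_name, command) for every O4 Run line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return entries

def target_of(cmd):
    """Executable part of a Run command, lower-cased, arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                # quoted path, may contain spaces
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ")[0].lower()

def triage_o4(log_text, windir="c:\\winnt"):   # windir is an assumption
    """Flag Run targets that are (a) referenced by more than one value name
    or (b) sitting directly in the Windows directory root; legitimate
    installers rarely do either, so both warrant a closer look."""
    by_target = defaultdict(list)
    for _hive, name, cmd in parse_o4(log_text):
        by_target[target_of(cmd)].append(name)
    findings = {}
    for target, names in by_target.items():
        reasons = []
        if len(names) > 1:
            reasons.append(f"{len(names)} Run values point to the same file")
        if target.rpartition("\\")[0] == windir.lower():
            reasons.append("executable sits in the Windows directory root")
        if reasons:
            findings[target] = {"names": names, "reasons": reasons}
    return findings
```

Run `triage_o4(SAMPLE_LOG)` to get the flagged targets with the value names that launch them and the reason each was flagged.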
tashi
2006-02-20, 18:29
Hello.
Did you see here: Before you post a log (http://forums.spybot.info/showthread.php?t=288)

You need to download an up-to-date version of HJT from the links there and post the results of that. (HijackThis v1.97.7 is very old.)

Then a helper will assist you when available.

tashi
2006-02-25, 20:22
Due to lack of a response this topic will be archived.