View Full Version : myspywarecleaner.com



incijalu
2005-11-09, 14:52
When I open Internet Explorer it opens (in the uppermost blue part of IE) with

http://www.google.com.au (my home page) very briefly then changes to
http://www.httpwww.mspyc.hop.clickbank.net/rehop
then
http://www.myspywarecleaner.com/sc/?hop=httpwww
which also loads into the address bar and redirects my home page to an ad for myspywarecleaner (Google was changed to http://www.google.com.au./.com in the home page address bar - I deleted the 2nd /.com and this seems to have got me back to Google as my home page, though I'm not convinced that alone is enough to have got rid of the problem!)
Have run Spybot but it doesn't seem to have got rid of it - tried to update Spybot unsuccessfully a couple of times but get !!!badchecksum! Is it likely that this hijacker could be blocking Spybot? Not sure where it came from - 3 teenagers also use this PC and despite antivirus (AVAST), Windows Firewall and Ad-Aware, still got this one - most likely with a download of some sort. Any ideas on how to get rid of it, and could it be specifically targeting Spybot to prevent me from updating?
Spybot reports nothing found. I've just installed Spybot 1.4 from a demo CD, which updated OK but reports nothing found.

I'm running recently installed (a week or 2 ago) Windows XP Service Pack 2 with automatic updates activated (formatted and reinstalled the OS after replacing MB and CPU, needed to re-authenticate Windows) - this only appeared a few days ago.

Running BitDefender now as I'm typing this, which has so far identified (and deleted)
Trojan clicker
exploit win 32 MS
application browser hijacker Nav excel search toolbar
then seemed to hang displaying "update failed"
so will probably have to start it again, then will try the other online scans suggested. I have an extremely slow dial-up connection, 28kbs - yes, we are truly backwards out here in parts of Australia - and believe it or not we're only about 50 miles from the centre of Melbourne and this is the best we can get!
Thought I'd be a bit cheeky and post this in the meanwhile - hope nobody minds - I may have died of old age before I manage to go through the rest of the scans! Following is the HijackThis logfile.
Cheers

Logfile of HijackThis v1.99.1
Scan saved at 9:54:13 PM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\PRISMSVR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ASUS\Probe\ASUSPROB.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\freeware\antispyware\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [FusionTrayAgent] C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
O4 - HKLM\..\Run: [FusionRemote] C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMC2862W-G EZ Connect g 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O15 - Trusted Zone: http://cache.ysbweb.com
O15 - Trusted Zone: http://www.ysbweb.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131027131156
O17 - HKLM\System\CCS\Services\Tcpip\..\{40D6E775-9427-41BA-82D6-9EDC0B973748}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

LonnyRJones
2005-11-09, 18:33
Hi incijalu

Have HijackThis fix these items:
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O15 - Trusted Zone: -http://www.lyricshosting.com
O15 - Trusted Zone: -http://cache.ysbweb.com
O15 - Trusted Zone: -http://www.ysbweb.com
========
Other than that it looks good.

Have the symptoms you mentioned returned? Any other odd goings on?
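
As an added example (not part of the original thread and not HijackThis's own code), this small Python parser groups log entries like the ones posted above by section code and pulls out the kinds of lines the reply singles out: O4 Run entries, O15 Trusted Zone sites, and entries marked "(file missing)". The sample log is a constructed excerpt of lines from this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines taken from the log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: http://www.lyricshosting.com
O15 - Trusted Zone: http://cache.ysbweb.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Entry lines start with a letter+number code followed by " - " (O2, O4, O15, ...).
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry autostart lines: hive, abbreviated key path, [value name], command.
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

def parse_entries(text):
    """Group entry lines by section code; process paths and headers are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def trusted_zone_sites(sections):
    """Sites listed in IE's Trusted Zone (O15), for manual review."""
    prefix = "Trusted Zone: "
    return [e[len(prefix):] for e in sections.get("O15", []) if e.startswith(prefix)]

def run_entries(sections):
    """(hive, value name, command) for each O4 registry Run entry."""
    return [m.groups() for m in map(RUN.match, sections.get("O4", [])) if m]

def missing_files(sections):
    """Entries whose target file HijackThis reported as missing."""
    return [(code, e) for code, entries in sections.items()
            for e in entries if e.endswith("(file missing)")]

if __name__ == "__main__":
    s = parse_entries(SAMPLE_LOG)
    print("Trusted Zone sites:", trusted_zone_sites(s))
    print("Run entries:", run_entries(s))
    print("Missing files:", missing_files(s))
```

The parser only surfaces entries for a human to review; deciding which ones to fix, as in the reply above, still takes knowledge of what belongs on the machine.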

incijalu
2005-11-09, 22:59
Hi LonnyRJones
Thanks for your help. Symptoms don't seem to have returned and nothing else odd appears to be going on (so far anyway!). I've had HijackThis fix the items you suggested and will continue running a few other online virus scans - I missed the extra ./com that had added itself to http://wwwgoogle.com.au initially, I think, so browser "hijacking" was not as persistent as I first thought.
Was concerned that some "nasty" was actually targeting Spybot to prevent it from updating, but if it was it doesn't seem to have worked with 1.4.
Thanks again

LonnyRJones
2005-11-10, 02:40
Good

The badchecksum problem is seen here quite a bit. When that happens simply choose another server: http://www.safer-networking.org/en/faq/20.html


Regards

LonnyRJones
2005-11-17, 10:36
I'm glad we could help.
Since the problems are solved I'm going to close the topic now. This keeps others with similar problems from posting their logs/questions here; they should start a new topic.
If you should need to post another log for the same PC send a message to someone on the Net-Integration staff with a link to this thread.