Adware, Hijacker Removal help

iepeulas · 12th May 2006

Hi Folks,

I've been having problems with my computer lately. I've tried AdAware, Seek and Destroy, and Ewido, but to no avail. I also tried searching the archives here; I tried a few things, but my comp is still acting funny.

The Symptoms:
When I do a google search, and click on a page, my browser will redirect to "netster", "buycamoflaugeclothingonline.com", "shopzilla.com", or some other random ad page. This probably happens 1/3 of the time I search. It sometimes happens when I type in a web address, but less often.

When I lauch IE, the "back", "forward","stop", "reload" etc. buttons don't appear. THis also happens about 1/3 of the time.

I'm running Windows 2000 on an old Toshiba Satellite Laptop.

Below is the latest log file from Hijack This!
***********************************
Logfile of HijackThis v1.99.1
Scan saved at 8:34:38 PM, on 5/11/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Lee\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/Serv...d&ltmplcache=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...44/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst56w.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

*************************************
Thanks for any help you all can render!

Cheers!

iepeulas · 12th May 2006

Update:

I ran ewido again and it found several instances of downloader.agent.uj

When I tried to clean it, I recieved an "error during cleaning" message.

**PeteC** · 12th May 2006

It is not immediately apparent from your HJT log what is causing these redirects so it may be necessary to try a number of solutions .....

Print out these instructions as you will need to restart your computer during this process.
Download FixWareout from here http://downloads.subratam.org/Fixwareout.exe and save it to your desktop.

Double click on fixwareout.exe to install - you will need to be connected to the Internet at the time. Follow the onscreen prompts - you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts and post a copy of the report text which opens (copy and paste into your next post.

Your home page, etc will be reset - you can change that later

Then scan with HijackThis and post the log here.

iepeulas · 13th May 2006

THanks for you assisstance, but I have already fixed the problem. I did some more searching and found that someone cured a similar problem with blacklight.

Blacklight found three suspicious processes, one was a windows process, but the other two were malicious. I renamed them, and my computer was magically normal again!!! Hooray! no malware here!