Hijack Removal

Hijacker

I have done the following to try to get rid of this hijacker & it still is coming up.

Any suggestions?

First put HJT into it's own folder, you wouldn't want to lose the backups HJT makes if you make a mistake. Remove these with all browsers closed and Windows Explorer windows, such as My Documents, Control Panel etc, closed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=103&q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=103&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\spe\start.chm::/start.html#
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.6.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [svih] C:\WINDOWS\svih.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe "
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=103&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=103&q=
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/opnste/UCSearch.CAB

Reboot and delete these folders and their contents.
C:\spe
C:\Program Files\Hotbar
C:\Program Files\WildTangent
C:\Program Files\Open Site
and this file.
C:\WINDOWS\svih.exe
It may be a Hidden file, and the C:\Spe folder may not exist.

Then go into Internet Options, under the Programs tab, click on Reset Web Settings.

 

Post a whole log please, provided it is the most curent version and in a folder other than a temp

 

I have tried everything to remove this & no luck. This is what I have done.

It would have been better to start your own thread, and get a better range of advice from others. So normally I do not do this in a PM.

First put HJT into it's own folder, you wouldn't want to lose the backups HJT makes if you make a mistake. Remove these with all browsers closed and Windows Explorer windows, such as My Documents, Control Panel etc, closed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=103&q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=103&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\spe\start.chm::/start.html#
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.6.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [svih] C:\WINDOWS\svih.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe "
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=103&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=103&q=
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/opnste/UCSearch.CAB

Reboot and delete these folders and their contents.
C:\spe
C:\Program Files\Hotbar
C:\Program Files\WildTangent
C:\Program Files\Open Site
and this file.
C:\WINDOWS\svih.exe
It may be a Hidden file, and the C:\Spe folder may not exist.

Then go into Internet Options, under the Programs tab, click on Reset Web Settings.



Here is my latest hijack logfile after doing the above:
Logfile of HijackThis v1.98.2
Scan saved at 9:15:04 PM, on 10/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Free Surfer\fs20.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ca.exe
C:\PROGRA~1\HITWAR~1\HITWAR~1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\DOCUME~1\BEVERL~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=103&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=103&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\spe\start.chm::/start.html#
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe "
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ca.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HitwarePKLite] C:\PROGRA~1\HITWAR~1\HITWAR~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Corel Network monitor worker - {E6DE40C2-B9F8-4515-9784-6773100D27FA} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E6DE40C2-B9F8-4515-9784-6773100D27FA} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {E6DE40C2-B9F8-4515-9784-6773100D27FA} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E6DE40C2-B9F8-4515-9784-6773100D27FA} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=103&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=103&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=103&q=
O16 - DPF: {5CE92A27-9F6A-11D2-9D3D-000001155641} (DVS Control) - http://eurotechcomputers.com/dvc.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.1.0.9.14.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

 

Hi

Please use the addreply button not start new topic

Your running Hijackthis from a temp and it still hasnt been unzipped, neither is a good idea.
Create a new folder, for instance C:\AntiSpyware
Download the exe from here to that new folder. and post a new log.
http://radiosplace.com/
This is necessary to ensure you have backups should anything go wrong

 

twty2, you do not seem to understand the HJT does not work very well when it is run from the zipped file. The evidence of this is here. It needs to be in it's own folder, and it does warn you about this.
C:\DOCUME~1\BEVERL~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
Your hijackers were not removed properly because of this. We'll need a new log to work with.