Hi
I am quite fed up with spyware, this time: http://prosearching.com/searchbar.html
(I'd wish to have a valid email to call a bit of names to such [Moderator's edit: Please keep it clean; we ask that our members not use profanity in these forums. Thanks])


Is there any safe tutorial on how to get rid of IE hijacking? (CWShredder has got 2 links where there are explanations on how to uninstall Java Virtual Machine and other items which allow hijacking.)

In the meantime, perhaps any of you could assist me to clear my system out of this rubbish (what the h e l l is that: C:\ARQUIVOS DE PROGRAMAS\MIX MAIL LOVE\POLLBAIT.EXE)


Here you've got the logfile:


HijackThis v1.97.7
Scan saved at 1:00:59, on 23/04/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
D:\12GHOSTS\12SRVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\ADMUNCHER\ADMUNCH.EXE
C:\ARQUIVOS DE PROGRAMAS\MIX MAIL LOVE\POLLBAIT.EXE
C:\ARQUIVOS DE PROGRAMAS\MYVITALAGENT8\VITALAGENT\PROGRAM\VTLAGENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
D:\CHATBROWSER4.0\CB_4001.EXE
C:\ARQUIVOS DE PROGRAMAS\SYSAI\SYSAI.EXE
D:\!DOWNLOAD\!_HIJACK_CLEAN\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Multi Media Marketing
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://home.uol.com.br/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ACROBATREADER\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - D:\12Ghosts\12popup.dll
O2 - BHO: (no name) - {904071B0-0D97-86B7-E2E8-38105E672165} - C:\ARQUIVOS DE PROGRAMAS\SOFTWARE 2 LONG\SEEK64.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\ARQUIVOS DE PROGRAMAS\SYSAI\APROPOSPLUGIN.DLL
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - D:\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ad Muncher] D:\ADMUNCHER\ADMUNCH.EXE /bt
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE"
O4 - HKLM\..\Run: [Flaw Dog] C:\ARQUIV~1\MIXMAI~1\Pollbait.exe
O4 - HKLM\..\RunServices: [12Ghosts TrayProtect] D:\12GHOSTS\12srvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: MyVitalAgent.lnk = C:\Arquivos de programas\myvitalagent8\VitalAgent\Program\VtlAgent.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - D:\Arquivos de programas\getright502\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Arquivos de programas\getright502\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ComVC (HKCU)
O12 - Plugin for .spop: C:\ARQUIV~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O19 - User stylesheet: C:\WINDOWS\color.css

All 4 Replies

I'm moving this to our one-day old Security forum :) for all your hijacking needs ;)

Hi. :) Close all (browser) windows & have HJT fix these entries by placing a check in the appropriate box:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html

O2 - BHO: (no name) - {904071B0-0D97-86B7-E2E8-38105E672165} - C:\ARQUIVOS DE PROGRAMAS\SOFTWARE 2 LONG\SEEK64.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\ARQUIVOS DE PROGRAMAS\SYSAI\APROPOSPLUGIN.DLL

O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE"

Reboot into safe mode following the instructions here & navigate to & delete

C:\ARQUIVOS DE PROGRAMAS\SYSAI < this one
C:\ARQUIVOS DE PROGRAMAS\SOFTWARE 2 LONG < this one
C:\WINDOWS\TEMP < entire contents of folder

Reboot normally & you should be good.

Also remove this with HijackThis & remove the folder whilst in safe mode too.

O4 - HKLM\..\Run: [Flaw Dog] C:\ARQUIV~1\MIXMAI~1\Pollbait.exe

C:\ARQUIV~1\MIXMAI~1 < this one in safe mode.

A few tips to stay relatively clean.

Download & install Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
Also in tweaks under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion.'
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot.

Download & install Spybot S&D from here. Update it before scanning. Go into settings & have it check for Beta releases also & download if available.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise; you should do this. In the immunise section there is also a link to download Spywareblaster. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot.

Check out the "So how did I get infected to start with..." thread here
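
A triage aid for logs like the one in this thread, added here as an example and not part of any post: it groups HijackThis entries by section code, counts the hosts that the Internet Explorer R0/R1 values point to, and lists O4 autoruns launched from a TEMP directory. The function names and the two heuristics are assumptions of this example; they only narrow down what to review and do not decide what is malicious.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://home.uol.com.br/
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\ARQUIVOS DE PROGRAMAS\SYSAI\APROPOSPLUGIN.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE"
O4 - HKLM\..\Run: [Flaw Dog] C:\ARQUIV~1\MIXMAI~1\Pollbait.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then the entry body

def parse_entries(text):
    """Group log entries by their HijackThis section code (R0, O2, O4, ...)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return groups

def ie_redirect_hosts(groups):
    """Count hosts that the IE start/search values (R0/R1) point to."""
    hosts = Counter()
    for body in groups.get("R0", []) + groups.get("R1", []):
        key, _, value = body.partition(" = ")
        if "Internet Explorer" not in key:
            continue  # e.g. Internet Connection Wizard values
        host = re.sub(r"^[a-z]+://", "", value.strip(), flags=re.I).split("/")[0]
        if "." in host:  # skips non-URL values such as Window Title
            hosts[host.lower()] += 1
    return hosts

def autoruns_from_temp(groups):
    """Return O4 startup entries whose command runs out of a TEMP directory."""
    return [b for b in groups.get("O4", []) if re.search(r"\\TEMP\\", b, re.I)]

if __name__ == "__main__":
    g = parse_entries(SAMPLE_LOG)
    print("entries per section:", {code: len(v) for code, v in g.items()})
    print("IE start/search hosts:", dict(ie_redirect_hosts(g)))
    for entry in autoruns_from_temp(g):
        print("autorun from TEMP:", entry)
```

Entries such as the `Flaw Dog` autorun and the two BHOs named in the replies are not caught by either heuristic, so the grouped output still needs a manual read.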
