
Hijacked by CoolWWWSearch


  • This topic is locked
36 replies to this topic

#16 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 15 December 2005 - 05:23 AM

PS. I noticed that the following two HijackThis files are still there even if I have removed them twice:

O2 - BHO: (no name) ........ (no file)
O16 - DPF: webiress.


You will need to disable spybot's teatimer. Instructions above.

Edited by little eagle, 15 December 2005 - 05:24 AM.


#17 Kingparrot

    New Member

  • Authentic Member
  • 18 posts

Posted 15 December 2005 - 07:45 PM

I disabled the TeaTimer in Spybot. I also disabled ZoneAlarm, SpywareGuard, and all other programs. Then I used the HijackThis Fix it button. After restart, checking with HijackThis again, the two items had disappeared. However, after powering down, they reappeared in HijackThis. Now what, thanks.

#18 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 15 December 2005 - 07:48 PM

Start ZoneAlarm ;) and post another log please.

#19 Kingparrot

    New Member

  • Authentic Member
  • 18 posts

Posted 15 December 2005 - 10:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 15:12:54, on 16-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros.../v6/V5Controls/en/x86/client/wuweb_site.cab?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Here it is with ZoneAlarm and my other programs (VNC, Norton, SpywareGuard, Spybot) running, as well as NetTrafficMeter. Did you mean that I should have only ZoneAlarm running, or is this OK?

#20 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 16 December 2005 - 04:38 AM

Open 3S (system security suite). Click the BHO tab, put a check mark by

O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)

and click Delete checked.

Diskmgr, Disk Cleanup or Cleanmgr to delete Download program files, Temp Files, Temporary Internet Files, empty the Recycle Bin, and Active X Controls aka Downloaded Program Files.
Go To Start --> All Programs --> Accessories --> System Tools --> Disk CleanUp. Double Click on DiskCleanup and the wizard will check your hard drive for files to delete in the above areas. When it locates all the files, it will ask you what you want to delete. Put a check mark beside: Download program files, Temp Files, Temporary Internet Files, empty the Recycle Bin and click ok. Those folders will be safely emptied.

Reboot and post another log.

#21 Kingparrot

    New Member

  • Authentic Member
  • 18 posts

Posted 16 December 2005 - 06:36 AM

Logfile of HijackThis v1.99.1
Scan saved at 23:29:53, on 16-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros.../v6/V5Controls/en/x86/client/wuweb_site.cab?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Did the 3S and DiskCleanup in Safe mode.

Rebooted and did HijackThis in Normal mode, result is above and the buggers are still there.

Just wondering, are you doing this 25 hours a day, 8 days a week?

Cheers and thanks

#22 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 16 December 2005 - 06:46 AM

Just wondering, are you doing this 25 hours a day, 8 days a week?


Sometimes it seems like it.
Reboot in Safe Mode and fix them with HijackThis.

Also, in Notepad, click Format and make sure Word Wrap is unchecked before you post another log.
Have to go to work now ;) but I'll check on it when I get in.

#23 Kingparrot

    New Member

  • Authentic Member
  • 18 posts

Posted 16 December 2005 - 04:38 PM

Logfile of HijackThis v1.99.1
Scan saved at 09:23:42, on 17-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Did as you said and triple checked that only those two items were checked. Rebooted to Normal, then rebooted again to Safe, ran HijackThis and saved the Notepad above. Them buggers are still there.

Also, noticed the following:

On the Desktop, the text underneath the icon My Computer has changed to little squares, same in Windows Explorer.

My normally two icon high Taskbar has reverted back to one icon high.

Cheers and thanks.

#24 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 16 December 2005 - 09:40 PM

Hello Kingparrot,
Little Eagle has been called in to work and he asked me to help with your log.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.


Once fix is completed in the all clear post!!

Enable Teatimer

Open Spybot
Click on Tools in bottom left hand corner.
Click on Resident.
Check Resident "TeaTimer" box.
Click on Allow change ONLY to popup box with:
Entry: SpybotSD Teatimer
Click on Mode, select Default mode
Close Spybot

We also need to disable SpywareGuard, as it may interfere with some of our HijackThis fixes:

Right click the SpywareGuard icon in the System Tray at the bottom-right corner of the screen and open the program.
Then go to Menu, File, Exit.
Then confirm the program is closed.


Disable Ewido

From the system tray:
Right-click the system tray icon and uncheck real time protection.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O16 - DPF: webiress -


Close ALL windows and browsers except HijackThis and click "Fix checked"


Reboot in Normal Mode and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#25 Kingparrot

    New Member

  • Authentic Member
  • 18 posts

Posted 18 December 2005 - 01:11 AM

I am a little bit confused. After unchecking Resident TeaTimer in Spybot, disabling SpywareGuard and Ewido, should I then run HijackThis in Normal or Safe mode? Either way, after clicking Fix Checked in HijackThis, should I then follow your instructions below, or after restart into Normal Mode?

"Once fix is completed in the all clear post!! Enable Teatimer Open Spybot Click on Tools in bottom left hand corner. Click on Resident. Check Resident "TeaTimer" box. Click on Allow change ONLY to popup box with: Entry: SpybotSD Teatimer Click on Mode, select Default mode Close Spybot"

I am not sure what you mean with "Once fix is completed in the all clear post!!" Anyway, after I clicked Fix Checked in HijackThis I then tried to follow the above instructions. I checked the Resident TeaTimer box: there was no popup, nor can I find any "Allow change" key or button or Mode choice. I rechecked with HijackThis after restart, and the two items are still there. I must be missing something..... Thanks again


#26 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 December 2005 - 07:46 AM

Post a new HJT log from Normal Mode please.


#27 Kingparrot

    New Member

  • Authentic Member
  • 18 posts

Posted 18 December 2005 - 03:32 PM

Logfile of HijackThis v1.99.1
Scan saved at 08:30:24, on 19-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Here it is, and thanks.

#28 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 December 2005 - 03:39 PM

These show me that both are still running.

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

We also need to disable SpywareGuard, as it may interfere with some of our HijackThis fixes:
Right click the SpywareGuard icon in the System Tray at the bottom-right corner of the screen and open the program.
Then go to Menu, File, Exit.
Then confirm the program is closed.

Now post a new HJT log without rebooting and we'll see if they are disabled.

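As an added example (not code from this thread, from HijackThis, or from the forum's own tools), a small Python parser for the one-entry-per-line log format posted above: it flags the two orphaned entries LDTate asks to have fixed in post #24 (an O2 BHO whose DLL is "(no file)" and an O16 DPF with nothing behind it), and checks, as post #28 does by reading the O4 lines, whether TeaTimer and SpywareGuard are still set to autostart or still running, then diffs two logs to see what a fix actually removed. The sample logs are constructed from entries quoted in this thread, trimmed to the lines that matter.

```python
import re

# Constructed sample logs, one entry per line as HijackThis v1.99.1 writes them.
# The entries are copied from the logs posted in this thread: the "before"
# sample mirrors post #23 (TeaTimer and SpywareGuard both present) and the
# "after" sample mirrors post #29 (TeaTimer gone, SpywareGuard still present).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 09:23:42, on 17-Dec-05

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Hijack\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:51:43, on 19-Dec-05

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Hijack\HijackThis.exe

O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
"""

# Every scan entry looks like "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Protection tools the helpers asked to be switched off, keyed by the executable
# that appears both in the O4 autostart entries and in "Running processes".
GUARDS = {"Spybot TeaTimer": "teatimer.exe", "SpywareGuard": "sgmain.exe"}


def parse_entries(log_text):
    """Return (section, body) pairs for every R*/O* line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, in_block = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def orphaned_entries(entries):
    """Entries whose registry record survives but whose target is gone.

    An O2 BHO ending in "(no file)" is a CLSID still registered as a Browser
    Helper Object whose DLL no longer exists on disk; an O16 DPF entry with
    nothing after the dash is a Downloaded Program Files record with no
    CAB or URL behind it. These are the two lines this thread keeps fixing.
    """
    found = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            found.append(f"{section} - {body}")
        elif section == "O16" and body.rstrip().endswith("-"):
            found.append(f"{section} - {body}")
    return found


def active_guards(log_text):
    """Per guard tool: is it set to autostart (any O4 line) and is it running?"""
    entries = parse_entries(log_text)
    procs = [p.lower() for p in running_processes(log_text)]
    status = {}
    for name, exe in GUARDS.items():
        status[name] = {
            "autostart": any(s == "O4" and exe in b.lower() for s, b in entries),
            "running": any(p.endswith(exe) for p in procs),
        }
    return status


def diff_logs(before, after):
    """Entries removed from, and added to, the second log (two sorted lists)."""
    old = {f"{s} - {b}" for s, b in parse_entries(before)}
    new = {f"{s} - {b}" for s, b in parse_entries(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for line in orphaned_entries(parse_entries(LOG_AFTER)):
        print("still present:", line)
    print(active_guards(LOG_AFTER))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", removed)
    print("added:", added)
```

On the constructed logs the orphan check reports the same two lines before and after, TeaTimer goes from autostart/running to neither while SpywareGuard stays on in both, which is exactly the state post #29 describes.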

#29 Kingparrot

    New Member

  • Authentic Member
  • 18 posts

Posted 19 December 2005 - 05:13 AM

Logfile of HijackThis v1.99.1
Scan saved at 21:51:43, on 19-Dec-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bordernet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bordernet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bordernet.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.16.7.5:9877
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCDF80B6-C388-AE90-E5A2-66EDD4482F41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C:\Program Files\NET Traffic Meter\NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: webiress -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132818435921
O17 - HKLM\System\CCS\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{17CE17AC-2BBD-4BD6-A4F1-13899E9BF0F1}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O17 - HKLM\System\CS2\Services\Tcpip\..\{05004CF8-826F-48BC-9836-1CF23548D08A}: NameServer = 61.88.88.88,192.65.91.129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


I did as you said re TeaTimer and checked after that with HijackThis. It did not work (checked with Hijack, TeaTimer still there). Then in Spybot/Mode I ticked Default Mode and after that Advanced Mode and did the same thing: O4 - HKCU TeaTimer.exe had disappeared.

I did as instructed for the SpywareGuard but checking with Hijack it is still there.

Now what, and thanks.

#30 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 December 2005 - 05:57 PM

How is the computer running? Any problems?
