Need Help with the Ads234 Hijack

Savestheday1703 · #1 (**permalink**) 08-09-2004, 10:25 PM

I've already read many threads about this Hijack and it's obvious that it's quite hard to remove. I've been noticing the Internet slow down for about a week, but only yesterday did I determine Ads234 to be the issue.

I ran Spybot, Ad-aware, and SpyDoctor. I also ran Hijack this, but I'm not sure how to post my log.

What do I have to click or change to save my log? I really need help with this, for some reason I can't connect to my hotmail account to check my E-mail or anything. This bug is really bothersome.

Any help would be so greatly appreciated! Thanks!

Chelsea

owen · #2 (**permalink**) 09-09-2004, 06:13 PM

Could you click the link in my signature which explains how to post a Hijack This log. Also download the latest version of Hijack This which is contained in that page, yours is out of date.

Savestheday1703 · #3 (**permalink**) 09-09-2004, 07:47 PM

Thanks!! Alright here's my log.

Logfile of HijackThis v1.98.2
Scan saved at 3:41:08 PM, on 9/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\aimsgr.exe
C:\documents and settings\chels\local settings\temp\y3e1W.exe
C:\WINDOWS\System32\varpc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chels\Desktop\hijackthis.exe

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chels\Local Settings\Temp\QSmeMKh2.dll
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [Microsoft Visual Studio VSA] varpc32.exe
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\RunServices: [Microsoft Visual Studio VSA] varpc32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll

owen · #4 (**permalink**) 09-09-2004, 08:15 PM

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chels\Local Settings\Temp\QSmeMKh2.dll
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [Microsoft Visual Studio VSA] varpc32.exe
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\RunServices: [Microsoft Visual Studio VSA] varpc32.exe
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Go to C:\Documents and Settings\Chels\Local Settings\Temp\ and once in the folder click Edit> Select All and hit the delete key to get rid of the contents of the folder, but not the folder itself.

Delete the following files and folders:
C:\WINDOWS\System32\aimsgr.exe
C:\WINDOWS\System32\varpc32.exe
C:\Program Files\Web Offer
C:\WINDOWS\System32\mssaru.dll

Then reboot and post a fresh log

Savestheday1703 · #5 (**permalink**) 09-09-2004, 09:34 PM

Okay, did all that. Here's the new log. A couple of new things came up when I scanned with Hijack this.

Logfile of HijackThis v1.98.2
Scan saved at 5:30:58 PM, on 9/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Chels\Desktop\hijackthis.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)

owen · #6 (**permalink**) 09-09-2004, 10:04 PM

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)

Click Fix Checked

Reboot and post a fresh log

Savestheday1703 · #7 (**permalink**) 09-09-2004, 10:38 PM

Fresh log:

Logfile of HijackThis v1.98.2
Scan saved at 6:34:41 PM, on 9/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Chels\Desktop\hijackthis.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

Another problem I've been experiencing which i thought would be fixed when Ads234 was removed (Because the problem started when Ads234 started to hijack my computer): I cannot access my Hotmail.com email account OR my AOL.com email account. It says that the "page cannot be displayed" when I log in. However, I created a Yahoo.com account about an hour ago just to check and see if ALL email logins weren't working, but the Yahoo.com account logged into the mailbox successfully. Any idea what might be causing this?

owen · #8 (**permalink**) 10-09-2004, 07:12 AM

Thats a clean log. I know that Hotmail use Secure Login so AOL might do as well.

Open Internet Explorer. Go to Tools> Internet Options

Click the Advanced Tab and scroll down to where it says Security.

Ensure that the following boxes are checked:
Use SSL 2.0
Use SSL 3.0

Click Apply, then click Ok. Give it another go

Savestheday1703 · #9 (**permalink**) 10-09-2004, 06:20 PM

Okay.. Bother SSL 2.0 and 3.0 were enabled already. I don't understand why this is happening?

owen · #10 (**permalink**) 10-09-2004, 06:31 PM

Start Internet Explorer.

Go to Tools> Internet Options.

Click the Programs tab and then at the bottom click Reset Web Settings

Then click the Advanced tab and at the bottom, click the Restore Defaults button.

Reboot and try Hotmail and AOL again.