hijacked by Noos site,pls help

[Hellokitty_123]

My computer has been hijacked, my Internet Explorer keeps going on this site called NOOS and the site is in French. Please help me how to get rid of it. I installed my Norton again but I can't get it to run Live updates but when it scanned it didnt't detect any viruses, I also installed Microsoft antispyware but its not doing anything. what can I do to get rid of it.

And after I get rid of it do I have to uninstall Windows XP and all the programs and start fresh?

[Mobo]

Get The latest version of Adaware
You can download the free version here:
[Only Registered and Activated Users Can See Links. Click Here To Register...]

or here (alternate download location)
[Only Registered and Activated Users Can See Links. Click Here To Register...]

You need to be logged on as Adminstrator through the installation.
For ease in installation and operation, view the tutorial here [Only Registered and Activated Users Can See Links. Click Here To Register...]

Just download it to your desktop and then to install click on the file you just downloaded (aawsepersonal.exe). You will be guided through the installation. It is recommended to use the default setting of "Protect anyone who uses this computer".

On the main screen of Adaware please look for the *check for updates now* link, just above the start button in the bottom right corner or you can click on the Webupdate button that looks like a globe icon at the top. Press * connect* to let it check for any recent updates. If any are found, please let it download and install them.

Now, configure your settings. Click the gear icon at the top. These are the recommended settings:

AAW SE settings

General Button
Safety:
Check (Green) all three.

Advanced Button
Logfile Detail Level:
All options under this should be checked (Green).

Tweak Button
Check (Green) the following:
Log Files
Include basic Ad-Aware settings in logfile:
Include additional Ad-Aware settings in logfile:
Please do not check (Green): Include Module list in logfile:

On your first scan, use the Full Scan (Perform full system scan) mode.

Let Adaware remove any *bad* objects found. Reboot your PC and scan again. Repeat this process until no more bad items are found. It may take several scans to clean everything, depending on the type of infections found.
________________________
Download Spybot - Search & Destroy, from here [Only Registered and Activated Users Can See Links. Click Here To Register...] if you haven't already got the program.
For ease in installation and operation you can opt to view the tutorial here [Only Registered and Activated Users Can See Links. Click Here To Register...]

Click on Settings, and Settings again. Go to the Webupdate section, and check Display also available beta versions.

Now press Online, and search for, and put a check mark next to all updates, and install following the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.
__________________________________________________ _________________
Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

__________________
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin
____________________
If the system is millenium or xp

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore on all Drives.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
_______________________________
Download HijackThis from:

[Only Registered and Activated Users Can See Links. Click Here To Register...]

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

[Hellokitty_123]

I got the computer running again but I think I did something wrong, I installed Hijack This first then run it, then I deleted entries that are not familiar to me and it didnt' take out that Noos site on the IE so Then I tried to install lavasoft adware but its not taking me to the installing process where it asks you where to install it, so I installed Spybot Search and Destroy and it worked. I noticed that I didn't do the installing in order like you suggested so maybe I did something wrong. Now I want to clean the whole system should I follow the instructions from this forum [Only Registered and Activated Users Can See Links. Click Here To Register...]. Also I want to Uninstall my Windows XP before doing that do I have uninstall all my programs first and will everything will be wiped out already? Do I have to uninstall my drives as well?. I want to start everything fresh on my computer but I don't know how to go about it. When I bought it, it came with 40 GB and I installed a 120GB. When I bought this computer at Future Shop we had them program it and then they gave me Restore CD for Emachines, is that what I need to Reinstall Windows XP.

Also how do I find out how my computer got hijacked in the first place? Sorry for asking too many questions.And thank you for all the help [img]style_emoticons/<#EMO_DIR#>/unsure.gif[/img]

[Mobo]

I wouls suggest opening hijack, clicking scan / config / backups and then restore all.
Rescan and save the log then post it here for me to look at.

[Hellokitty_123]

Logfile of HijackThis v1.99.1
Scan saved at 10:56:28 AM, on 4/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [Only Registered and Activated Users Can See Links. Click Here To Register...]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [Only Registered and Activated Users Can See Links. Click Here To Register...]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [Only Registered and Activated Users Can See Links. Click Here To Register...]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = ;127.0.0.1;localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Messenger\ycomp.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Messenger\ycomp.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 9.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "G:\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "G:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "G:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "G:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] G:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - G:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.shaw.ca
O16 - DPF: 6th Street Omaha Poker by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Aces Up! by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Arcsoft Web Uploader - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Big Shot Roulette TM by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Blackjack by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Chess by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Double Deuce Poker by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Fortune Bingo by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Harvest Mania by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Jokers Wild Poker by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Multiline Slots by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Phlinx by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Poppit by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Word Whomp by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: WordJong by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: World Class Solitaire by pogo - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Yahoo! Chat - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Yahoo! Pool 2 - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - Unknown owner - G:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVI C~1.EXE (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown owner - G:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: fsbwsys - Unknown owner - G:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - G:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: F-Secure HTTP Server (fshttps) - Unknown owner - G:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe (file missing)
O23 - Service: FSMA - Unknown owner - G:\Program Files\Shaw Secure\Common\FSMA32.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.ex e
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Mobo]

This is the only entry to be removed at this time:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

[Hellokitty_123]

thank u. Another question Do I still have to download anything else to try to clean my system?

[Mobo]

I would try a fresh download of adaware and in addition visit my spyware scanner pager here [Only Registered and Activated Users Can See Links. Click Here To Register...]


There are some great tips here as well that you should read [Only Registered and Activated Users Can See Links. Click Here To Register...]

[Hellokitty_123]

Quote:

Originally posted by Mobo@Apr 8 2005, 05:25 PM
I would try a fresh download of adaware and in addition visit my spyware scanner pager here [Only Registered and Activated Users Can See Links. Click Here To Register...]
There are some great tips here as well that you should read [Only Registered and Activated Users Can See Links. Click Here To Register...]
<div align="right">Quoted post</div>

Do I have to install all the spyware in the list?

[Mobo]

Rather here [Only Registered and Activated Users Can See Links. Click Here To Register...]