Old December 10th, 2004, 11:06 PM
mechnut mechnut is offline
New Member
Join Date: Dec 2004
Posts: 4
Angry Browser Hijacked/Spyware

I have been hijacked and cannot seem to find the culprit. I am hoping this is the correct place to post this. Below is a log from HijackThis:

ogfile of HijackThis v1.98.2
Scan saved at 2:13:32 PM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Art\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://inside.arb.ca.gov/index.htm"); (C:\Documents and Settings\Art\Application Data\Mozilla\Profiles\default\0yyw4xsi.slt\prefs.j s)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101029439718

Any help getting this stuff off my computer would be greatly appericated!
Old December 10th, 2004, 11:11 PM
I forgot to mention I have loaded and run both Spybot and Adaware as well as PC Doctor, all of these seem to find different spyware programs but none have nailed the offender. This started AFTER I mistakenly made Iwon.com my homepage. I have edited the reg key that lists iwon as the Main start page, low and behold once the regedit is closed it goes right back. If I change it under internet options it goes right back as well. I hope this helps. Thanks for looking at the file.
Old December 11th, 2004, 12:27 AM
I guess this was posted in the wrong place. I see that other posts like this were moved to cyber saftey. I have reposted this there in hopes of finding someone who can decifer it.Very fed up with this stuff,wondering about going back to MAC, never had this with them!
