|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
![]() |
|
Topic Tools |
#1
|
|||
|
|||
browser hijacked!
My homepage keeps being redirected to some lame search page -
res://C:\WINNT\xagiv.dll/sp.html#37049 I downloaded Spybot, and it finds CoolWWWSearch, and I 'fix' it, but it doesn't go away. So I downloaded HiJack This, and here's the log I get. I also downloaded the CWShredder, and 'fixed' everything, but it's still there. Can this be fixed? Logfile of HijackThis v1.97.7 Scan saved at 6:25:34 PM, on 6/15/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\ibmpmsvc.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\Program Files\Perle\Dialout\DOAUX.EXE C:\WINNT\system32\hidserv.exe C:\Program Files\Borland\InterBase\bin\ibguard.EXE C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINNT\System32\NALNTSRV.EXE C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\Program Files\Network Associates\VirusScan\Webscanx.exe C:\WINNT\System32\QCONSVC.EXE C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\systemhound\shservice.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\wm.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\atlhy32.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\Program Files\Borland\InterBase\bin\ibserver.EXE C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\dpmw32.exe C:\WINNT\system32\NWTRAY.EXE C:\Program Files\Analog Devices\SoundMAX\Smtray.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\WINNT\AGRSMMSG.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\WINNT\System32\cdplayer.exe C:\Program Files\Perle\Dialout\DOSRVRIP.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\WINNT\mspm.exe C:\WINNT\system32\ICO.EXE C:\WINNT\system32\Pelmiced.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Perle\Dialout\DOSRVC.EXE C:\Program Files\Microsoft Office\Office\FINDFAST.EXE C:\WINNT\System32\MsiExec.exe C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE C:\PROGRA~1\WINTEG~1\wIntegSM.exe C:\PROGRA~1\WINTEG~1\wInteg.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\laurel1\Desktop\HijackThis.exe C:\Program Files\systemhound\shservice.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xagiv.dll/sp.html#37049 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xagiv.dll/index.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xagiv.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xagiv.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xagiv.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xagiv.dll/sp.html#37049 O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {DAC7F0E5-7588-70C5-3BAC-24FC655B881E} - C:\WINNT\javaeb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server" O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray O4 - HKLM\..\Run: [DOSRVRIP] C:\Program Files\Perle\Dialout\DOSRVRIP.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg" O4 - HKLM\..\Run: [mspm.exe] C:\WINNT\mspm.exe O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Dial-Out Service Manager.lnk = C:\Program Files\Perle\Dialout\DOSRVC.EXE O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - https://www-3.ibm.com/pc/support/acc...d/tgctlins.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E4} (ShowSetupObj4 Class) - http://invite.mshow.com/(eshcn045wvtthjn5uxhq4445)/ShowSetup4.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://suzuki/crystalreportviewers/a...ivexviewer.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b2fd56acedf40...p/RdxIE601.cab O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...d/IbmEgath.cab O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://e-licious/TSWeb/msrdp.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...152.8827893519 O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://idsgrp.webex.com/client/late...ok/ieatgpc.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = decisionsys.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = decisionsys.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = decisionsys.com |
#2
|
|||
|
|||
When you used CWShreader did you have your browser and other windows closed ?
|
#3
|
|||
|
|||
Yes, all browser windows were closed. I tried it again after reboot with no network connection, and rebooted, and now Spybot is running clean. And CWShredder shows nothing detected. But the home page redirect is still happening. I also went through my Add/Remove programs, and I see something new there called "Home Search Assistant". When I click on the change/remove button, it takes me to a blank webpage - http://t73.com/ Here's an updated Hijack log.
Logfile of HijackThis v1.97.7 Scan saved at 9:49:13 AM, on 6/16/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\ibmpmsvc.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\Program Files\Perle\Dialout\DOAUX.EXE C:\WINNT\system32\hidserv.exe C:\Program Files\Borland\InterBase\bin\ibguard.EXE C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINNT\System32\NALNTSRV.EXE C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\Program Files\Network Associates\VirusScan\Webscanx.exe C:\WINNT\System32\QCONSVC.EXE C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\systemhound\shservice.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\wm.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\atlhy32.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\Program Files\Borland\InterBase\bin\ibserver.EXE C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\dpmw32.exe C:\WINNT\system32\NWTRAY.EXE C:\Program Files\Analog Devices\SoundMAX\Smtray.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\WINNT\AGRSMMSG.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\WINNT\System32\cdplayer.exe C:\Program Files\Perle\Dialout\DOSRVRIP.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINNT\mspm.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Perle\Dialout\DOSRVC.EXE C:\Program Files\Microsoft Office\Office\FINDFAST.EXE C:\Program Files\Webshots\WebshotsTray.exe C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE C:\WINNT\System32\MsiExec.exe C:\Documents and Settings\laurel1\Desktop\laureltest\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xagiv.dll/sp.html#37049 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xagiv.dll/index.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xagiv.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xagiv.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xagiv.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xagiv.dll/sp.html#37049 O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {DAC7F0E5-7588-70C5-3BAC-24FC655B881E} - C:\WINNT\javaeb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server" O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray O4 - HKLM\..\Run: [DOSRVRIP] C:\Program Files\Perle\Dialout\DOSRVRIP.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg" O4 - HKLM\..\Run: [mspm.exe] C:\WINNT\mspm.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Dial-Out Service Manager.lnk = C:\Program Files\Perle\Dialout\DOSRVC.EXE O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - https://www-3.ibm.com/pc/support/acc...d/tgctlins.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E4} (ShowSetupObj4 Class) - http://invite.mshow.com/(eshcn045wvtthjn5uxhq4445)/ShowSetup4.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://suzuki/crystalreportviewers/a...ivexviewer.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b2fd56acedf40...p/RdxIE601.cab O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...d/IbmEgath.cab O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://e-licious/TSWeb/msrdp.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...152.8827893519 O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://idsgrp.webex.com/client/late...ok/ieatgpc.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = decisionsys.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = decisionsys.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = decisionsys.com |
#4
|
||||
|
||||
Rescan once again with hijack and put a check next to each of the following then close all browser windows and click "fix checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xagiv.dll/sp.html#37049 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xagiv.dll/index.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xagiv.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xagiv.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xagiv.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xagiv.dll/sp.html#37049 O2 - BHO: (no name) - {DAC7F0E5-7588-70C5-3BAC-24FC655B881E} - C:\WINNT\javaeb.dll O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray O4 - HKLM\..\Run: [mspm.exe] C:\WINNT\mspm.exe O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E4} (ShowSetupObj4 Class) - http://invite.mshow.com/(eshcn045wvtthjn5uxhq4445)/ShowSetup4.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b2fd56acedf40...p/RdxIE601.cab O O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://idsgrp.webex.com/client/late...ok/ieatgpc.cab Then reboot into safe mode and delete: C:\WINNT\mspm.exe Then reboot and post a fresh log please. |
#5
|
|||
|
|||
Well, I followed all instructions and have a new log file. I haven't shaken them off yet.
(btw - you all should qualify for sainthood or something for all the help you give poor souls like me) Logfile of HijackThis v1.97.7 Scan saved at 4:49:46 PM, on 6/16/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\ibmpmsvc.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\Program Files\Perle\Dialout\DOAUX.EXE C:\Program Files\Network Associates\VirusScan\Webscanx.exe C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\WINNT\system32\hidserv.exe C:\Program Files\Borland\InterBase\bin\ibguard.EXE C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINNT\System32\NALNTSRV.EXE C:\WINNT\System32\QCONSVC.EXE C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\systemhound\shservice.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\wm.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\atlhy32.exe C:\WINNT\system32\apitd.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\Program Files\Borland\InterBase\bin\ibserver.EXE C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\dpmw32.exe C:\WINNT\system32\NWTRAY.EXE C:\Program Files\Analog Devices\SoundMAX\Smtray.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\WINNT\AGRSMMSG.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\Program Files\Perle\Dialout\DOSRVRIP.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Perle\Dialout\DOSRVC.EXE C:\Program Files\Microsoft Office\Office\FINDFAST.EXE C:\Documents and Settings\laurel1\Desktop\laureltest\HijackThis.exe C:\Program Files\systemhound\shservice.exe O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {90285149-6C96-49CF-B9F7-789C3F3A24BF} - C:\WINNT\system32\apitd.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server" O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [DOSRVRIP] C:\Program Files\Perle\Dialout\DOSRVRIP.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg" O4 - HKLM\..\Run: [apitd.exe] C:\WINNT\system32\apitd.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Dial-Out Service Manager.lnk = C:\Program Files\Perle\Dialout\DOSRVC.EXE O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - https://www-3.ibm.com/pc/support/acc...d/tgctlins.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://suzuki/crystalreportviewers/a...ivexviewer.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...d/IbmEgath.cab O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://e-licious/TSWeb/msrdp.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...152.8827893519 O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = decisionsys.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = decisionsys.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = decisionsys.com |
#6
|
||||
|
||||
Rescan and check each of these then close all browser windows and click"fix checked"
O2 - BHO: (no name) - {90285149-6C96-49CF-B9F7-789C3F3A24BF} - C:\WINNT\system32\apitd.dll O4 - HKLM\..\Run: [apitd.exe] C:\WINNT\system32\apitd.exe O O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://e-licious/TSWeb/msrdp.cab then reboot your system into safe mode and delete: C:\WINNT\system32\apitd.exe C:\WINNT\atlhy32.exe |
#7
|
|||
|
|||
That just may have done it. I'm surfing with my fingers crossed, though (which is more difficult than it may sound.) Here's the hijack log after the latest. How's it look?
Logfile of HijackThis v1.97.7 Scan saved at 5:16:46 PM, on 6/16/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\ibmpmsvc.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\Program Files\Perle\Dialout\DOAUX.EXE C:\WINNT\system32\hidserv.exe C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\Program Files\Borland\InterBase\bin\ibguard.EXE C:\Program Files\Network Associates\VirusScan\Webscanx.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINNT\System32\NALNTSRV.EXE C:\WINNT\System32\QCONSVC.EXE C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\systemhound\shservice.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\wm.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\Program Files\Borland\InterBase\bin\ibserver.EXE C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\dpmw32.exe C:\WINNT\system32\NWTRAY.EXE C:\Program Files\Analog Devices\SoundMAX\Smtray.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\WINNT\AGRSMMSG.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\Perle\Dialout\DOSRVRIP.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Perle\Dialout\DOSRVC.EXE C:\Program Files\Microsoft Office\Office\FINDFAST.EXE C:\Documents and Settings\laurel1\Desktop\laureltest\HijackThis.exe O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server" O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [DOSRVRIP] C:\Program Files\Perle\Dialout\DOSRVRIP.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg" O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Dial-Out Service Manager.lnk = C:\Program Files\Perle\Dialout\DOSRVC.EXE O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - https://www-3.ibm.com/pc/support/acc...d/tgctlins.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://suzuki/crystalreportviewers/a...ivexviewer.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...d/IbmEgath.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...152.8827893519 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = decisionsys.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = decisionsys.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = decisionsys.com |
#8
|
||||
|
||||
That does look better...
|
![]() |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
![]() |
||||
Topic | Topic Starter | Forum | Replies | Last Post |
Hijacked Browser | peterm69 | Malware Removal | 5 | September 3rd, 2007 12:09 AM |
Browser Hijacked - Tried Everything!! | putt44 | Malware Removal | 3 | August 20th, 2004 03:33 AM |
Hijacked browser 2 | Mary Ann | Malware Removal | 1 | June 27th, 2004 04:10 AM |
Hijacked Browser | Quality-1 | Malware Removal | 9 | May 10th, 2004 06:16 AM |
help my browser is hijacked | e1h2 | Malware Removal | 3 | April 15th, 2004 12:46 AM |
All times are GMT +1. The time now is 09:35 PM.