
browser hijacked?


Original Message
Name: woods
Date: January 4, 2006 at 09:25:24 Pacific
Subject: browser hijacked?
OS: Windows XP home SP2
CPU/Ram: 768
Comment:

When I turn on Internet Explorer, I get www.securitycaution.com coming up instead of my regular homepage. I have used spycatcher, adaware, antispy and cwshredder, and nothing has worked.




Response Number 1
Name: Zenith
Date: January 4, 2006 at 13:19:10 Pacific
Subject: browser hijacked?

Have you tried HiJackThis!? It will show you BHOs (Browser Hijack Objects) and more.

HiJackThis!


WILL POST FOR FOOD.




Response Number 2
Name: jabuck
Date: January 4, 2006 at 15:13:25 Pacific
Subject: browser hijacked?

Or if you want to, post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made without cluttering your desktop or other folders, and the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor (comment box) at this forum.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

To get HT into its own folder go to start>my computer>local disk(c:)>File>New>Folder. A new folder will appear with the name box highlighted; type "HJT" without the quotes (or whatever you want to name it), then click a blank spot on the screen.

Download HT,in the file download box click "save", then in the "save in" box click the drop down arrow to the right of the box>click local disk(c:)>click the HJT folder you created >click save. Once it downloads close the window.

Go to start>my computer>local disk (c:)>double click the HJT folder>double click the HJT.zip file>click the HT folder that was extracted. Run Hijack This.




Response Number 3
Name: woods
Date: January 4, 2006 at 21:38:16 Pacific
Subject: browser hijacked?

Logfile of HijackThis v1.97.7
Scan saved at 10:20:42 AM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Anvshell.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kellys\Local Settings\Temporary Internet Files\Content.IE5\05MRO1S3\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldofwarcraft.com/
R3 - URLSearchHook: (no name) - {F57F6078-8C05-54D6-6B3E-8F5E8D45CCEE} - lpt.dll (file missing)
O2 - BHO: (no name) - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp11E6.tmp
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iehelper] StatusCheck.exe
O4 - HKLM\..\Run: [ExchangeMaster] sbin.exe
O4 - HKLM\..\Run: [dmbhk.exe] C:\WINDOWS\system32\dmbhk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [killall] Serviceprocess.exe
O4 - HKCU\..\Run: [keybdll] SysEntry.exe
O4 - HKCU\..\Run: [WTFCTF] SpyElim.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134093885328
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{562C16EE-6489-4583-ADAD-4E9A2C4AF9C1}: NameServer = 85.255.116.166,85.255.112.224
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C1D8774-F78E-4BDB-B773-9CDDEE45CDFD}: NameServer = 85.255.116.166,85.255.112.224
O17 - HKLM\System\CCS\Services\Tcpip\..\{932D1C41-DC63-409C-9EFA-07FA3F0273D2}: NameServer = 85.255.116.166,85.255.112.224



Response Number 4
Name: Abnormal
Date: January 4, 2006 at 22:25:29 Pacific
Subject: browser hijacked?

Until Jabuck gets back to you.

Please download HijackThis Self-installer

http://www.thespykiller.co.uk/files/HJTsetup.exe

1. This is the easiest way to install HijackThis to your computer
2. This is a complete installer that installs HijackThis on the computer to C:\Program Files\HijackThis.
3. It makes an entry in the start menu
4. It allows you to have a shortcut on your desktop as well.
5. HijackThis is currently at Version 1.99.1 released on 16.02.2005.
6. It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.

Courtesy of the www.thespykiller.co.uk/



Response Number 5
Name: woods
Date: January 5, 2006 at 09:48:48 Pacific
Subject: browser hijacked?

Logfile of HijackThis v1.99.1
Scan saved at 10:40:50 AM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Anvshell.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {F57F6078-8C05-54D6-6B3E-8F5E8D45CCEE} - lpt.dll (file missing)
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp11E6.tmp
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iehelper] StatusCheck.exe
O4 - HKLM\..\Run: [ExchangeMaster] sbin.exe
O4 - HKLM\..\Run: [dmbhk.exe] C:\WINDOWS\system32\dmbhk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [killall] Serviceprocess.exe
O4 - HKCU\..\Run: [keybdll] SysEntry.exe
O4 - HKCU\..\Run: [WTFCTF] SpyElim.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134093885328
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{562C16EE-6489-4583-ADAD-4E9A2C4AF9C1}: NameServer = 85.255.116.166,85.255.112.224
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C1D8774-F78E-4BDB-B773-9CDDEE45CDFD}: NameServer = 85.255.116.166,85.255.112.224
O17 - HKLM\System\CCS\Services\Tcpip\..\{932D1C41-DC63-409C-9EFA-07FA3F0273D2}: NameServer = 85.255.116.166,85.255.112.224
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe





Response Number 6
Name: jabuck
Date: January 5, 2006 at 19:05:58 Pacific
Subject: browser hijacked?

First go to start>control panel>add/remove programs>look for UnSpyPC and uninstall if found.

Please download Fixwareout from this link

http://swandog46.geekstogo.com/Fixwareout.exe

or

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop; don't run it yet.

Please download Killbox from this link Killbox to your desktop; don't run it yet.

Please download ccleaner, a temp file cleanup tool, from this link http://www.ccleaner.com/ccdownload.asp to your desktop; don't run it yet.

Download smitremfix from this link
http://noahdfear.geekstogo.com/ to your desktop. Open the file and it will extract itself to a new folder called SmitRem. Don't run it yet.

Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Don't run it yet.

Once everything is downloaded click on fixwareout to run it. Click next, then Install, then make sure "Run fixit" is checked and click finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. A copy of the log is located at C:\fixwareout\report.txt

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Place a check to the left of the following items and press “fix checked”:

R3 - URLSearchHook: (no name) - {F57F6078-8C05-54D6-6B3E-8F5E8D45CCEE} - lpt.dll (file missing)

O4 - HKLM\..\Run: [iehelper] StatusCheck.exe

O4 - HKLM\..\Run: [ExchangeMaster] sbin.exe

O4 - HKLM\..\Run: [dmbhk.exe] C:\WINDOWS\system32\dmbhk.exe

O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"

O4 - HKCU\..\Run: [killall] Serviceprocess.exe

O4 - HKCU\..\Run: [keybdll] SysEntry.exe

O4 - HKCU\..\Run: [WTFCTF] SpyElim.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{562C16EE-6489-4583-ADAD-4E9A2C4AF9C1}: NameServer = 85.255.116.166,85.255.112.224

O17 - HKLM\System\CCS\Services\Tcpip\..\{6C1D8774-F78E-4BDB-B773-9CDDEE45CDFD}: NameServer = 85.255.116.166,85.255.112.224

O17 - HKLM\System\CCS\Services\Tcpip\..\{932D1C41-DC63-409C-9EFA-07FA3F0273D2}: NameServer = 85.255.116.166,85.255.112.224

Try to access the internet. If you have a connection problem after removing the O17's, do this:


Go to Start > Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Now reboot into safe mode with the directions here, then open the SmitRem folder. Find the RunThis.bat and click it. Make sure all other open windows and programs are closed. If you haven't done this, then the program will remind you. Follow the onscreen directions and let smitremfix run, then disk clean will run (takes a few minutes).

While still in safe mode run Ewido and when the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.

While still in safe mode run ccleaner.

Please reboot into normal mode and post the ewido log, the fixwareout log and a HT log; we will still have some work to do.



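As an added example (written for this page, not code from the thread or from the HijackThis tool), here is a small Python triage pass that applies the criteria jabuck used above to the log lines woods posted. The trusted-resolver ranges, the severity labels and the helper names are assumptions of the example.

```python
# Added example: triage pass over HijackThis-style log lines, flagging the entry
# types jabuck singled out in this thread (O17 resolvers, pathless O4 Run
# entries, R3/O2/O18 entries with missing or .tmp files, O20 AppInit_DLLs).
import ipaddress
import re

# Assumption: the operator knows which resolvers are legitimate for the network;
# here we accept the RFC 1918 ranges a home router would hand out.
TRUSTED_DNS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O4_RE = re.compile(r"^O4 - HK[LC][MU]\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXT_RE = re.compile(r"^(?:R3|O2|O18) - ")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

def dns_is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted resolver ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_DNS)

def triage_line(line: str):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    line = line.strip()
    m = O17_RE.match(line)
    if m:
        bad = [s for s in m["servers"].split(",") if not dns_is_trusted(s)]
        return ("high", "untrusted NameServer " + ",".join(bad)) if bad else None
    m = O4_RE.match(line)
    if m:
        exe = m["cmd"].strip('"').split()[0]
        # A bare filename is resolved via the search path, so its origin is
        # unknown. Legitimate entries (nwiz.exe, RunDll32) trip this too: it is
        # a prompt to locate the file, not a verdict.
        if "\\" not in exe:
            return ("medium", "Run entry [%s] with unqualified executable %s" % (m["name"], exe))
        return None
    if EXT_RE.match(line):
        if "(file missing)" in line:
            return ("low", "orphaned browser entry: backing file missing")
        if re.search(r"\.tmp\b", line, re.IGNORECASE):
            return ("high", "browser extension loaded from a .tmp file")
        return None
    m = O20_RE.match(line)
    return ("high", "AppInit_DLLs injected into every GUI process: " + m["dlls"]) if m else None

def triage_log(text: str):
    """Run triage_line over a whole log; returns [(severity, reason, line), ...]."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings

# Sample lines quoted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {F57F6078-8C05-54D6-6B3E-8F5E8D45CCEE} - lpt.dll (file missing)
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp11E6.tmp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iehelper] StatusCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{562C16EE-6489-4583-ADAD-4E9A2C4AF9C1}: NameServer = 85.255.116.166,85.255.112.224
O20 - AppInit_DLLs: interceptor.dll
"""

if __name__ == "__main__":
    for sev, why, line in triage_log(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (sev.upper(), why, line))
```

The O17 check is the one that matters most here: a changed NameServer sends every lookup through a resolver the user never chose, which is why jabuck has the poster switch back to "Obtain DNS servers automatically" if the connection breaks after the fix.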

Response Number 7
Name: woods
Date: January 5, 2006 at 22:37:36 Pacific
Subject: browser hijacked?


Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSBHS.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool



Response Number 8
Name: woods
Date: January 5, 2006 at 23:10:47 Pacific
Subject: browser hijacked?


ewido anti-malware - Scan report


+ Created on: 12:03:24 AM, 1/6/2006
+ Report-Checksum: A410EC3B

+ Scan result:

C:\Documents and Settings\kellys\Cookies\kellys@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\WINDOWS\system32\csbhs.exe -> Downloader.Agent.uj : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:10:40 AM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134093885328
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




Response Number 9
Name: jabuck
Date: January 6, 2006 at 04:04:27 Pacific
Subject: browser hijacked?

Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.

C:\WINDOWS\SYSTEM32\CSBHS.EXE


Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.

Run fixwareout again, then run ewido from safe mode, then post those two logs.



Response Number 10
Name: woods
Date: January 6, 2006 at 10:01:49 Pacific
Subject: browser hijacked?

Killbox says the file doesn't exist.




Response Number 11
Name: woods
Date: January 6, 2006 at 10:19:05 Pacific
Subject: browser hijacked?

----------------------
ewido anti-malware - Scan report


+ Created on: 11:16:46 AM, 1/6/2006
+ Report-Checksum: 66F916B3

+ Scan result:

C:\Documents and Settings\kellys\Cookies\kellys@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\kellys\Cookies\kellys@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End



Response Number 12
Name: woods
Date: January 6, 2006 at 10:52:03 Pacific
Subject: browser hijacked?


Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool



Response Number 13
Name: jabuck
Date: January 6, 2006 at 15:22:13 Pacific
Subject: browser hijacked?

Yeah, Killbox says that sometimes, but you have to go through the process because it will kill the files. From viewing the logs you look clean. You can run HT again and look for the O17's, but I think you got 'em.



Response Number 14
Name: woods
Date: January 6, 2006 at 22:21:44 Pacific
Subject: browser hijacked?

No O17's. Thanks a lot for your help!



Response Number 15
Name: jabuck
Date: January 7, 2006 at 08:38:05 Pacific
Subject: browser hijacked?

Good, glad we could help woods.

For instructions on how to purge system restore click Here

To create a new restore point go Start>Run>type "msconfig" without the quotes>ok>Launch System Restore>Tick the circle beside "create a restore point">next>name it anything you wish>Create>home>restart the computer.

Do a Google search for "spywareblaster", download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer.

