I have spent a lot of time on my PC to regain control of my browser which apparently has been seriously hijacked; no progress yet!!
Symptoms are indicating to adware.magicads.
I have followed the instructions on the message:
http://www.computing.net/security/wwwboard/forum/7187.html
But the problem still persists.
My latest log from HijackThis is as below:
Logfile of HijackThis v1.97.7
Scan saved at 20:18:16, on 25/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\iedll.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijackthis spyware finding tool\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://approvedlinks.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://approvedlinks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O1 - Hosts: 66.40.16.131 www.livesexlist.com
O1 - Hosts: 66.40.16.131 www.lanasbigboobs.com
O1 - Hosts: 66.40.16.131 www.thumbnailpost.com
O1 - Hosts: 66.40.16.131 www.adult-series.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD Architectural 2\AcDcToday.ocx
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD Architectural 2\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD Architectural 2\AcPreview.ocx
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing) (HKLM)
The registry values such as ‘approvedlinks’ and the ones referring to IP 66.40.16.131, which I had deleted before, are back after reboot! The homepage of Internet Explorer is set to http://approvedlinks.com/sp.htm and it cannot be changed from the Internet Options! Ad-watch from Ad-aware shows that there is at least one attempt to modify the registry after startup.
The above symptoms make me suspicious of one of the running processes:
C:\WINDOWS\System32\Ati2evxx.exe
But I’m not sure. It could be related to my ATI graphics driver since it is very similar to:
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I see some guys here have a lot of experience with this kind of thing. Would you please help me sort this out? I would appreciate it if you include some explanations with your solutions as well so that I can understand what I’m doing.
Thanks a lot
Positron
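A small triage script for HijackThis logs like the one posted above, added here as an example (it is not code from this thread or from the HijackThis project). It parses the R0/R1 start and search page settings, the O1 hosts-file entries and the O4 Run entries and flags the three patterns this log shows; the sample lines are a subset of the poster's log, and the allow-list of expected hosts is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://approvedlinks.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://approvedlinks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 www.thumbnailpost.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
"""
# Assumed allow-list: hosts the owner expects IE to point at (the OEM's site here).
EXPECTED_HOSTS = {"www.meshcomputers.com"}
LOOPBACK = {"127.0.0.1", "0.0.0.0"}  # hosts entries to loopback are ordinary ad blocking
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
O1_LINE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<domain>\S+)$")
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def run_target(cmd: str) -> str:
    """Extract the executable path from an O4 command (quoted or bare, args dropped)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def triage(log: str) -> dict:
    """Flag IE page settings, hosts-file redirects and Run entries worth a closer look."""
    findings = {"ie_pages": [], "hosts_redirects": [], "run_entries": []}
    hosts_by_ip = defaultdict(list)
    for line in log.splitlines():
        if m := R_LINE.match(line.strip()):
            if m["value"].startswith(("http://", "https://")):
                host = urlparse(m["value"]).hostname
                if host not in EXPECTED_HOSTS:  # start/search page sent to an unexpected host
                    findings["ie_pages"].append((m["key"].split(",")[-1], host))
        elif m := O1_LINE.match(line.strip()):
            hosts_by_ip[m["ip"]].append(m["domain"])
        elif m := O4_LINE.match(line.strip()):
            path = run_target(m["cmd"])
            # Autoruns living directly in the Windows root (not System32) are unusual
            # for legitimate software; this log's iedll.exe and loader.exe are examples.
            if path.lower().rsplit("\\", 1)[0] == "c:\\windows":
                findings["run_entries"].append((m["name"], path))
    for ip, domains in hosts_by_ip.items():
        if ip not in LOOPBACK:  # domains silently pointed at a remote address
            findings["hosts_redirects"].append((ip, sorted(domains)))
    return findings
```

Running `triage(SAMPLE_LOG)` reports approvedlinks.com for both IE pages, the 66.40.16.131 hosts redirects, and the iedll and loader Run entries, while the Symantec ccApp entry and the OEM home page pass.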

You have some other problems, and I am much better at fixing these things when I am in front of them. You do have other problems that are quite obvious to me; I just cannot find any good information to tell you how to deal with them.
Either wait for Tom41 or some of the others who are pretty good at explaining how to fix your other problems. Tom41 eats viruses for breakfast and has become the resident virus, trojan and worm guru. He can also read a HijackThis log in his sleep, so I have heard :)
KTTD

This line is a problem:
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
See this link:
http://www.safersite.com/PestInfo/i/iedll_tooncomics.asp
As mentioned above, CWShredder should take care of a lot of them; make sure you follow the instructions regarding System Restore or they'll come back.
hth
shep

Check it out, a rookie slides in with an answer :) LOL!!!!
Sorry Shep, I could not resist.
Hope you are feeling better.
KTTD

"I appreciate if you include some explanations with your solutions as well so that I can understand what I’m doing."
The CoolWebSearch Chronicles
The story of a thousand hijacks
Did your problem happen on an updated system?
Post another log after you run the tool.
Abnormal

Following the advice I have been able to solve the problem. Just to let everybody know, the problem was definitely the Downloader.Tooncom. The manual solutions from Symantec and Pest Patrol cannot completely take care of the problem, and the only comprehensive solution is apparently CWShredder, which was provided in The CoolWebSearch Chronicles. (This guy is amazing!)
Many thanks to everybody who has helped me to solve the hijack, especially Abnormal, who appreciated my question. The only remaining concern is a file on my C root under the name of mads.exe, which I think might have been relevant to the problem. Any ideas if I can safely delete it?

Found some info, hope it tells you a little more. I just found your message in my computing net.
http://forum.misec.net/board/Trojans/1062319116
abnormal

Thanks for your attention.
Well, I had read this page before; there is a lot of information on this thread but they have not given the verdict. The only thing which is kind of tempting is to try to decode the EXE with a hex editor. Anyway, I have sent an email to the author of CWShredder to get his opinion as well.
Let's see what happens...
