
Help with Hijacker


Name: johnnyB
Date: December 22, 2003 at 04:15:48 Pacific
OS: XP home ed
CPU/Ram: celeron 1300 256M
Comment:

I need help with a hijacker problem. I think.
When I search on Netscape it returns the results. When I click on a link - instead of showing the web address in the URL box - it shows a boompage.jsp link. I have no idea what this is or how to get rid of it.

I downloaded Ad-aware 6.0 and Spyware blaster and spybot S&D and ran them all. They found bunches of stuff but it did not solve my problem.
I downloaded HijackThis and it also found a bunch of stuff. I deleted some stuff that had the name "spybotpro" in the listing. That still did not fix the problem.
I am including my hijack this log so maybe somebody can point out where the problem is.
Logfile of HijackThis v1.97.7
Scan saved at 6:55:46 AM, on 12/22/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\AT&T Global Network Client\NetClient.exe
C:\Program Files\AT&T Global Network Client\ARUpld32.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\ZIP7\0\0\HIJACK~1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wfu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.wfu.edu"); (C:\Program Files\Netscape\Users\Internet.usinet.jblaffe\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - c:\windows\WindowsIE.dll
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Owner\HXIUL.exe -uninstall
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.exe C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\RunOnce: [NetSP - restore database] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.290787037
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4290/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C1565A8-3127-440F-AEEA-1B63989A2C0D}: NameServer = 165.87.13.129 165.87.201.244

Thank you

JohnnyB




Response Number 1
Name: sxshep
Date: December 22, 2003 at 10:25:22 Pacific
Reply:

Johnny,

Look in your startup programs and see if you have any reference to Alset\HelpExpress; if so, remove it from startup, reboot, and:

Close all browser windows except HT and put checks in the following and have the program fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - c:\windows\WindowsIE.dll
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Owner\HXIUL.exe -uninstall
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C1565A8-3127-440F-AEEA-1B63989A2C0D}: NameServer = 165.87.13.129 165.87.201.244

Then:
Find and delete
C:\Program Files\Common files\updater\wupdater.exe

Reboot

hth
shep



Response Number 2
Name: iceblue
Date: December 22, 2003 at 18:17:13 Pacific
Reply:

good job.
shep, do you mind if I ask whether there was something suss about the O17 from your research? It looked ok at first glance...
happy to be corrected as always...
Ice



Response Number 3
Name: sxshep
Date: December 22, 2003 at 18:34:10 Pacific
Reply:

iceblue,

Pulled the trigger too soon on that O17.
It is an AT&T domain, as is his service.
I stand corrected, and embarrassed.

Johnny if you are there.....

O17 - HKLM\System\CCS\Services\Tcpip\..\{6C1565A8-3127-440F-AEEA-1B63989A2C0D}: NameServer = 165.87.13.129 165.87.201.244

Can be restored thru Config>Backup on the HT console if need be.

shep


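The two lessons of this thread are the procedure in Response 1 (go through the HijackThis log entry by entry, fix the redirected start/search pages, the orphaned hook and BHO, and the autostart, then delete the dropped file) and the correction in Response 3 (an O17 NameServer entry is only a problem if the resolvers are not your own ISP's). The following Python script is an added example, not code from the thread or from HijackThis; it parses entry lines in the HijackThis 1.97 log format and applies a few defensive heuristics. The sample log is constructed from lines of the shape posted above, and the two allowlists (expected start-page hosts, trusted ISP resolvers) are assumptions a reviewer would fill in for the machine in front of them.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: HijackThis 1.97-format entry lines shaped like the ones
# posted in this thread (section tag, " - ", then the entry body).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wfu.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - c:\windows\WindowsIE.dll
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C1565A8-3127-440F-AEEA-1B63989A2C0D}: NameServer = 165.87.13.129 165.87.201.244
"""

# Assumption: hosts the owner expects in start/search-page entries (the user's
# own home page plus the PC vendor's default portal).
EXPECTED_HOSTS = {"wfu.edu", "hpwis.com"}

# Assumption: the user's ISP resolvers. In the thread the O17 entry pointing at
# these addresses was flagged and then found to be AT&T's own servers, so an
# allowlist like this is what prevents that false positive.
TRUSTED_NAMESERVERS = {"165.87.13.129", "165.87.201.244"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return (kind, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _host_expected(url, expected_hosts):
    """True if the URL's host is one of the expected hosts or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in expected_hosts)


def review(log_text, expected_hosts=EXPECTED_HOSTS, trusted_nameservers=TRUSTED_NAMESERVERS):
    """Apply defensive heuristics to the entries and return a list of findings.

    O4 autostarts are parsed but not scored: as in the thread, each one needs a
    by-hand check of whether the path belongs to a known vendor.
    """
    findings = []

    def add(kind, verdict, note, entry):
        findings.append({"kind": kind, "verdict": verdict, "note": note, "entry": entry})

    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1") and " = " in body:
            _, url = body.split(" = ", 1)
            if not _host_expected(url, expected_hosts):
                add(kind, "suspect", "start/search page points at an unexpected host", body)
        elif kind in ("R3", "O2") and body.endswith("(file missing)"):
            add(kind, "suspect", "hook/BHO registered but its DLL is gone; dead entry, fix candidate", body)
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            dll = body.rsplit(" - ", 1)[-1].lower()
            # Heuristic: an unnamed BHO sitting directly in the Windows directory
            # (not in a vendor folder under Program Files) deserves a look.
            if dll.startswith("c:\\windows\\") and dll.count("\\") == 2:
                add(kind, "suspect", "unnamed BHO loaded straight from the Windows directory", body)
        elif kind == "O17" and "NameServer = " in body:
            servers = body.split("NameServer = ", 1)[1].split()
            unknown = [s for s in servers if s not in trusted_nameservers]
            if unknown:
                add(kind, "suspect",
                    "resolver not on the ISP allowlist, confirm with the ISP before fixing: " + " ".join(unknown),
                    body)
            else:
                add(kind, "ok", "resolvers match the ISP allowlist; leave this entry alone", body)
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["verdict"].upper(), f["kind"], "-", f["note"])
        print("   ", f["entry"])
```

Run against the sample, the script flags the HKLM start page, the Search Bar URL, the orphaned PerfectNav hook and the unnamed BHO in c:\windows, leaves the wfu.edu and hpwis.com entries and the Acrobat BHO alone, and reports the O17 resolvers as matching the allowlist. Pass an empty set as trusted_nameservers and the same O17 line becomes a "confirm with the ISP" finding, which is exactly the check that was skipped in Response 1.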

Response Number 4
Name: iceblue
Date: December 22, 2003 at 19:21:39 Pacific
Reply:

no worries
been there done that many times - it makes us better for it.
(never makes us feel any better though :(
the client gets the good advice - that's all that counts...ciao. well done.



Response Number 5
Name: iceblue
Date: December 23, 2003 at 18:42:52 Pacific
Reply:

shep,
you may be interested in this link,
http://forums.tomcoyote.org/index.php?showtopic=1421 let me know if it's still active; I can recommend you to have a look;
it's a very informative site......
Ice

iceblue






Response Number 6
Name: sxshep
Date: December 24, 2003 at 07:21:13 Pacific
Reply:


Thanks for the link, looks like it could be educational. Probably give it a go if I can overcome my aversion to the classroom concept. Bad memories from my youth, he he.

Thanks again iceblue.

shep



Response Number 7
Name: iceblue
Date: December 25, 2003 at 02:51:36 Pacific
Reply:

nodsnods, you and me both...!

Most of it is self help, learn as you go type stuff; no lessons or rigid programmes.
The only restriction is on numbers - you have to be recommended, and there has to be a place open.



