random ie hijacks help

Computing.Net > Forums > Security and Virus > random ie hijacks help

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

random ie hijacks help

Name: adam w. kempa
Date: November 1, 2003 at 09:14:57 Pacific
OS: win 98
CPU/Ram: p2

Comment:

I'm just wondering if anyone can help me out here, i've run both spybot and adaware in both safe and normal modes. Both got rid of everything they found. I'm still experiencing all kinds of weird IE behaviour. I've pasted a copy of a Hijackthis log below. Thanks in advance for any help.
Cheers,
ak
Logfile of HijackThis v1.97.3
Scan saved at 12:06:00 PM, on 11/1/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SSDPSRV.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\STARTER.exe
C:\WINDOWS\GWHOTKEY.exe
C:\WINDOWS\RUNDLL32.exe
C:\PROGRAM FILES\WINAMP\WINAMPA.exe
C:\WINDOWS\SYSTEM\FPDISP4A.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\HIGHCRITERIA\TOTALRECORDER\TOTRECSCHED.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.exe
C:\WINDOWS\MWSVM.exe
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\OHJPVFCW.exe
C:\WINDOWS\SYSTEM\HFTV.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\NETGEAR\MA111 CONFIGURATION UTILITY\WLANCFG4.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchbus.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=165E03FB-B675-43C9-BE0B-09A78B04B977&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ebay.com/
R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {FF74BBA0-0B27-11D8-ACA6-00095B0CDDFE} - C:\WINDOWS\SYSTEM\RICHELD.DLL
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\RUNDLL16.DLL (file missing)
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\SYSTEM\EXPEXT.DLL
O3 - Toolbar: (no name) - {1B13BF1B-A528-4CC4-B5BF-553CAA6487AC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM\fpdisp4a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\SYSTEM\expup.exe
O4 - HKLM\..\Run: [2HJ@3LK5JSSBN#] C:\WINDOWS\SYSTEM\LsxI52.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Aeaa] C:\WINDOWS\Profiles\administrator\Application Data\rost.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\administrator\Client\HelpExp.exe
O4 - Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37879.3241898148
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/ASH19108/ashton.cab

Sponsored Link

Ads by Google

Response Number 1

Name: Heidi Propp
Date: November 1, 2003 at 13:47:30 Pacific

Reply:

Looks like you might be another victim of the CoolWeb search hijack. The following sites may help:
CoolWeb Search Chronicles

Response Number 2

Name: Abnormal
Date: November 2, 2003 at 08:45:15 Pacific

Reply:

Run cwshredder and post a new log,
you can get it at the link Heidi posted.

Response Number 3

Name: adam kempa
Date: November 2, 2003 at 09:26:51 Pacific

Reply:

Ran CWshredder, still getting tons of pop ups and attempts to install programs when I leave my computer overnight. Here's a new log: AGain, thanks in advance for any help.
Cheers,
ak

Logfile of HijackThis v1.97.3
Scan saved at 12:22:51 PM, on 11/2/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SSDPSRV.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\STARTER.exe
C:\WINDOWS\GWHOTKEY.exe
C:\WINDOWS\RUNDLL32.exe
C:\WINDOWS\SYSTEM\FPDISP4A.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\HIGHCRITERIA\TOTALRECORDER\TOTRECSCHED.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.exe
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\NETGEAR\MA111 CONFIGURATION UTILITY\WLANCFG4.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\HVYU.exe
C:\WINDOWS\SYSTEM\IFAUWLE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchbus.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=165E03FB-B675-43C9-BE0B-09A78B04B977&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ebay.com/
R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {FF74BBA0-0B27-11D8-ACA6-00095B0CDDFE} - C:\WINDOWS\SYSTEM\RICHELD.DLL
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\RUNDLL16.DLL (file missing)
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\SYSTEM\EXPEXT.DLL
O3 - Toolbar: (no name) - {1B13BF1B-A528-4CC4-B5BF-553CAA6487AC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM\fpdisp4a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\SYSTEM\expup.exe
O4 - HKLM\..\Run: [2HJ@3LK5JSSBN#] C:\WINDOWS\SYSTEM\JfmI8U2.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Aeaa] C:\WINDOWS\Profiles\administrator\Application Data\rost.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\administrator\Client\HelpExp.exe
O4 - Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37879.3241898148
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON29106/flash.cab
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON29106/payload2.cab

Response Number 4

Name: smithdk
Date: November 2, 2003 at 09:50:16 Pacific

Reply:

Fix these lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\RUNDLL16.DLL (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\SYSTEM\EXPEXT.DLL
You have a lot of spyware loading in items marked 04. Check against this list:
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

Response Number 5

Name: Abnormal
Date: November 2, 2003 at 10:41:10 Pacific

Reply:

Adding to what smithdk posted,
these are nasty.
R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\SYSTEM\expup.exe
Keywords hijacker

ie hijack ie hijacked by antivirus 2009 fix ie hijack	how to remove hijack.help help nosmhelp hijack.help help nosmhelp hijack.help
See More

Response Number 6

Name: alexhho
Date: November 2, 2003 at 11:18:39 Pacific

Reply:

I have the same problem. Both Spybot and Ad-aware are no help. I would really appreciate some assistance here. Thank you.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\HotSync.exe
C:\Program Files\StayLive\StayLive.exe
C:\Program Files\Highstream\Dunnow.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Games\Burning Guide\Spybotsd12-adaware\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Paula Lin\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?cxlow (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Games\BURNIN~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Games\Burning Guide\Clonecd4.2.0.2\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Stay Live 2000.lnk = C:\Program Files\StayLive\StayLive.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HotSync.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C28918BC-9ABF-4754-AA57-2F5BB4F1FB4E}: NameServer = 205.171.3.65 205.171.27.251
O19 - User stylesheet: C:\WINDOWS\Web\win.def

Response Number 7

Name: alexhho
Date: November 2, 2003 at 11:40:03 Pacific

Reply:

Sorry! This is the logfile after CWShredder was run. Thanks.
Logfile of HijackThis v1.97.3
Scan saved at 1:39:01 PM, on 11/2/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\HotSync.exe
C:\Program Files\StayLive\StayLive.exe
C:\Program Files\Highstream\Dunnow.exe
C:\Documents and Settings\Paula Lin\Local Settings\Temp\Temporary Directory 1 for cwshredder1.3.zip\CWShredder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Paula Lin\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Games\BURNIN~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Games\Burning Guide\Clonecd4.2.0.2\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Stay Live 2000.lnk = C:\Program Files\StayLive\StayLive.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HotSync.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37927.4811458333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C28918BC-9ABF-4754-AA57-2F5BB4F1FB4E}: NameServer = 205.171.3.65 205.171.27.251

Response Number 8

Name: Abnormal
Date: November 2, 2003 at 14:51:06 Pacific

Reply:

alexhho, your second post looks ok.
For you or others stopping by, look below.
So how did I get infected in the first place?

Response Number 9

Name: alexhho
Date: November 2, 2003 at 15:40:32 Pacific

Reply:

Thank you, Abnormal. Take care.

Sponsored Link

Ads by Google

tracert, 1st hop

how can u tell if u have ...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: random ie hijacks help

IE Browser Hijacked - HELP!!!

Summary

www.computing.net/answers/security/ie-browser-hijacked-help/8743.html

IE hijacked

Summary

www.computing.net/answers/security/ie-hijacked/2252.html

Virus, spyware and Hijack help

Summary

www.computing.net/answers/security/virus-spyware-and-hijack-help/12569.html

From the Geek Dictionary
OMG - An acronym commonly used to represent Oh My Goodness or Oh My God. This is ...

Ask a Question!

Weekly Poll
What do you think of the new preview of Chrome OS?

Poll Finishes In 2 Days.
Discuss in The Lounge
Poll History

Recent Posts
rename folder with time and date in DOS

RAM replacement

Completely deleting a rootkit REG key

@Justin: Subject Line Code

I need mega help

All Awaiting Reply

Tom's News
New Final Fantasy XIII Trailer is 5 Minutes Long

TV Market to Launch Cross-Platform App Store

Used ATM Machines for Sale on Craigslist

Rival Publishers Collaborate on iTunes-type Store

Guy Quits Job With Error Message

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE