spyware?? homepage hijack

Computing.Net > Forums > Security and Virus > spyware?? homepage hijack

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

spyware?? homepage hijack

Name: Dee
Date: November 25, 2003 at 09:19:21 Pacific
OS: Win2000
CPU/Ram: Pen4 1.6/256

Comment:

Have been working nearly a week to clean this machine. Ran Spy-bot and Ad-Aware and still have home page changes and icons added to desktop and favorites.Both programs come up clean. Down loaded and ran Hijack and here is the log. Pleeese take a look and help me out.
Logfile of HijackThis v1.97.7
Scan saved at 10:45:10 AM, on 11/25/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\svchost.exe
C:\winnt\rundll32.exe
F:\OFFICE97\OFFICE\OSA.exe
F:\OFFICE97\OFFICE\MSOFFICE.exe
C:\Program Files\Webroot\Washer\Formdata.exe
C:\Documents and Settings\Dan\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://strawberries.teensfestival.com/search2.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.123.1:6588;https=192.168.123.1:6588;ftp=192.168.123.1:21;gopher=192.168.123.1:1080;socks=192.168.123.1:1080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINNT\msbjii.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Dan"
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Dan"
O4 - Global Startup: Office Startup.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = ?
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) - http://ag-oas.kda.state.ks.us/jinitiator/jinit.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37897.4733680556
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) - http://ag-oas.kda.state.ks.us/jinitiator/jinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{646CDBC4-6720-4487-BF2D-AA78ED052104}: NameServer = 151.164.70.201,65.68.97.1

Sponsored Link

Ads by Google

Response Number 1

Name: Tom41
Date: November 25, 2003 at 09:47:07 Pacific

Reply:

Hi Dee,
Download and run CWShredder:
CWShredder
After running CWShredder, run hijack again and post a new log.

Response Number 2

Name: Dee
Date: November 25, 2003 at 11:31:08 Pacific

Reply:

Ran CWShredder then Hijack again and here is the new log.

Logfile of HijackThis v1.97.7
Scan saved at 1:35:22 PM, on 11/25/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\svchost.exe
C:\winnt\rundll32.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
F:\OFFICE97\OFFICE\OSA.exe
F:\OFFICE97\OFFICE\MSOFFICE.exe
C:\Documents and Settings\Dan\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.123.1:6588;https=192.168.123.1:6588;ftp=192.168.123.1:21;gopher=192.168.123.1:1080;socks=192.168.123.1:1080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINNT\msbjii.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Office Startup.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = ?
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) - http://ag-oas.kda.state.ks.us/jinitiator/jinit.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37897.4733680556
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) - http://ag-oas.kda.state.ks.us/jinitiator/jinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{646CDBC4-6720-4487-BF2D-AA78ED052104}: NameServer = 151.164.70.201,65.68.97.1

Response Number 3

Name: Tom41
Date: November 25, 2003 at 12:18:05 Pacific

Reply:

Hi Dee,
Open the task manager and end process on C:\WINNT\svchost.exe, then delete the file.
** Notice the location.
Then run HijackThis again and check the following items. Next, close all browser Windows, and have HT 'fix checked'.
You Must restart your computer when you're done.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINNT\msbjii.dll
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
After restarting delete the following:
winmain.exe
C:\winnt\rundll32.exe

Response Number 4

Name: Dee
Date: November 25, 2003 at 13:25:29 Pacific

Reply:

Loooooking good. After reboot I deleted the C:\winnt\rundll32.exe OK, but couldn't find the winmain.exe.

Response Number 5

Name: Dee
Date: December 2, 2003 at 08:07:43 Pacific

Reply:

Thank you so much. You people are great and deserve so much more than just a thank you, but I want to make sure that you at least get that. Major thanks.
Dee

amt 1.35 kingsun ks-959 holtek ht27c512 70	trontec 201 holtek ht27c512-70 F2 REG:system.ini:UserInit
See More

Sponsored Link

Ads by Google

IP Address Ranges NIS 200...

New virus

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: spyware?? homepage hijack

Homepage Hijack: in.webcounter.cc

Summary

www.computing.net/answers/security/homepage-hijack-inwebcountercc/8174.html

Windows95 Homepage Hijack Solution

Summary

www.computing.net/answers/security/windows95-homepage-hijack-solution/12543.html

Homepage Hijack

Summary

www.computing.net/answers/security/homepage-hijack/6906.html

From the Geek Dictionary
Guru Meditation - The Amiga counterpart of the Windows' BSOD(Blue Screen of Death)...

Ask a Question!

Weekly Poll
Did you go shopping on Black Friday?

Poll Finishes In 6 Days.
Discuss in The Lounge
Poll History

Recent Posts
Reboot problems

netdiag doesnot work

bootin up

how to make international call on local cost

no display

All Awaiting Reply

Tom's News
Man Pleads Guilty Selling Fake Chips to Navy

Threatening Rap on YouTube Lands Two in Jail

New Final Fantasy XIII Trailer is 5 Minutes Long

Guy Quits Job With Error Message

Verizon Takes on Sprint's 3G Network (And Wins)

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE