BleepingComputer.com: http:///?%20www.whatever appearing in address bar


http:///?%20www.whatever appearing in address bar help with a hijackthis log

#1 Max (New Member)

Posted 20 July 2005 - 08:38 PM

Whenever I try to get to a website, say http://www.website.com, it turns into http:///?%20www.website.com. I've run a few anti-spyware programs, with no luck. I just downloaded and ran HijackThis for the first time, and I have no idea what to remove or keep. Here's the log I got:



Logfile of HijackThis v1.99.1
Scan saved at 8:18:25 PM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\userint32.exe
C:\WINDOWS\system32\mswkst32.exe
c:\windows\system32\repyxol.exe
C:\WINDOWS\System32\VsTaskMngr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\mscarrt32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\zaprdjxk6.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rice.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.mail.rice.edu/twig/owlnet
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {156D2521-E160-39B8-51DD-16EC67C6A139} - C:\WINDOWS\system32\hocveakq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {70F70BDF-E66B-C708-D93B-A1571897ECE3} - C:\WINDOWS\system32\xekhqzbh.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {800D3062-E950-D35B-B79E-221A6960759C} - C:\WINDOWS\system32\cvmdmjmf.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Microsoft Updat3] mswkst32.exe
O4 - HKLM\..\Run: [blxyjg] c:\windows\system32\repyxol.exe r
O4 - HKLM\..\RunServices: [Microsoft Updat3] mswkst32.exe
O4 - HKCU\..\Run: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O4 - HKCU\..\RunServices: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/064b2c8294961e...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29itg.zcce.compaq.com/falco/help...rt/SysQuery.cab
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe
O23 - Service: qxzllqmwtkyd (ydknzqoa6) - Unknown owner - C:\WINDOWS\system32\zaprdjxk6.exe



Any help would be greatly appreciated. Thanks!

-Max

#2 jahewi (Anti-Malware Helper)

Posted 21 July 2005 - 08:28 AM

Hi Max,

- Be sure that all files and folders are visible:
- Click Start > Control Panel > Tools > Folder Options > View
- At Hidden files and folders, select 'Show hidden files and folders'
- Unmark 'Hide extensions for known file types'
- Click 'Apply' and then 'OK'.

- Start HijackThis and click 'Scan'.

- Only select the following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: (no name) - {156D2521-E160-39B8-51DD-16EC67C6A139} - C:\WINDOWS\system32\hocveakq.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {70F70BDF-E66B-C708-D93B-A1571897ECE3} - C:\WINDOWS\system32\xekhqzbh.dll (file missing)
O2 - BHO: (no name) - {800D3062-E950-D35B-B79E-221A6960759C} - C:\WINDOWS\system32\cvmdmjmf.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Microsoft Updat3] mswkst32.exe
O4 - HKLM\..\Run: [blxyjg] c:\windows\system32\repyxol.exe r
O4 - HKLM\..\RunServices: [Microsoft Updat3] mswkst32.exe
O4 - HKCU\..\Run: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O4 - HKCU\..\RunServices: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe
O23 - Service: qxzllqmwtkyd (ydknzqoa6) - Unknown owner - C:\WINDOWS\system32\zaprdjxk6.exe


- IMPORTANT: Close all windows, except HijackThis.

- In HijackThis, click 'Fix Checked'.

- Restart your computer in Safe Mode

- Delete the following Files:
C:\WINDOWS\userint32.exe
C:\WINDOWS\tct101.dll
C:\WINDOWS\system32\hocveakq.dll
c:\windows\system32\repyxol.exe
C:\WINDOWS\System32\VsTaskMngr.exe
C:\WINDOWS\mscarrt32.exe
C:\WINDOWS\system32\zaprdjxk6.exe

- Find the following file and delete it: mswkst32.exe

- Restart your computer in Normal Mode and post a new HijackThis-log in this topic.


Good luck, Jan :-)
... the best defence against malware is common sense ... ;)
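
Added example (not part of the original thread, and not code from HijackThis or BleepingComputer): a short Python triage script that indexes HijackThis entries by the binary they reference, using lines copied from the fix list in the reply above as sample input. It shows why that reply fixes several entries per file: one binary can be anchored in more than one autostart location, while entries marked "(no file)" or "(file missing)" need only a registry fix. The function names and the file-extension heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: entries copied from the fix list in the reply above.
SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {70F70BDF-E66B-C708-D93B-A1571897ECE3} - C:\WINDOWS\system32\xekhqzbh.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Updat3] mswkst32.exe
O4 - HKLM\..\RunServices: [Microsoft Updat3] mswkst32.exe
O4 - HKCU\..\Run: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O4 - HKCU\..\RunServices: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")
# Heuristic (assumption): basename of any token ending in .exe/.dll/.ocx.
BINARY = re.compile(r"([^\s\\/=:\]]+\.(?:exe|dll|ocx))\b", re.IGNORECASE)
DANGLING = ("(no file)", "(file missing)")

def parse(log):
    """Yield (location, binaries, dangling) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, rest = m.groups()
        location = f"{code} {rest.split(':', 1)[0]}"  # e.g. O4 HKLM\..\Run
        names = [b.lower() for b in BINARY.findall(rest)]
        yield location, names, rest.endswith(DANGLING)

def autostart_index(log):
    """Map each binary to every entry location that points at a present file."""
    # F2 also lists Explorer.exe, the normal shell; the appended program is the anomaly.
    index = defaultdict(list)
    for location, names, dangling in parse(log):
        if not dangling:
            for name in names:
                index[name].append(location)
    return dict(index)

def registry_only(log):
    """Locations whose target file is already gone: fix the entry, nothing to delete."""
    return [loc for loc, _, dangling in parse(log) if dangling]

if __name__ == "__main__":
    print(autostart_index(SAMPLE), registry_only(SAMPLE))
```

On the sample, VsTaskMngr.exe is referenced from three locations (two Run keys and a service), so deleting the file without fixing all three entries would leave dead autostart references behind.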

#3 Max (New Member)

Posted 22 July 2005 - 12:48 PM

That worked great! Thanks for all the help :thumbsup:

-Max

#4 jahewi (Anti-Malware Helper)

Posted 22 July 2005 - 01:04 PM

Hi Max,

That's great and you're very welcome :thumbsup:

But can you post another HijackThis-log for me to check if all malware is really removed?


Jan :flowers:
... the best defence against malware is common sense ... ;)
