
http:///?%20www.whatever appearing in address bar


3 replies to this topic

#1 Max


Posted 20 July 2005 - 08:38 PM

Whenever I try to get to a website, say http://www.website.com, it turns into http:///?%20www.website.com. I've run a few anti-spyware programs, with no luck. I just downloaded and ran HijackThis for the first time, and I have no idea what to remove or keep. Here's the log I got:



Logfile of HijackThis v1.99.1
Scan saved at 8:18:25 PM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\userint32.exe
C:\WINDOWS\system32\mswkst32.exe
c:\windows\system32\repyxol.exe
C:\WINDOWS\System32\VsTaskMngr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\mscarrt32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\zaprdjxk6.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rice.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.mail.rice.edu/twig/owlnet
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {156D2521-E160-39B8-51DD-16EC67C6A139} - C:\WINDOWS\system32\hocveakq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {70F70BDF-E66B-C708-D93B-A1571897ECE3} - C:\WINDOWS\system32\xekhqzbh.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {800D3062-E950-D35B-B79E-221A6960759C} - C:\WINDOWS\system32\cvmdmjmf.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Microsoft Updat3] mswkst32.exe
O4 - HKLM\..\Run: [blxyjg] c:\windows\system32\repyxol.exe r
O4 - HKLM\..\RunServices: [Microsoft Updat3] mswkst32.exe
O4 - HKCU\..\Run: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O4 - HKCU\..\RunServices: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/064b2c8294961e...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29itg.zcce.compaq.com/falco/help...rt/SysQuery.cab
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe
O23 - Service: qxzllqmwtkyd (ydknzqoa6) - Unknown owner - C:\WINDOWS\system32\zaprdjxk6.exe



Any help would be greatly appreciated. Thanks!

-Max


#2 jahewi

jahewi

    Anti-Malware Helper



Posted 21 July 2005 - 08:28 AM

Hi Max,

- Be sure that all files and folders are visible:
- Click Start > Control Panel > Tools > Folder Options > View
- At Hidden files and folders, select 'Show hidden files and folders'
- Unmark 'Hide extensions for known file types'
- Click 'Apply' and then 'OK'.

- Start HijackThis and click 'Scan'.

- Only select the following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: (no name) - {156D2521-E160-39B8-51DD-16EC67C6A139} - C:\WINDOWS\system32\hocveakq.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {70F70BDF-E66B-C708-D93B-A1571897ECE3} - C:\WINDOWS\system32\xekhqzbh.dll (file missing)
O2 - BHO: (no name) - {800D3062-E950-D35B-B79E-221A6960759C} - C:\WINDOWS\system32\cvmdmjmf.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Microsoft Updat3] mswkst32.exe
O4 - HKLM\..\Run: [blxyjg] c:\windows\system32\repyxol.exe r
O4 - HKLM\..\RunServices: [Microsoft Updat3] mswkst32.exe
O4 - HKCU\..\Run: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O4 - HKCU\..\RunServices: [IntelAMD Signal Processor2] C:\WINDOWS\System32\VsTaskMngr.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe
O23 - Service: qxzllqmwtkyd (ydknzqoa6) - Unknown owner - C:\WINDOWS\system32\zaprdjxk6.exe


- IMPORTANT: Close all windows, except HijackThis.

- In HijackThis, click 'Fix Checked'.

- Restart your computer in Safe Mode

- Delete the following Files:
C:\WINDOWS\userint32.exe
C:\WINDOWS\tct101.dll
C:\WINDOWS\system32\hocveakq.dll
c:\windows\system32\repyxol.exe
C:\WINDOWS\System32\VsTaskMngr.exe
C:\WINDOWS\mscarrt32.exe
C:\WINDOWS\system32\zaprdjxk6.exe

- Find the following file and delete it: mswkst32.exe

- Restart your computer in Normal Mode and post a new HijackThis-log in this topic.


Good luck, Jan :-)
... the best defence against malware is common sense ... ;)
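
An added example, not part of jahewi's post and not code from HijackThis: a small Python triage pass over a HijackThis log that parses the entry lines and marks the ones worth a manual look. The sample lines are copied from the log in post #1; the three review rules are assumptions chosen for illustration, and a flagged line is a prompt for review, not a verdict.

```python
import re

# HijackThis entry lines look like "O23 - Service: ..." or "F2 - REG:system.ini: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Sample input: a subset of the lines from the log in post #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rice.edu/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {70F70BDF-E66B-C708-D93B-A1571897ECE3} - C:\WINDOWS\system32\xekhqzbh.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: qxzllqmwtkyd (ydknzqoa6) - Unknown owner - C:\WINDOWS\system32\zaprdjxk6.exe
"""

def parse(log_text):
    """Return (code, body) tuples for every entry line; skip headers and blanks."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def review_reason(code, body):
    """Return why an entry deserves a manual look, or None (assumed heuristics)."""
    if code == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "shell value launches more than Explorer.exe"
    if code in ("O2", "O3") and body.endswith(("(no file)", "(file missing)")):
        return "registered component has no file on disk"
    if code == "O23" and " - Unknown owner - " in body:
        return "service binary has no company name"
    return None

def triage(log_text):
    """List (code, body, reason) for entries needing review, in log order."""
    return [(c, b, r) for c, b in parse(log_text) if (r := review_reason(c, b))]

if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

The "Unknown owner" rule also flags the Ati HotKey Poller service, which the fix list above leaves alone, so each hit still has to be judged by path and name before anything is selected.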

#3 Max


Posted 22 July 2005 - 12:48 PM

That worked great! Thanks for all the help :thumbsup:

-Max

#4 jahewi

jahewi

    Anti-Malware Helper



Posted 22 July 2005 - 01:04 PM

Hi Max,

That's great and you're very welcome :thumbsup:

But can you post another HijackThis-log for me to check if all malware is really removed?


Jan :flowers:
... the best defence against malware is common sense ... ;)



