Help me to remove browser hijack


  • This topic is locked
11 replies to this topic

#1 APVM

APVM

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 16 June 2004 - 02:48 AM

Please help me to remove browser hijack. I've tried adware, Spybot and nothing can help. Here is my HijackThis log, please help. TIA

Logfile of HijackThis v1.97.7
Scan saved at 3:43:35 AM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\acoustic.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\mfcjz.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\addrp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ynyyl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ynyyl.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ynyyl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ynyyl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ynyyl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ynyyl.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DE09C871-7AD6-BF98-DB2E-7655E7D848F1} - C:\WINDOWS\system32\mfcjz.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TBTray] acoustic.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mfcjz.exe] C:\WINDOWS\system32\mfcjz.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O9 - Extra button: ATI TV (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14edc9e88cd5e3802416/...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37869.470462963
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - https://sympreg.bell.ca/HSEOrder/systemChec...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:30 AM

Posted 16 June 2004 - 01:07 PM

OK, this is what I need you to do.

Create a directory on your hard drive called c:\pslist

Download pslist from this link:

http://www.sysinternals.com/files/pslist.zip

Save and extract the files into c:\pslist

Click on start, then run, type cmd.exe and press OK.

In the steps below, if you see a $, that means it's a space.

At the cmd prompt I want you to:

Type cd$\pslist and press enter

Type pslist$>$pslist.txt and press enter.

Type notepad$pslist.txt and press enter.

Remember the $ are really spaces when you are typing.

When Notepad opens, please paste its contents into a reply to this topic with a brand new HijackThis log.

#3 APVM

Posted 16 June 2004 - 01:20 PM

Thank you very much for your help but instead of trying to remove this thing, I decided to reinstall Windows XP instead, now I am trying to install stuff and remove stuff that may be harmful in the future.

I am now going to remove XP Java and install Sun Java

Going to install BHODemon, Spyware blaster, AVG

Any suggestions will be highly appreciated, and thank you again for your help. I must say this is a life saver website and forum. TIA

#4 Grinler

Posted 16 June 2004 - 01:36 PM

Definitely install Spybot and Ad-Aware. Tutorials for both can be found in the tutorial section.

Also make sure you install a firewall like the free Kerio one. I would stay away from ZoneAlarm right now as there are a lot of reported problems with the latest update.

#5 APVM

Posted 16 June 2004 - 02:43 PM

I am behind a router, so do I still have to install a firewall? Since I play a lot of net games (Battlefield 1942), will a firewall affect me? TIA

#6 Grinler

Posted 16 June 2004 - 04:14 PM

If you have a router then you do not need the firewall for inbound protection. The only time you would gain the benefit of the software firewall is seeing what programs on your machine are attempting to use the internet.

#7 APVM

Posted 17 June 2004 - 12:23 AM

Thank you very much.

#8 APVM

Posted 17 June 2004 - 02:55 PM

This is my HijackThis log after the XP reinstall. Does it look clean? TIA

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\acoustic.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
G:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
D:\nbpro\nbpro.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Adware Tools\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbs.marketwatch.com/discussions/msg...7&boardId=49109
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ADWARE~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [TBTray] acoustic.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] "G:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BHODemon.lnk = C:\Adware Tools\BHODemon\BHODemon.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8154.3686226852

#9 APVM

Posted 17 June 2004 - 02:56 PM

thanks again

Edited by APVM, 17 June 2004 - 02:57 PM.


#10 Grinler

Posted 17 June 2004 - 03:06 PM

Looks great. Also install SpywareBlaster. A tutorial for it can be found on this site.

#11 APVM

Posted 17 June 2004 - 04:22 PM

I have SpywareBlaster and did the setup according to your tutorial. Do I need to run it in the background in order for the settings to work? TIA

#12 Grinler

Posted 17 June 2004 - 07:54 PM

Nope, just run it once in a while, update it, and apply the changes.



