
another hijack this log



#1 dusted justin


Posted 25 June 2004 - 06:43 PM

It would seem that I've picked up the Home Search Assistant browser hijacker. I can't get on IE6 without it causing a stack dump, and my CD-ROM won't work. I've downloaded Ad-Aware with the latest update and I ran Norton AntiVirus; do I really need Spybot and CWShredder to get rid of this? I've also tried the Panda online virus scanner and I can't get it to work.


Logfile of HijackThis v1.97.7
Scan saved at 3:47:35 PM, on 6/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\APIZJ32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NETWU32.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\SYSTX32.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 2000\QSHELF2K.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\COMMON FILES\MOZILLA.ORG\GRE\1.4F_2003062408\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.finetimesearch.com/main/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yiu8onyj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yiu8onyj.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {1EAE9370-D325-A9C3-9A9A-811F826EBB31} - C:\WINDOWS\SYSTEM\SYSBW32.DLL (file missing)
O2 - BHO: (no name) - {F1EA966D-352F-FE93-0567-78A699A41D27} - C:\WINDOWS\SYSTEM\SYSTX32.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [JAVATK.EXE] C:\WINDOWS\SYSTEM\JAVATK.EXE
O4 - HKLM\..\Run: [SYSTX32.EXE] C:\WINDOWS\SYSTEM\SYSTX32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SYSZN.EXE] C:\WINDOWS\SYSZN.EXE
O4 - HKLM\..\RunServices: [D3DA.EXE] C:\WINDOWS\SYSTEM\D3DA.EXE
O4 - HKLM\..\RunServices: [APPPA.EXE] C:\WINDOWS\SYSTEM\APPPA.EXE
O4 - HKLM\..\RunServices: [IPDG32.EXE] C:\WINDOWS\SYSTEM\IPDG32.EXE
O4 - HKLM\..\RunServices: [ADDOA32.EXE] C:\WINDOWS\SYSTEM\ADDOA32.EXE
O4 - HKLM\..\RunServices: [SDKDT32.EXE] C:\WINDOWS\SYSTEM\SDKDT32.EXE
O4 - HKLM\..\RunServices: [ATLAG.EXE] C:\WINDOWS\SYSTEM\ATLAG.EXE
O4 - HKLM\..\RunServices: [WINKA32.EXE] C:\WINDOWS\SYSTEM\WINKA32.EXE
O4 - HKLM\..\RunServices: [IEJV.EXE] C:\WINDOWS\IEJV.EXE
O4 - HKLM\..\RunServices: [SYSWO.EXE] C:\WINDOWS\SYSTEM\SYSWO.EXE
O4 - HKLM\..\RunServices: [SDKTQ32.EXE] C:\WINDOWS\SDKTQ32.EXE
O4 - HKLM\..\RunServices: [WINAD.EXE] C:\WINDOWS\SYSTEM\WINAD.EXE
O4 - HKLM\..\RunServices: [IPUU.EXE] C:\WINDOWS\IPUU.EXE
O4 - HKLM\..\RunServices: [CRVF.EXE] C:\WINDOWS\SYSTEM\CRVF.EXE
O4 - HKLM\..\RunServices: [ATLHW.EXE] C:\WINDOWS\ATLHW.EXE
O4 - HKLM\..\RunServices: [CRQP.EXE] C:\WINDOWS\CRQP.EXE
O4 - HKLM\..\RunServices: [SDKFK32.EXE] C:\WINDOWS\SDKFK32.EXE
O4 - HKLM\..\RunServices: [CRNG32.EXE] C:\WINDOWS\CRNG32.EXE
O4 - HKLM\..\RunServices: [SYSHI32.EXE] C:\WINDOWS\SYSTEM\SYSHI32.EXE
O4 - HKLM\..\RunServices: [NTZA.EXE] C:\WINDOWS\NTZA.EXE
O4 - HKLM\..\RunServices: [APIZJ32.EXE] C:\WINDOWS\APIZJ32.EXE
O4 - HKLM\..\RunServices: [NETWU32.EXE] C:\WINDOWS\NETWU32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2000012...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/us/sa/common/c...n/bin/cabsa.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.5834027778
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_0.ocx
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = universityucc.org
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = universityucc.org
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1
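As an added illustration, not part of the thread, here is the check a log reader applies by eye to the O4 section above: flag autostart entries whose executable has a short random-looking name sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, and note which of them also appear under "Running processes" (active now, not just registered). The sample log is a constructed excerpt in the same format, and the name pattern is an assumption drawn from this log, not a HijackThis rule.

```python
import re

# Constructed excerpt in the HijackThis 1.97 log format (sample lines, not the full log).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE
C:\\WINDOWS\\APIZJ32.EXE
C:\\WINDOWS\\SYSTEM\\SYSTX32.EXE

O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\Run: [SYSTX32.EXE] C:\\WINDOWS\\SYSTEM\\SYSTX32.EXE
O4 - HKLM\\..\\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\\..\\RunServices: [APIZJ32.EXE] C:\\WINDOWS\\APIZJ32.EXE
O4 - HKLM\\..\\RunServices: [NTZA.EXE] C:\\WINDOWS\\NTZA.EXE
O4 - HKCU\\..\\Run: [NoAds] "C:\\PROGRAM FILES\\NOADS\\NOADS.EXE"
"""

# One O4 line: hive, Run/RunServices key, [entry name], command.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Assumed heuristic: 3-6 letters, optional "32", .EXE, directly in WINDOWS or WINDOWS\SYSTEM.
RANDOM_NAME_RE = re.compile(r'^C:\\WINDOWS(\\SYSTEM)?\\[A-Z]{3,6}(32)?\.EXE$', re.I)

def parse_log(text):
    """Return (set of running process paths, list of parsed O4 entries)."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:  # the process list ends at the first blank line
            if line.strip():
                running.add(line.strip().upper())
            else:
                in_procs = False
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return running, entries

def suspicious_autostarts(text):
    """(key, path, is_running) for each O4 entry whose executable looks random-named."""
    running, entries = parse_log(text)
    hits = []
    for e in entries:
        path = e["cmd"].strip('"').upper()
        if RANDOM_NAME_RE.match(path):
            hits.append((e["key"], path, path in running))
    return hits
```

Running `suspicious_autostarts(SAMPLE_LOG)` on the constructed excerpt returns the three random-named entries, with SYSTX32.EXE and APIZJ32.EXE marked as currently running and NTZA.EXE as registered but not running.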


#2 groovicus


Posted 25 June 2004 - 07:50 PM

You really should run Ad-Aware and Spybot before trying to do any manual removal. It only makes sense to let the tools do the work for you, and then clean up the remnants afterwards. You're much less likely to mess things up that way. :D



