
IE doesn't work anymore after being hijacked



#1 heetie


Posted 17 January 2005 - 12:43 PM

Because I hadn't updated my antivirus software in a year being offline, my Explorer got hijacked when getting online.
Spysweeper, Zone Alarm and Norton finally managed to remove some of the trojans. Now they don't find anything anymore.

However, Internet Explorer still doesn't work. Outlook Express functions perfectly. I have already fixed some of the annoying things with HJT, but I have restored them to give you a full picture in this log.

Thank you in advance for any advice. Please mail it to me, so I have it through Outlook.



Logfile of HijackThis v1.98.0
Scan saved at 23:13:20, on 15/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Tom\My Documents\5. COMPUTER & DOWNLOADS\Antivirus & compclean\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=155214
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=155214
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=155214
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pac.pandora.be:80
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe
O4 - HKLM\..\Run: [Device] C:\WINDOWS\socks.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Microsoft NT Update] winexec32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\socks.exe
O4 - HKLM\..\RunServices: [winmgr.exe] scvhost.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.alinto.com
O15 - Trusted Zone: http://www.google.com
O15 - Trusted Zone: http://www.symantec.com
O15 - Trusted Zone: http://us.f610.mail.yahoo.com
O15 - Trusted Zone: www.yahoo.com

Edited by heetie, 17 January 2005 - 12:49 PM.




#2 LineOFire


Posted 17 January 2005 - 12:48 PM

Hello and welcome to BleepingComputer Forums. We hope you enjoy your stay here! :flowers:

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Your version of HijackThis is out of date. Download the newest version, HijackThis v1.99.0.
Be sure to replace your old HijackThis.exe with this new one by saving over it.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=155214
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=155214
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=155214
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe
O4 - HKLM\..\Run: [Device] C:\WINDOWS\socks.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Microsoft NT Update] winexec32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\socks.exe
O4 - HKLM\..\RunServices: [winmgr.exe] scvhost.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right, a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\socks.exe

We need to do a search. Start | Search | For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

"winasp.exe","winexec32.exe","dllman.exe","scvhost.exe"

If any of them are found, delete them.

Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :thumbsup:
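
An added example, not part of the reply above and not HijackThis's own logic: a short Python triage of O4 autostart lines using three heuristics assumed here (command with no path, name that is a near miss of a core Windows process, one file registered under several value names). The sample lines are taken from the log in this thread; `SYSTEM_NAMES` and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe
O4 - HKLM\..\Run: [Device] C:\WINDOWS\socks.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\socks.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
'''

O4_RE = re.compile(r'^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# Assumed reference list of core Windows process names (not exhaustive).
SYSTEM_NAMES = ("svchost.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "smss.exe", "explorer.exe", "csrss.exe", "userinit.exe")

def image_path(cmd):
    """Executable part of a Run value, lower-cased, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    m = re.match(r'(.+?\.exe)\b', cmd, re.I)
    return (m.group(1) if m else cmd).lower()

def near_miss(a, b):
    """True if a differs from b by one substitution or one adjacent swap."""
    if a == b or len(a) != len(b):
        return False
    d = [i for i in range(len(a)) if a[i] != b[i]]
    return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                           and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])

def review_o4(log_text):
    """Map each autostart image to the reasons it deserves a closer look."""
    rows = [(m["name"], image_path(m["cmd"]))
            for m in map(O4_RE.match, log_text.splitlines()) if m]
    value_names = defaultdict(set)
    for name, img in rows:
        value_names[img].add(name)
    findings = defaultdict(set)
    for img, names in value_names.items():
        base = img.rsplit("\\", 1)[-1]
        if "\\" not in img:
            findings[img].add("no-path")               # found via search path only
        findings[img].update("lookalike:" + r for r in SYSTEM_NAMES if near_miss(base, r))
        if len(names) > 1:
            findings[img].add("multiple-value-names")  # same file, different labels
    return {img: sorted(r) for img, r in findings.items() if r}
```

A finding is a prompt for manual review, not a verdict: legitimate software can also register a bare filename, and `near_miss` does not catch inserted or dropped letters.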

#3 heetie


Posted 17 January 2005 - 12:54 PM

Thank you already for this extremely rapid advice... I'll get back here tomorrow with new news and a log.... THANX



