Solved

WinXP IE maybe hijacked

Posted on 2004-04-23
12
1,037 Views
Last Modified: 2012-05-04
Hi, I don't know but I think my WinXP IE is been hijacked. I haven't used my XP box for about five months, I started using it three weeks ago and everytime I launch IE the homepage is http://www.enjoysearch.info/, I tried to change that and it just keeps coming back, I use Adaware 6.0 and it can't find anything. The other wierd thing is that when I type the DN 'www.google.com' I get totally something different i.e. phpmyadmin, phppgadmin etc.. Could someone tell me if you can what is happening with my IE, I feel like it is been hijacked and don't know how to prevent it from been hijacked.

Thanks in advance!!
0
Comment
Question by:ridak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
12 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10902733
Hello ridak =)

Download Hijacthis and run the software, save the log file and post here
http://www.softpedia.com/public/cat/10/17/10-17-69.shtml

!! GOOD LUCK !!
0
 

Author Comment

by:ridak
ID: 10902821
Logfile of HijackThis v1.97.7
Scan saved at 3:00:21 PM, on 4/23/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\jushed32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dua\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scanthenet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
O1 - Hosts: 69.93.33.159 msn.com
O1 - Hosts: 69.93.33.159 search.msn.com
O1 - Hosts: 69.93.33.159 www.msn.com
O1 - Hosts: 69.93.33.159 www.google.com
O1 - Hosts: 69.93.33.159 google.com
O1 - Hosts: 69.93.33.159 altavista.com
O1 - Hosts: 69.93.33.159 www.altavista.com
O1 - Hosts: 69.93.33.159 yahoo.com
O1 - Hosts: 69.93.33.159 www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\btohwfbi.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-113111111111} - mhtml:file://C:\NO_SUCH_MHT.MHT!http://www.enjoysearch.info/gfe/winlogon.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.8230439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
-----------------------------------------------------------------------------------------------

Hello SheharyaarSaahil, thanks for the reply, there is the log file for hijackthis.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10902889
Put a check mark against these entries and click on FIX.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scanthenet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-113111111111} - mhtml:file://C:\NO_SUCH_MHT.MHT!http://www.enjoysearch.info/gfe/winlogon.exe
0
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

 
LVL 15

Expert Comment

by:Tomeeboy
ID: 10902913
Looks like you probably have some Malware on your system.  I would first do a full virus scan if you haven't already:

http://housecall.trendmicro.com/

See if anything is detected and clean anything that is found.

Then, download/install/run the following:

Spybot: http://www.softpedia.com/public/cat/10/17/10-17-21.shtml
Adaware: http://www.softpedia.com/public/cat/10/17/10-17-58.shtml

Make sure that you update both of those programs after installing them so that you have the latest definition files.  These three things should clean everything up for the most part.  I would post an updated HijackThis log after you're done so we can see if there is anything left over that the programs couldn't get rid of.

Good luck!

Tom
0
 

Author Comment

by:ridak
ID: 10903014
Logfile of HijackThis v1.97.7
Scan saved at 3:18:25 PM, on 4/23/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\jushed32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dua\Local Settings\Temp\Temporary Directory 2 for hijackthis1977.zip\HijackThis.exe

O1 - Hosts: 69.93.33.159 msn.com
O1 - Hosts: 69.93.33.159 search.msn.com
O1 - Hosts: 69.93.33.159 www.msn.com
O1 - Hosts: 69.93.33.159 www.google.com
O1 - Hosts: 69.93.33.159 google.com
O1 - Hosts: 69.93.33.159 altavista.com
O1 - Hosts: 69.93.33.159 www.altavista.com
O1 - Hosts: 69.93.33.159 yahoo.com
O1 - Hosts: 69.93.33.159 www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\btohwfbi.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.8230439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
=======================================================
After the fix, this is the log file when I ran the program a second time.
The enjoysearch homepage is gone but I seem to be having the same issue in accessing "www.google.com" I get the same web page which displays:

Web Utilities
WebShell3

DB Utilities
phpMyAdmin - Admin interface for MySQL
phpPgAdmin Admin interface for PostgreSQL

EMail Utilities
IMP - mail client
Change your POP3 password
=======================================================Thanks in advance!!

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10903090
That's good that it was removed, adn now u have to FIX these entries.

O1 - Hosts: 69.93.33.159 msn.com
O1 - Hosts: 69.93.33.159 search.msn.com
O1 - Hosts: 69.93.33.159 www.msn.com
O1 - Hosts: 69.93.33.159 www.google.com
O1 - Hosts: 69.93.33.159 google.com
O1 - Hosts: 69.93.33.159 altavista.com
O1 - Hosts: 69.93.33.159 www.altavista.com
O1 - Hosts: 69.93.33.159 yahoo.com
O1 - Hosts: 69.93.33.159 www.yahoo.com


After fixing, reboot the machine, and check for the problem, if it is gone then it's Superb. otherwise download this software and run it.

CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html 
0
 

Author Comment

by:ridak
ID: 10903221
Hi SheharyaarSaahil, I fixed the above entries and rebooted the system but after rebooting guess what happen, well take look at the Log file.
Entries R1 and R0 are back again with the same webpage as my IE's homepage

The good news is that accessing "www.google.com" is okay now and it is able to retrieve the contents of that page correctly.

=======================================================
Logfile of HijackThis v1.97.7
Scan saved at 3:41:36 PM, on 4/23/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\msrexe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\jushed32.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Documents and Settings\Dua\Local Settings\Temp\Temporary Directory 4 for hijackthis1977.zip\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\btohwfbi.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.8230439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
=======================================================
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10903229
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10903268
> C:\WINDOWS\jushed32.exe


Ok i have found now, that what is creating problems for u, it is the above file, u have to remove it, read these instructions, i ahev copied form another forum site,

"I just got rid of this nasty from my PC. It is not related to java, although it was meant to resemble the java program jusched.exe. In fact, that's what tipped me off that this was the culprit - The java programs don't run from c:\windows - They all run from C:\Program Files\Java\<version>\bin\ directory.

Pest Patrol, AdAware 6.0 and Spybot S&D all missed this one. It is a browser hijacker that kept setting my home page to www.enjoysearch.info, as well as changing my default search engines.

Here's how I killed it: Run Task Manager and kill jushed32.exe with the End Process button. Then run regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr
entVersion\Run. Delete the key that references jushed32.exe (mine was located in c:\windows). Then delete the file c:\windows\jushed32.exe"
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 45 total points
ID: 10903277
After removing it by the above method, reboot the machine, and run hijack, and post the log file, so we can check if it comes back or not ??
0
 

Author Comment

by:ridak
ID: 10903393
Yeah that did it, and here is the log file just to show that it no longer shows up.
=====================================================
Logfile of HijackThis v1.97.7
Scan saved at 4:01:19 PM, on 4/23/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\msrexe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Documents and Settings\Dua\Local Settings\Temp\Temporary Directory 5 for hijackthis1977.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\btohwfbi.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.8230439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
=======================================================
thanks for your help SheharyaarSaahil, it's nice to feel free again.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10903416
Yeah it is Clean Now :)

!! HAVE A NICE TIME !!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Often we come across situations wherein our batch files would be needing to reboot Windows for a variety of reasons. A few of them would be like: (1) Setup files have been updated whose changes can take effect only after a reboot …
I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question