Solved

WinXP IE maybe hijacked

Posted on 2004-04-23
12
982 Views
Last Modified: 2012-05-04
Hi, I don't know but I think my WinXP IE is been hijacked. I haven't used my XP box for about five months, I started using it three weeks ago and everytime I launch IE the homepage is http://www.enjoysearch.info/, I tried to change that and it just keeps coming back, I use Adaware 6.0 and it can't find anything. The other wierd thing is that when I type the DN 'www.google.com' I get totally something different i.e. phpmyadmin, phppgadmin etc.. Could someone tell me if you can what is happening with my IE, I feel like it is been hijacked and don't know how to prevent it from been hijacked.

Thanks in advance!!
0
Comment
Question by:ridak
  • 7
  • 4
12 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10902733
Hello ridak =)

Download Hijacthis and run the software, save the log file and post here
http://www.softpedia.com/public/cat/10/17/10-17-69.shtml

!! GOOD LUCK !!
0
 

Author Comment

by:ridak
ID: 10902821
Logfile of HijackThis v1.97.7
Scan saved at 3:00:21 PM, on 4/23/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\jushed32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dua\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scanthenet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
O1 - Hosts: 69.93.33.159 msn.com
O1 - Hosts: 69.93.33.159 search.msn.com
O1 - Hosts: 69.93.33.159 www.msn.com
O1 - Hosts: 69.93.33.159 www.google.com
O1 - Hosts: 69.93.33.159 google.com
O1 - Hosts: 69.93.33.159 altavista.com
O1 - Hosts: 69.93.33.159 www.altavista.com
O1 - Hosts: 69.93.33.159 yahoo.com
O1 - Hosts: 69.93.33.159 www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\btohwfbi.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-113111111111} - mhtml:file://C:\NO_SUCH_MHT.MHT!http://www.enjoysearch.info/gfe/winlogon.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.8230439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
-----------------------------------------------------------------------------------------------

Hello SheharyaarSaahil, thanks for the reply, there is the log file for hijackthis.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10902889
Put a check mark against these entries and click on FIX.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scanthenet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-113111111111} - mhtml:file://C:\NO_SUCH_MHT.MHT!http://www.enjoysearch.info/gfe/winlogon.exe
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 10902913
Looks like you probably have some Malware on your system.  I would first do a full virus scan if you haven't already:

http://housecall.trendmicro.com/

See if anything is detected and clean anything that is found.

Then, download/install/run the following:

Spybot: http://www.softpedia.com/public/cat/10/17/10-17-21.shtml
Adaware: http://www.softpedia.com/public/cat/10/17/10-17-58.shtml

Make sure that you update both of those programs after installing them so that you have the latest definition files.  These three things should clean everything up for the most part.  I would post an updated HijackThis log after you're done so we can see if there is anything left over that the programs couldn't get rid of.

Good luck!

Tom
0
 

Author Comment

by:ridak
ID: 10903014
Logfile of HijackThis v1.97.7
Scan saved at 3:18:25 PM, on 4/23/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\jushed32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dua\Local Settings\Temp\Temporary Directory 2 for hijackthis1977.zip\HijackThis.exe

O1 - Hosts: 69.93.33.159 msn.com
O1 - Hosts: 69.93.33.159 search.msn.com
O1 - Hosts: 69.93.33.159 www.msn.com
O1 - Hosts: 69.93.33.159 www.google.com
O1 - Hosts: 69.93.33.159 google.com
O1 - Hosts: 69.93.33.159 altavista.com
O1 - Hosts: 69.93.33.159 www.altavista.com
O1 - Hosts: 69.93.33.159 yahoo.com
O1 - Hosts: 69.93.33.159 www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\btohwfbi.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.8230439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
=======================================================
After the fix, this is the log file when I ran the program a second time.
The enjoysearch homepage is gone but I seem to be having the same issue in accessing "www.google.com" I get the same web page which displays:

Web Utilities
WebShell3

DB Utilities
phpMyAdmin - Admin interface for MySQL
phpPgAdmin Admin interface for PostgreSQL

EMail Utilities
IMP - mail client
Change your POP3 password
=======================================================Thanks in advance!!

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10903090
That's good that it was removed, adn now u have to FIX these entries.

O1 - Hosts: 69.93.33.159 msn.com
O1 - Hosts: 69.93.33.159 search.msn.com
O1 - Hosts: 69.93.33.159 www.msn.com
O1 - Hosts: 69.93.33.159 www.google.com
O1 - Hosts: 69.93.33.159 google.com
O1 - Hosts: 69.93.33.159 altavista.com
O1 - Hosts: 69.93.33.159 www.altavista.com
O1 - Hosts: 69.93.33.159 yahoo.com
O1 - Hosts: 69.93.33.159 www.yahoo.com


After fixing, reboot the machine, and check for the problem, if it is gone then it's Superb. otherwise download this software and run it.

CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:ridak
ID: 10903221
Hi SheharyaarSaahil, I fixed the above entries and rebooted the system but after rebooting guess what happen, well take look at the Log file.
Entries R1 and R0 are back again with the same webpage as my IE's homepage

The good news is that accessing "www.google.com" is okay now and it is able to retrieve the contents of that page correctly.

=======================================================
Logfile of HijackThis v1.97.7
Scan saved at 3:41:36 PM, on 4/23/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\msrexe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\jushed32.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Documents and Settings\Dua\Local Settings\Temp\Temporary Directory 4 for hijackthis1977.zip\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\btohwfbi.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.8230439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
=======================================================
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10903229
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10903268
> C:\WINDOWS\jushed32.exe


Ok i have found now, that what is creating problems for u, it is the above file, u have to remove it, read these instructions, i ahev copied form another forum site,

"I just got rid of this nasty from my PC. It is not related to java, although it was meant to resemble the java program jusched.exe. In fact, that's what tipped me off that this was the culprit - The java programs don't run from c:\windows - They all run from C:\Program Files\Java\<version>\bin\ directory.

Pest Patrol, AdAware 6.0 and Spybot S&D all missed this one. It is a browser hijacker that kept setting my home page to www.enjoysearch.info, as well as changing my default search engines.

Here's how I killed it: Run Task Manager and kill jushed32.exe with the End Process button. Then run regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr
entVersion\Run. Delete the key that references jushed32.exe (mine was located in c:\windows). Then delete the file c:\windows\jushed32.exe"
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 45 total points
ID: 10903277
After removing it by the above method, reboot the machine, and run hijack, and post the log file, so we can check if it comes back or not ??
0
 

Author Comment

by:ridak
ID: 10903393
Yeah that did it, and here is the log file just to show that it no longer shows up.
=====================================================
Logfile of HijackThis v1.97.7
Scan saved at 4:01:19 PM, on 4/23/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\msrexe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Documents and Settings\Dua\Local Settings\Temp\Temporary Directory 5 for hijackthis1977.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\btohwfbi.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.8230439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
=======================================================
thanks for your help SheharyaarSaahil, it's nice to feel free again.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 10903416
Yeah it is Clean Now :)

!! HAVE A NICE TIME !!
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
Sometimes a user will call me frantically, explaining that something has gone wrong and they have tried everything (read - they have messed it up more and now need someone to clean up) and it still does no good, can I help them?!  Usually the standa…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now