sc12345
asked on
find4u.net IE hijacking
I am having trouble removing a virus which has hijacked my start page and also inserted a number of web sites into my favorites. Below is my HijackThis scan log. Any assistance would be greatly appreciated - I've been working on this for far too long.
Logfile of HijackThis v1.97.7
Scan saved at 10:55:49 PM, on 8/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NewsStand\Reader\ADLSched.exe
C:\WINDOWS\zhelp.exe
C:\Program Files\Internet Explorer\IEeng.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.attbi.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NewsStand.Scheduler] "C:\Program Files\NewsStand\Reader\ADLSched.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEeng.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: TFTP3748
O4 - Global Startup: TFTP3960
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15f38e780df071174f01/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093314911656
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/Disk1/isetupml.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38047.7050462963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
thanks.
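The triage an expert does on a log like the one above can be scripted. Below is an added Python example (not part of this thread or of HijackThis) run over a constructed excerpt of the log: it flags IE start/search URLs whose host is not on the owner's expected list, autostart entries whose Windows-directory path differs from the machine's real system root (everything here runs from C:\WINNT, yet zhelp.exe sits in C:\WINDOWS), and startup items that are bare names with no path or extension. The trusted-host list and the two heuristics are assumptions of the example.

```python
import re
# Constructed excerpt of the HijackThis log posted above (extraction spaces removed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: TFTP3748
"""
# R0/R1 lines carry an IE URL setting; O4 lines are autostart entries.
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<url>https?://\S+)$")
O4_LINE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.+)$")
WINDIR_NAMES = {"windows", "winnt"}

def check_run_entry(where, cmd, system_root):
    """Flag a Windows-directory path that is not the machine's real system root,
    or a Startup item that is a bare name (no path, no extension). Heuristics assumed."""
    cmd = cmd.strip().strip('"')
    m = re.match(r"^[A-Za-z]:\\([^\\]+)", cmd)
    if m:
        if m.group(1).lower() in WINDIR_NAMES and m.group(0).lower() != system_root.lower():
            return "windir-mismatch"
    elif "Startup" in where and "." not in cmd:
        return "bare-startup-name"
    return None

def triage(log_text, trusted_hosts, system_root):
    """Return (reason, detail) pairs; trusted_hosts is the owner's expected host list (assumed)."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            host = m["url"].split("//", 1)[1].split("/", 1)[0].lower()
            if host not in trusted_hosts:
                findings.append(("untrusted-ie-url", host))
            continue
        m = O4_LINE.match(line)
        if m:
            reason = check_run_entry(m["where"], m["cmd"], system_root)
            if reason:
                findings.append((reason, m["cmd"]))
    return findings

if __name__ == "__main__":
    # System root is C:\WINNT per the "Running processes" section of the log.
    print(triage(SAMPLE_LOG, {"www.gateway.net", "www.comcast.net"}, r"C:\WINNT"))
```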
ASKER
Still working my way through it. First, the system would not allow me to fix the two TFTP files. It said the files may be in use. Second, as I go through the process re-enabling the applications one at a time, do I have to re-boot every time? Thanks
ASKER
Yes. I am all set. Thanks very much for all of your help.
Please close the question if your issue is solved
Fix these
C:\WINDOWS\zhelp.exe
C:\Program Files\Internet Explorer\IEeng.exe -- not sure why this is here
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEeng.exe -- not sure
O4 - Global Startup: TFTP3748
O4 - Global Startup: TFTP3960
Once you fix those, do these:
a) Start --> Run --> type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there except anti-virus. Reboot the machine and check if the webpage is still hijacked.
If not, then enable one at a time in the same Startup tab and find the application or process that might cause this at startup.
b) Turn off System Restore
c) Remove temporary internet files, folders and cookies
Also remove Windows Temp files by going to
1) Start --> Run --> type in: %systemroot%/temp
2) Start --> Run --> type in: %temp%
SR..