persistent hijack. Can you help me with this logfile
olly7801 asked:
Hi,
I have a persistent hijacked homepage - every time I open a browser window I get redirected. My Spybot and Ad-Aware SE don't seem to solve the root cause of the problem. Is there an .exe file that I have to delete? Here is my logfile from HijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 17:45:21, on 18/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rundll32.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=14&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=14&q=%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Corel Network monitor worker (HKLM)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Corel Network monitor worker (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=14&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=14&q=
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1092572674625
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38214.2250578704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
Hello olly7801 =)
Add this line also to the Fix list; this one is also nasty >:(
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
And you are using an old version of HijackThis, so from next time on use the latest version, i.e. v1.98.2 >> http://www.spychecker.com/program/hijackthis.html
and then post the LOG here >> http://www.hijackthis.de/index.php?langselect=english
It will automatically analyse it for you, so you will be able to fix the entries yourself, but if you still can't get it working, post the log here for us to analyse :)
!! GOOD LUCK !!
ASKER
I have tried all of the above to no avail.
Sunray - even after disabling all the applications the problem still persists (homepage of mk:@MSITStore:C:\spe\start.chm::/start.html#) before I bring each one back.
SheharyaarSaahil - I posted the log and performed the fixes, which also had no luck - now the homepage section of Control Panel > Internet Options > General is greyed out with the above homepage locked in.
Here is my latest log - when I delete the files suggested above they reappear every time I open Internet Explorer: aaaggh!!
Logfile of HijackThis v1.97.7
Scan saved at 10:25:44, on 19/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\GetRight\getright.exe
C:\PROGRA~1\GetRight\getright.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=14&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=14&q=%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Corel Network monitor worker (HKLM)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=14&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=14&q=
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1092572674625
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38214.2250578704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
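As an added example (not code from the thread, from HijackThis, or from any of the posters), here is a small Python triage of the entry lines in the log above. It parses the R0/R1, O2/O3, O6 and O13 formats, flags the values this hijack lives in (the heretofind.com search page and URL prefixes, the mk:@MSITStore start page, the orphaned MyWay toolbar, and the O6 policy key that is what greys out the home page box in Internet Options), and maps each to the registry key it reflects so the reset can be scripted with reg.exe. The sample log is constructed from entries quoted above; the indicator host list and the "stock" IE values are assumptions made for this example, not a signature database.

```python
"""Triage a HijackThis log for a start-page / search hijack and emit reg.exe resets.
Added example for this thread: not HijackThis code and not anything the posters ran.
The indicator hosts and the stock IE values below are assumptions for the example."""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Assumption: in this thread any mk:@MSITStore start page or a URL on these hosts is hostile.
BAD_HOSTS = ("heretofind.com",)
# Stock IE values; O13 prefixes are what IE prepends to addresses typed without a scheme.
STOCK_PREFIXES = {"DefaultPrefix": "http://", "WWW": "http://", "Home": "http://",
                  "Mosaic": "http://", "Gopher": "gopher://", "FTP": "ftp://"}
STOCK_R = {"Start Page": "about:blank",
           "Search Page": "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"}  # IE 6 default
URL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample in the shape of the log posted above, plus one stock O13 line
# so that both a flagged and an unflagged prefix are exercised.
SAMPLE_LOG = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=14&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Gopher Prefix: gopher://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""


class Finding(NamedTuple):
    section: str
    reason: str
    reg_key: str            # registry key the log line reflects
    reg_value: str          # value name under that key ("" = the key's default value)
    restore: Optional[str]  # value to write back, or None to delete


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for the R*/O* lines; header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text: str) -> List[Finding]:
    """Flag the entries a hijack lives in and record where in the registry each one sits."""
    found: List[Finding] = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1") and " = " in body:
            # "HKCU\...\Main,Start Page = <url>": key before the comma, value name after it
            location, url = body.split(" = ", 1)
            key, name = location.split(",", 1)
            low = url.lower()
            if low.startswith("mk:@msitstore:") or any(h in low for h in BAD_HOSTS):
                found.append(Finding(section, f"{name} redirected to {url}", key, name,
                                     STOCK_R.get(name, "about:blank")))
        elif section == "O13":
            label, _, url = body.partition(": ")
            name = label.replace(" Prefix", "")  # "WWW Prefix" -> "WWW"
            if url != STOCK_PREFIXES.get(name):
                key = URL_KEY + (r"\DefaultPrefix" if name == "DefaultPrefix" else r"\Prefixes")
                value = "" if name == "DefaultPrefix" else name.lower()
                found.append(Finding(section, f"{name} prefix rewritten to {url}", key, value,
                                     STOCK_PREFIXES.get(name, "http://")))
        elif section == "O6" and body.endswith(" present"):
            # IE policy key; a HomePage=1 value under ...\Control Panel greys out the home page box
            key = body[:-len(" present")]
            value = "HomePage" if key.endswith("Control Panel") else ""
            found.append(Finding(section, "IE policy key present (locks Internet Options)", key, value, None))
        elif section in ("O2", "O3") and body.endswith("(file missing)"):
            m = CLSID_RE.search(body)
            if m and section == "O2":
                found.append(Finding(section, "BHO registered but DLL gone", BHO_KEY + "\\" + m.group(), "", None))
            elif m:
                found.append(Finding(section, "toolbar registered but DLL gone", TOOLBAR_KEY, m.group(), None))
    return found


def reg_commands(findings: List[Finding]) -> List[str]:
    """reg.exe lines that undo each finding; the HKLM ones need an administrator account."""
    cmds = []
    for f in findings:
        sel = f'/v "{f.reg_value}"' if f.reg_value else "/ve"
        if f.restore is not None:
            cmds.append(f'reg add "{f.reg_key}" {sel} /d "{f.restore}" /f')
        elif f.reg_value:
            cmds.append(f'reg delete "{f.reg_key}" {sel} /f')
        else:
            cmds.append(f'reg delete "{f.reg_key}" /f')  # whole key, e.g. an orphaned BHO CLSID
    return cmds


if __name__ == "__main__":
    fs = triage(SAMPLE_LOG)
    for f, cmd in zip(fs, reg_commands(fs)):
        print(f"{f.section}: {f.reason}\n    {cmd}")
```

The second log in this thread shows the fixed entries coming straight back the next time Internet Explorer is opened, so this reset is the last step, not the first: whatever is rewriting the values has to be found and removed before the reg commands are run, otherwise they are undone on the next browser launch. Pause TeaTimer and any real-time protection while running them, and run the HKLM ones from an administrator account.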
Hi! olly7801
First, you're using an outdated version of HijackThis.
Go to the following and download the latest version (1.98.2)
http://www.subratam.org/?page=removal
Also, while at subratam, download the "Start.Chm fix" tool. {Courtesy - Shadowwar}
Install HijackThis to a permanent folder of its own (something like C:\HJT\HijackThis.exe) -
do not install it into a temp folder or run it directly from your Desktop.
Make sure the option to show all files and folders, including hidden and system, is enabled.
Make sure all Internet Explorer or browser windows are closed!
Run Startchmfix.exe and extract the folder to your desktop
Open the folder it creates.
Double click on the fix.bat
Only run it once or you will lose the backups, although they shouldn't be needed.
Notepad will open at the end with a message and the bad file listing at the end.
The tool is designed so that if it is unable to remove the file, it will tell you to reboot and will remove it on reboot.
If no files show in the bad file listing then do a reboot and do a search for any of these files and DELETE them:
C:\Windows\System32\C_10230.DLL
C:\WINDOWS\System32\CRTV2_32.DLL
C:\WINDOWS\CRTV2_32.DLL
C:\WINDOWS\System32\CRT32_V2.DLL
C:\WINDOWS\CRT32_V2.DLL
Clean out all your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
<=This will delete all your cached internet content including cookies.
This is recommended and strongly suggested!
However, if you delete all your cookies - this will affect your stored Internet passwords
and your ability to logon automatically to various sites.
So, consider deleting all your cookies - optional.
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Reboot and rescan with HijackThis and post a new log file here (ver. 1.98.2) -
also, post the contents of the notepad file startchmfix.exe generated.
If you have any questions - let me know.
Good luck!
RF
ASKER
Great,
thanks for that, my homepage is now reset. The startfix had no bad files found.
Here is the logfile from HijackThis, which still shows a couple of R1 entries below that look nastily familiar.
Also, how do I un-grey the homepage section in Internet Options? I think I did that with the Tweak UI tool! Many thanks so far.
Logfile of HijackThis v1.98.2
Scan saved at 17:46:38, on 03/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools v.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bi n\jusched. exe
C:\windows\system\hpsysdrv .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.ex e
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\iTunes\iTunesHelper. exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\System32\nvsvc3 2.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\rundll 32.exe
C:\PROGRA~1\HPPAVI~1\Pavil ion\XPHWWB P4\plugin\ bin\PCHBut ton.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GetRight\getright.ex e
C:\Program Files\GetRight\getright.ex e
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService .exe
C:\PROGRA~1\Altnet\DOWNLO~ 1\asm.exe
C:\WINDOWS\System32\wuaucl t.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepa d.exe
C:\Program Files\hijackthis\HijackThi s.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=14&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=14&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {DF62E4BA-2FAA-4189-9D8F-F372ECB6FD5B} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {DF62E4BA-2FAA-4189-9D8F-F372ECB6FD5B} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
ASKER
Excellent, all gone!
Thank you v much indeed great advice/help!!
Hi!
For future reference to keep your computer clean.
See this link for general info on security and browser issues:
https://www.experts-exchange.com/questions/20975384/Standard-response-material-re-Spyware-Adware-BHOs-and-other-Malware.html
One of the experts here has put together a site with a lot of useful info:
This on browser hijacking -
http://www.petenetlive.com/Tech/Browsers/hijack.htm
And also see TonyKlein's good advice
So how did I get infected in the first place?
http://forums.net-integration.net/index.php?showtopic=3051
Make sure to run Ad-Aware and Spybot S & D often
Thanks and good luck!
RF
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=14&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=14&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=14&q=
Also do these
a) Start --> run --> Type in "msconfig" and press "Enter"
go to the Startup tab
Disable all the applications there except anti-virus. Reboot the machine and check if the webpage is still hijacked.
If not, then enable one at a time in the same startup tab and find the application or process that might cause this at startup
b) Turn off system restore
c) lock the homepage using Spybot
First go to IE --> tools --> Internet options and setup a homepage of your choice
Then what you can do is this.. Install spybot 1.3 : www.softpedia.com/public/cat/10/17/10-17-21.shtml
open it and update it
go to mode --> advanced mode
now on the bottom left navigation pane, you should see tools
click on it and go to "IE tweaks"
and check "lock IE startup page setting against user changes"
Close spybot
Open IE and check how it goes
d) Remove temporary internet files, folders and cookies
Also remove windows Temp files going to
1) Start --> run --> type in: %systemroot%/temp
2) Start --> run --> type in: %temp%
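As an added illustration (not posted by anyone in this thread): a PowerShell audit of the registry values behind the R0/R1, O13 and O6 lines quoted above. It assumes PowerShell is installed on the machine; the domain to look for is taken from the log, and the value names are the standard Internet Explorer ones.

```powershell
# Added example, not from the thread: audit the IE registry locations that
# HijackThis reports as R0/R1 (start/search page), O13 (URL prefixes) and
# O6 (Control Panel policy) and flag anything pointing at the hijacker domain.
param([string]$BadDomain = 'heretofind.com')   # taken from the log above

# R0/R1: Start Page and Search Page for the current user and the machine
$mainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)
# O13: prefixes IE prepends to addresses typed without a scheme
$prefixKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes'
$defaultKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'
# O6: policy key whose HomePage DWORD greys out the Home page box in Internet Options
$policyKey  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Test-Hijacked([string]$Value) {
    return ($Value -and $Value -match [regex]::Escape($BadDomain))
}

$findings = @()
foreach ($key in $mainKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
        $v = $props.$name
        if (Test-Hijacked $v) { $findings += "$key\$name = $v" }
    }
}
if (Test-Path $prefixKey) {
    $props = Get-ItemProperty -Path $prefixKey
    foreach ($name in 'www', 'home', 'mosaic', 'gopher', 'ftp') {
        $v = $props.$name
        if (Test-Hijacked $v) { $findings += "$prefixKey\$name = $v" }
    }
}
if (Test-Path $defaultKey) {
    $v = (Get-ItemProperty -Path $defaultKey).'(default)'
    if (Test-Hijacked $v) { $findings += "$defaultKey\(default) = $v" }
}
if ($findings.Count -eq 0) { "No values pointing at $BadDomain found." } else { $findings }

# The greyed-out Home page box: a HomePage policy value of 1 locks it
# (this is what Spybot's "lock IE startup page" option sets).
if ((Test-Path $policyKey) -and ((Get-ItemProperty -Path $policyKey).HomePage -eq 1)) {
    "Home page box is locked by $policyKey\HomePage = 1; set it to 0 or delete it to un-grey the box."
}
```

Run it from an elevated prompt so the HKLM keys are readable; it only reads the registry and reports, it changes nothing.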