1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Browser Hijacking

Discussion in 'Virus & Other Malware Removal' started by ProfessorBob, Sep 7, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. ProfessorBob

    ProfessorBob Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    Hi & hope you can help.
    My grandkids downloaded Kazaa and a few other programs during their visit :eek: . I have been busy trying to clean out all unwanted applications & all the ‘ScumWare’ that came along for the ride. Unfortunately, my Home Page setting (Use Blank) still gets hijacked periodically to MSN.com. Here is a recap of what I’ve done so far:
    Downloaded & installed MS Service Pack 2, ran msconfig & selected Normal Startup. Rebooted & set Restore Point. Set Folder Options to show hidden files and folders. Ran CoolWebSearch Smartkiller (not found), CWShredder (cleaned infections found), Spybot S & D (fixed all), Ad-aware (quarantined all) and Bazooka Scanner (will follow advice later as to going into Registry Editor to correct). Prior to running the above, I checked for all available updates. I also downloaded, installed & ran Lavasoft’s VX2 Cleaner plug-in (system clean) as well as all other plug-ins. I’ve downloaded, installed & updated SpyBlaster. I’ve enabled IE & Restricted Sites protection and disabled the IE Home Page setting
    I then went into the Add/Remove Programs function in Control Panel and removed PGate Basic & a few other unwanted applications but was unable to delete Kazaa v. 2.1.1 or IMBUM. Nothing happens when I click remove IMBUM and I get the following error message trying to delete Kazaa, ‘Error loading C:\WINNT\System32\cd_clint.dll. The specified module could not be found.’ IMBUM has me stumped as I can’t find anything called that on my hard drive. I think it might have had something to do with NetPals or Lycos or 1 of the other Search Bars I was able to get rid of. I have downloaded ‘kazaabegone’ but have not run it as I’m hoping there might be an easier way (heard it sometimes can mess up your Internet connection but have already downloaded LSPFix if that’s the way to go). Here is a copy of my latest HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:43:28 PM, on 9/7/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\DESKTO~1\datray.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\America Online 8.0\aolwbspd.exe
    C:\Program Files\Hijack This\hijackthis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gatewaybiz.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WorkFlo] D:\Install\WorkFlow.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRA~1\DESKTO~1\datray.exe" -S
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://home.ingdirect.com
    O15 - Trusted Zone: http://security.symantec.com
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23690f731465b4991103/netzip/RdxIE601.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B228C5D8-679C-4985-AD4B-ACDA30A1A1E8}: NameServer = 205.188.146.146

    I’ve read a bit on this (and HiJack This) and I’m really worried about the last item (017). I’m also concerned about a few of the 04 & 016 items that I do not recognize. If anyone can help me (I know this is a minor problem) but it would be majorly appreciated. And if anyone can direct me to a site where I can learn more to help others as well as myself, that would be greatly appreciated too.
    Thanks in advance for any help in this. ProfessorBob
     
  2. espressoguy

    espressoguy

    Joined:
    Jul 29, 2003
    Messages:
    1,119
    Here is what I found out about entry 017
    Server Used: [ whois.arin.net ]

    205.188.146.146 = [ VTOT.proxy.aol.com ]

    OrgName: America Online Inc
    OrgID: AMERIC-59
    Address: 22080 Pacific Blvd
    City: Sterling
    StateProv: VA
    PostalCode: 20166
    Country: US
    NetRange: 205.188.0.0 - 205.188.255.255
    CIDR: 205.188.0.0/16
    NetName: AOL-DTC
    NetHandle: NET-205-188-0-0-1
    Parent: NET-205-0-0-0-0
    NetType: Direct Assignment
    NameServer: DNS-01.NS.AOL.COM
    NameServer: DNS-02.NS.AOL.COM
    Comment:
    RegDate: 1998-04-18
    Updated: 1998-04-27
    TechHandle: AOL-NOC-ARIN
    TechName: America Online Inc.
    TechPhone: 1-703-265-4670
    TechEmail: [email protected]

    It belongs to AOL. If this is your ISP then leave it. Keep watching the posts and someone will help with about blank.
     
  3. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Any clue what the line below is?

    O4 - HKLM\..\Run: [WorkFlo] D:\Install\WorkFlow.exe


    You have an outdated version of HiJackThis. (It's currently at v1.98.2)

    To update HiJackThis:

    Open the program. click "Config..." --> "Misc. Tools" --> "Check for Update Online".

    Or:

    Please go to the link below and download HiJackThis:

    ***NOTE***Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

    http://www.majorgeeks.com/download3155.html

    Under "Official Downloads" HiJackThis. It's the 2nd one down.

    Download and unzip to a permanent folder of your own creation.

    Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

    Save it to your permanent HiJackThis folder (or floppy disk if necessary).

    The log will open in Notepad. Click "Edit" then "Select All".

    Copy and paste the log back to this thread.

    Alternate download links:

    http://www.spychecker.com/program/hijackthis.html

    http://www.spywareinfo.com/~merijn/downloads.html
     
  4. ProfessorBob

    ProfessorBob Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    Hello again,
    Thanks for the fast reply. I double checked and found no critical updates. I downloaded and ran the latest version of HiJack This. Here is the latest log:
    Logfile of HijackThis v1.98.2
    Scan saved at 11:00:19 AM, on 9/8/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\DESKTO~1\datray.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\America Online 8.0\aolwbspd.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WorkFlo] D:\Install\WorkFlow.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRA~1\DESKTO~1\datray.exe" -S
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://home.ingdirect.com
    O15 - Trusted Zone: http://security.symantec.com
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23690f731465b4991103/netzip/RdxIE601.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B228C5D8-679C-4985-AD4B-ACDA30A1A1E8}: NameServer = 205.188.146.146

    Thanks again for your help. ProfessorBob
     
  5. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Before we start, let's disable your System Restore. After the infection's been cleaned re-enable system restore.


    Disabling System Restore in Windows XP Disable System Restore in Windows ME

    IF, for some reason, you lose the ability to use IE or lose your internet connection...open HJT-->"Config"-->"Backups"-->"Restore".


    Open HiJackThis. Click "Scan". Put a checkmark next to these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23690f731465b4...ip/RdxIE601.cab

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download...ller/dwnldr.cab

    Did you add the lines below to your trusted zone?

    O15 - Trusted Zone: http://home.ingdirect.com
    O15 - Trusted Zone: http://security.symantec.com



    Close ALL browser windows (except HiJackThis ;) ) and click "Fix checked."



    Re-start your computer and post another HJT log.
     
  6. ProfessorBob

    ProfessorBob Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    Hi again!
    Sorry for the delay in replying but I wanted to print out the directions you sent and was having a problem tying into the printer on this network. To answer your question, yes I added those 2 items to my trusted zone. In fact, you'll notice a 3rd item in my trusted zone in the new HiJack This log below. I run a higher security level than the default settings but lower it somewhat for these trusted sites. I ran HiJack This and fixed all the checked items you sent me. As you can see, I did not lose my Internet connection. {;›)
    I'm still showing IMBUM and Kazaa in my Add/Remove Programs that I still can't remove. I also noticed Win32 Bl Application in that listing. If memory serves me right, I should remove that as well. I have not turned on System Restore yet. Should I now?
    Here is my latest HJT log:
    Logfile of HijackThis v1.98.2
    Scan saved at 11:23:06 AM, on 9/12/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\PROGRA~1\DESKTO~1\datray.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijack This\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WorkFlo] D:\Install\WorkFlow.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRA~1\DESKTO~1\datray.exe" -S
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.colonialbank.com
    O15 - Trusted Zone: http://home.ingdirect.com
    O15 - Trusted Zone: http://security.symantec.com
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab


    Thanks once more for all your help. ProfessorBob
     
  7. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
  8. ProfessorBob

    ProfessorBob Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    Hi again FinestRanger,
    I downloaded and ran KazaaBegone and that eliminated it and all associated files after rebooting except for the shortcut in Start Programs. That I sent to the Recycle Bin and emptied it out. Unfortunately. Kazaa, IMBUM and Win32 Bl application are still listed in Add/Remove Programs and will not let me remove them. I get the same error message with Kazaa, nothing still happens with IMBUM and I get the following error message when trying to remove Win32 Bl application: Advanced INF Install
    Error: could not locate INF file ‘C:\WINNT\INF\payload.inf’.
    I checked for updates and ran Spybot S&D, Ad-aware, Bazooka, SpywareBlaster and Norton AntiVirus. Bazooka found registry keys relating to PromulGate and Starblaster. The sites it sent me to showed me which keys to locate and delete. Should I, while in Registry Editor deleting these keys, ask it to find all items named IMBUM and Kazaa and delete these?
    The worst problem is I’m still being hijacked. I brought up IE and my home page was again changed from about blank to MSN.com. {:◦( This doesn't happen all the time. I'm going to try keeping a log of what i'm doing and sites I visit to see if that can give me a clue as to what's causing it.
    I don’t mind going into the Registry Editor if need be. I’ve backed it up before and can do it again if necessary. Also, I still have not turned on System Restore. Here is the latest HJT log:
    Logfile of HijackThis v1.98.2
    Scan saved at 10:05:07 AM, on 9/13/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\DESKTO~1\datray.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe
    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\America Online 8.0\aolwbspd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijack This\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WorkFlo] D:\Install\WorkFlow.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRA~1\DESKTO~1\datray.exe" -S
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.colonialbank.com
    O15 - Trusted Zone: http://home.ingdirect.com
    O15 - Trusted Zone: http://security.symantec.com
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B228C5D8-679C-4985-AD4B-ACDA30A1A1E8}: NameServer = 205.188.146.146

    Thanks again for all your help. ProfessorBob
     
  9. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    As long as you check each entry it finds. If it's associated with another program, I'd err on the side of caution and leave it alone.

    IE's been known to revert homepages to msn.com, as it's the Microsoft homepage. It's not being hijacked.
     
  10. ProfessorBob

    ProfessorBob Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    Hi again,
    I'll be very cautious deleting any entries in the Registry. I plan on backing up the Registry Editor before making any changes. I assume no other problems were found in the last HJT log and I can now turn System Restore back on.
    I think I found my problem as to IE home page. I remembered it occurred after running AD-aware. I reran it and carefully examined the item it pointed out and it was showing a manual change of home page being possible hijack. Apparently I've been automatically checking it and it then takes 'about blank' out as my home page. MSN must come in as default as you mentioned. RED FACED here.
    Thanks again for all your help. Hopefully someday I can learn enough help others as well you do. ProfessorBob
     
  11. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Thanks for telling me the solution to your browser defaulting to msn. That'll be something I'll remember, about Ad-aware, for the next person. Thanks.

    You're welcome for the help we've provided. Happy surfing. ;)
     
  12. ProfessorBob

    ProfessorBob Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    8
    Hello and apologies!
    Sorry for the late reply but was busy moving into our new home ... remembering how much I hate this (moving that is). I'm assuming HJT log was clean and it's OK to enable System Restore which I'll do shortly. Glad I was able to help in some small measure and hope to learn more to someday help others like you fine people. Thanks again. I may be back soon as I now have to set up my wife's computer and she's complaining about some vague problem she's experiencing.
    Happy surfing to you too! ProfessorBob
     
  13. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Yes, go ahead and re-enable system restore. Your HijackThis log is clean.

    Remember to start a separate thread for your wife's computer. (y)
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/271457

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice