
hijacked need help plz

Discussion in 'Virus & Other Malware Removal' started by Arithon, Feb 8, 2005.

Thread Status:
Not open for further replies.
  1. Arithon

    Arithon Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    1
    Hi. My browser was recently hijacked and redirected to coolweb, so I did scans with Ad-Aware, Spybot, SpySweeper, etc. I managed to stop the redirecting to coolweb but still cannot set my homepage; it keeps on saying default or something.

    my hijack log is as follows
    help much appreciated
    thanks
    Logfile of HijackThis v1.99.0
    Scan saved at 3:11:44 PM, on 2/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ccxgui\ccXservice.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
    C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\ccxgui\ccxStream.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\ccxgui\ccxStream.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON32] C:\WINDOWS\system32\CTFMON32.EXE
    O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\system32\CSRSSU.EXE
    O4 - Startup: ccx.lnk = C:\Program Files\ccxgui\ccx.bat
    O4 - Startup: ccx1.lnk = C:\Program Files\ccxgui\ccx1.bat
    O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9C6419-A89D-49F5-A0D6-FAA896740C63}: NameServer = 192.189.54.26 192.189.54.37
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ccXgui - [XC]D-Ice - C:\Program Files\ccxgui\ccXservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
     
  2. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    In HJT, from the Scan window, click on "Config"
    (or from the intro screen, click "misc tools" button, then "Main")
    Type in your desired homepage in the "Default Start Page" field.

    Go back to the Scan window (c/o "Back" button)
    Checkmark these entries and click "Fix Checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\system32\CSRSSU.EXE

    You can also checkmark this entry. Although it's a legitimate Creative SB entry (not malware), it's quite useless:
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    Download and run CWShredder (free standalone version)
    Save it to a permanent location
    open it and click the "Fix" button.

    Important: Make sure all browser/email/explorer windows are closed before fixing with HJT and CWShredder. You should download CWShredder first, close all windows, do the HJT fixes, then run CWShredder.

    Locate and delete:
    C:\WINDOWS\system32\CSRSSU.EXE

    Note: you may need to reboot (preferably into safe mode) to delete csrssu.exe
    and if you haven't done so already, you may need to checkmark "show hidden files" and uncheck "hide extensions for known filetypes" in: Control Panel > Folder Options > View tab.

    I also recommend that you checkmark "enable permanent blocking..." in SpybotSD > Immunize
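The three entries The_Egg asks to fix (two R0 start-page values pointing at the bogus http://default.home, and an HKCU Run entry launching CSRSSU.EXE, a name chosen to look like the real csrss.exe) are exactly the kind of thing a small log triage script can surface automatically. The following is an added example, not code from the thread or from HijackThis; it parses R0, O4 and O17 lines from a constructed sample made of lines copied from the log above, and flags a start page that differs from the homepage the user actually wants (assumed here to be about:blank), Run entries whose executable name imitates a core Windows process, and O17 DNS servers not on an expected list. The lookalike list and the expected-DNS parameter are assumptions for illustration; a hit means "review this", not a verdict (CTFMON32, for instance, is surfaced only because of its name).

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home",
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - HKCU\..\Run: [CTFMON32] C:\WINDOWS\system32\CTFMON32.EXE",
    r"O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\system32\CSRSSU.EXE",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9C6419-A89D-49F5-A0D6-FAA896740C63}: NameServer = 192.189.54.26 192.189.54.37",
    r"O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe",
]

# HijackThis line shapes: "<section> - <body>", then section-specific bodies.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
R0_RE = re.compile(r"^(?P<hive>HKCU|HKLM)\\.*,Start Page = (?P<url>\S+)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.*)$")
EXE_RE = re.compile(r'"?(?P<path>.*?\.exe)"?', re.IGNORECASE)

# Assumed heuristic: core system processes are never launched from a Run key,
# and malware commonly picks names that differ from them by a suffix (csrssu, ctfmon32).
NEVER_IN_RUN = {"csrss", "winlogon", "lsass", "smss", "services", "svchost"}
LOOKALIKE_BASES = NEVER_IN_RUN | {"ctfmon", "explorer"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def exe_stem(cmd: str) -> str:
    """Return the lower-cased file name without extension of the command's executable."""
    m = EXE_RE.match(cmd.strip())
    path = m.group("path") if m else cmd.strip().split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def suspicious_run_stem(stem: str):
    """Reason string if a Run-key executable name warrants review, else None."""
    if stem in NEVER_IN_RUN:
        return f"{stem}.exe is never started from a Run key"
    for base in LOOKALIKE_BASES:
        if stem != base and stem.startswith(base):
            return f"name imitates the system process {base}.exe"
    return None


def triage(lines, expected_start_page: str, expected_dns=()):
    """Parse R0/O4/O17 entries and return findings for a human to review."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "R0":
            r = R0_RE.match(body)
            if r and r.group("url").rstrip("/") != expected_start_page.rstrip("/"):
                findings.append(Finding(section, f"{r.group('hive')} start page is "
                                        f"{r.group('url')!r}, expected {expected_start_page!r}", line))
        elif section == "O4":
            o = O4_RE.match(body)
            if o:
                reason = suspicious_run_stem(exe_stem(o.group("cmd")))
                if reason:
                    findings.append(Finding(section, f"[{o.group('name')}]: {reason}", line))
        elif section == "O17":
            o = O17_RE.search(body)
            if o:
                unexpected = [s for s in o.group("servers").split() if s not in expected_dns]
                if unexpected:
                    findings.append(Finding(section, "DNS servers not on the expected list: "
                                            + ", ".join(unexpected), line))
    return findings


def run_sample():
    # Assumed desired homepage; no expected DNS list, so any O17 server is reported.
    return triage(SAMPLE_LOG, expected_start_page="about:blank")


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.section}: {f.reason}")
```

Running it on the sample reports both start-page values, the two lookalike Run entries, and the O17 name servers; the O4 entries for atiptaxx.exe and msmsgs.exe pass silently, which matches the reply's verdict that only CSRSSU needs fixing (UpdReg is mentioned there as merely useless, not as malware, so it is not flagged).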
     
Short URL to this thread: https://techguy.org/328009