hijacked need help plz

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Arithon

Thread Starter
Joined
Feb 8, 2005
Messages
1
Hi, my browser was recently hijacked and redirected to coolweb, so I did a scan with adware, spybot, spysweeper, etc. I managed to stop the redirecting to coolweb but still cannot set my homepage; it keeps on saying default or something.

My hijack log is as follows.
Help much appreciated.
Thanks
Logfile of HijackThis v1.99.0
Scan saved at 3:11:44 PM, on 2/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ccxgui\ccXservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ccxgui\ccxStream.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ccxgui\ccxStream.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON32] C:\WINDOWS\system32\CTFMON32.EXE
O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\system32\CSRSSU.EXE
O4 - Startup: ccx.lnk = C:\Program Files\ccxgui\ccx.bat
O4 - Startup: ccx1.lnk = C:\Program Files\ccxgui\ccx1.bat
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A9C6419-A89D-49F5-A0D6-FAA896740C63}: NameServer = 192.189.54.26 192.189.54.37
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ccXgui - [XC]D-Ice - C:\Program Files\ccxgui\ccXservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
 
Joined
Sep 16, 2002
Messages
1,157
In HJT, from the Scan window, click on "Config"
(or from the intro screen, click "misc tools" button, then "Main")
Type in your desired homepage in the "Default Start Page" field.

Go back to the Scan window (c/o "Back" button)
Checkmark these entries and click "Fix Checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\system32\CSRSSU.EXE

You can also checkmark this entry. Although it's a legitimate Creative SB entry (not malware), it's quite useless:
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

Download and run CWShredder (free standalone version).
Save it to a permanent location.
Open it and click the "Fix" button.

Important: Make sure all browser/email/explorer windows are closed before fixing with HJT and CWShredder. You should download CWShredder first, close all windows, do the HJT fixes, then run CWShredder.

Locate and delete:
C:\WINDOWS\system32\CSRSSU.EXE

Note: you may need to reboot (preferably into safe mode) to delete csrssu.exe,
and if you haven't done so already, you may need to checkmark "show hidden files" and uncheck "hide extensions for known filetypes" in: Control Panel > Folder Options > View tab.

I also recommend that you checkmark "enable permanent blocking..." in SpybotSD > Immunize.
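The entries singled out in the reply above (a start page the user did not set, and a Run value whose executable name imitates a core Windows process) can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread or of HijackThis itself; the function names, the `CORE_NAMES` list and the `expected_home` URL are assumptions made for illustration, and a hit is a prompt for manual review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Core Windows process names that startup entries sometimes imitate
# (illustrative list chosen for this example, not exhaustive).
CORE_NAMES = ("csrss", "lsass", "smss", "svchost", "winlogon", "spoolsv")

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
START_RE = re.compile(r"^R0 - (?P<hive>HKLM|HKCU)\\.*,Start Page = (?P<url>\S+)$")

def image_stem(cmd):
    """Return the lower-cased executable name, without extension, from a Run value."""
    if cmd.startswith('"'):
        path = cmd.split('"')[1]                  # quoted path, arguments follow
    else:
        m = re.match(r"(?i)(.*?\.exe)", cmd)      # unquoted path may contain spaces
        path = m.group(1) if m else cmd
    return PureWindowsPath(path).stem.lower()

def lookalike_of(stem):
    """Name the core process that `stem` extends by one or two characters, else None."""
    for core in CORE_NAMES:
        if stem != core and stem.startswith(core) and len(stem) - len(core) <= 2:
            return core
    return None

def triage(log_text, expected_home):
    """Return (kind, hive, detail) tuples for entries that need manual review."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if m := START_RE.match(line):
            if m["url"] != expected_home:
                findings.append(("start-page", m["hive"], m["url"]))
        elif m := RUN_RE.match(line):
            core = lookalike_of(image_stem(m["cmd"]))
            if core:
                findings.append(("lookalike-run", m["hive"], f'{m["cmd"]} (resembles {core}.exe)'))
    return findings

# A few lines copied from the HijackThis log in this thread.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\system32\CSRSSU.EXE
"""

if __name__ == "__main__":
    # expected_home is a placeholder for the homepage the user actually wants.
    for finding in triage(SAMPLE, expected_home="http://www.example.com/"):
        print(finding)
```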
 