1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

IE Hijacking

Discussion in 'Virus & Other Malware Removal' started by b1ggles, Feb 15, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. b1ggles

    b1ggles Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    3
    Hi to all I am trying to fix a friends computer. It had about 30 viruses and heaps of spyware on it when he asked for my help.
    I have cleared all of the above but can not stop the hijacking of IE it keeps going to search miracle and when it does we seem to loose the internet although the connection is still alive.

    He is running XP home and I have tried putting service pack 2 on but this has not helped, running AVG Free ver 7, adaware SE, Pest Patrol, and zonealarm to try to combat the problems, below is the Hijack this log file any help in fixing the problems would be greatly appreciated.

    He did originally have Nortons Anti Virus on the system but it's not there any more I think he just deleted it as I have found that navprotect.exe is still being loaded, I have done a selected startup to try and shut down a few things at startup including navprotect but they seem to keep coming back!
    any help in removing the traces of nortons would be good aswell please.


    Logfile of HijackThis v1.99.0
    Scan saved at 5:37:40 PM, on 2/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\winasp.exe
    C:\WINDOWS\clfmon.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\system32\S3tray2.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\spoolvs.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\navprotect.exe
    C:\WINDOWS\system32\navprotect.exe
    C:\WINDOWS\system32\navprotect.exe
    C:\temp\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [start extracting] spoolvs.exe
    O4 - HKLM\..\Run: [NvCplScan] winasp.exe
    O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\svchst.exe /i
    O4 - HKLM\..\Run: [clfmon] C:\WINDOWS\clfmon.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteukn32.exe
    O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
    O4 - HKLM\..\RunServices: [start extracting] spoolvs.exe
    O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [start extracting] spoolvs.exe
    O4 - HKCU\..\Run: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
    O4 - HKCU\..\RunServices: [start extracting] spoolvs.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102585563529
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe
    O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



    Cheers b1ggles
     
  2. zupadupa

    zupadupa

    Joined:
    Feb 9, 2005
    Messages:
    64
    Is his IE patched with updates? You might need to uninstall and reinstall IE. Before doing that, clear the cookies, temp internet files and history.

    check out this site for process that can be or cannot be terminated:

    http://www.processlibrary.com/
     
  3. BLADE4356

    BLADE4356

    Joined:
    Feb 24, 2004
    Messages:
    79
    you installed sp2 before you cleaned your system out . problems , big time.....
     
  4. BLADE4356

    BLADE4356

    Joined:
    Feb 24, 2004
    Messages:
    79
    run hijack again and put a check by these ....
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
    Nasty This entry should be fixed by HijackThis
     
  5. BLADE4356

    BLADE4356

    Joined:
    Feb 24, 2004
    Messages:
    79
    sorry , i forgot to tell you , go into your add/delete and remove sp2 and go thru the steps on the previous post again. After you do that , go into your system restore and see if you can pull up an earlier date before you started having problems.
     
  6. b1ggles

    b1ggles Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    3
    Thanks Blade4356 will delete the entries you have mentioned. cannot do a restore because had to delete restore files to nuke 2 of the viruses and set a new restore point just before SP2 was installed.

    Cheers b1ggles
     
  7. b1ggles

    b1ggles Thread Starter

    Joined:
    Feb 15, 2005
    Messages:
    3
    Hi have removed enties that you suggested but still search miracle is running have posted new hijack this log. What is the entry about extracting (spoolvs.exe) all about sounds a bit funny!!

    Logfile of HijackThis v1.99.0
    Scan saved at 4:13:45 PM, on 2/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\navprotect.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\spoolvs.exe
    C:\WINDOWS\system32\winasp.exe
    C:\WINDOWS\clfmon.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\system32\S3tray2.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\navprotect.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\navprotect.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\temp\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [start extracting] spoolvs.exe
    O4 - HKLM\..\Run: [NvCplScan] winasp.exe
    O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\svchst.exe /i
    O4 - HKLM\..\Run: [clfmon] C:\WINDOWS\clfmon.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteukn32.exe
    O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
    O4 - HKLM\..\RunServices: [start extracting] spoolvs.exe
    O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [start extracting] spoolvs.exe
    O4 - HKCU\..\Run: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
    O4 - HKCU\..\RunServices: [start extracting] spoolvs.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102585563529
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe
    O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Cheers b1ggles
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/331157

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice