1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Please check my log

Discussion in 'Virus & Other Malware Removal' started by funkenbooty, Oct 10, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. funkenbooty

    funkenbooty Thread Starter

    Joined:
    Jul 15, 2003
    Messages:
    235
    Something keeps trying to hijack my homepage. This log is after running AdAware and SpyBotSD

    Logfile of HijackThis v1.96.4
    Scan saved at 20:00:30, on 10/10/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\system32\ZoneLabs\vsmon.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Browser Hijack Blaster\bhblaster.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\WINDOWS\system32\netdde.exe
    D:\WINDOWS\system32\clipsrv.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Microsoft Office\Office\WINWORD.EXE
    D:\WINDOWS\msagent\AgentSvr.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Documents and Settings\Paul\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\googletoolbar.dll
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - Global Startup: Shortcut to bhblaster.exe.lnk = D:\Program Files\Browser Hijack Blaster\bhblaster.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Google Search - res://D:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://D:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://D:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://D:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/13135f735c221cfb5403/netzip/RdxIE601.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.172.226.178/axiscam/dll/AxisCamControl.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.7903009259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{177A9559-35A9-4822-9BA2-9EE3CE1BBE3E}: NameServer = 216.162.192.12 216.162.192.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{177A9559-35A9-4822-9BA2-9EE3CE1BBE3E}: NameServer = 216.162.192.12 216.162.192.4
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  3. man1ac

    man1ac

    Joined:
    Oct 7, 2003
    Messages:
    18
  4. funkenbooty

    funkenbooty Thread Starter

    Joined:
    Jul 15, 2003
    Messages:
    235
    Strange. I never had any problems until after I installed Browser Hijack Blaster. The same day an alert pops up saying my homepage was being jacked but when I click to save my page the same warning keeps popping up repeatedly until I just close Browser Hijack Blaster and reset my homepage.
     
  5. man1ac

    man1ac

    Joined:
    Oct 7, 2003
    Messages:
    18
    according to http://www.wilderssecurity.net/bhblaster.html
    " If a spyware application tries to install its BHO at boot-up, and change settings at boot-up, before Browser Hijack Blaster is activated, you will be notified and (like the situation above) given the option to keep the change or to revert to your previous settings"
    i guess the popup alert comes from browserhijackblaster?
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You can update the Hijack This version you have.

    Open Hijack This and click on the "Config" button in the lower right corner then click on the "Misc tools" button then click on "Check for update online" and dowload the update and post the log from that.
     
  7. funkenbooty

    funkenbooty Thread Starter

    Joined:
    Jul 15, 2003
    Messages:
    235
    Again tonight something caused my homepage to be set to blank. Could not reset and could not open IE again after closing all open browsers, finally had to reboot . Here is the latest log maybe someone can see something in here before I run AdAware and SpyBotSD. I never had this problem until I started using Browser Hijack Blaster. I am beginning to think that maybe I'd be better off without it!
    Logfile of HijackThis v1.97.3
    Scan saved at 19:45:30, on 10/15/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\Program Files\Browser Hijack Blaster\bhblaster.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    D:\WINDOWS\system32\ZoneLabs\vsmon.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Documents and Settings\Paul\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=qkclk
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\windows\googletoolbar.dll
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - Global Startup: Shortcut to bhblaster.exe.lnk = D:\Program Files\Browser Hijack Blaster\bhblaster.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Google Search - res://D:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://D:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://D:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://D:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1C44E9F2-4B84-11D4-9B88-009027889212} (Ontrack ASP Web Tools) - http://askdrtech.com/ontrack/bin/nppcfix.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/13135f735c221cfb5403/netzip/RdxIE601.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.172.226.178/axiscam/dll/AxisCamControl.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.7903009259
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{177A9559-35A9-4822-9BA2-9EE3CE1BBE3E}: NameServer = 216.162.192.12 216.162.192.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{177A9559-35A9-4822-9BA2-9EE3CE1BBE3E}: NameServer = 216.162.192.12 216.162.192.4
     
  8. funkenbooty

    funkenbooty Thread Starter

    Joined:
    Jul 15, 2003
    Messages:
    235
    can someone please check this latest log?:D
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    This is the only one i see that needs to go:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>

    Try this open spybot and click on "Immunize" and at the bottom of that page under "Recommened miscellaneous protections"

    Put a check by " Lock IE start page against user changes"
    (current user)

    I would also recommend that you install the Immunizer and bad download blocker found on that same page.

    Note: Spybot must be open in Advanced Mode to see these features. If you don't see them go to Start > All Programs > Spybot Search & Destroy > Spybot S&D (Advanced Mode) and open it that way.
     
  10. funkenbooty

    funkenbooty Thread Starter

    Joined:
    Jul 15, 2003
    Messages:
    235
    Thanks! Did what you suggested. Is having Browser Hijack Blaster really needed do you think?
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome.

    I don't know much about Browser Hijack Blaster. I don't use it.

    I use SpywareBlaster and SpywareGuard.
     
  12. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    I use the one within SpywareGuard myself ...

    From the SpywareGuard site:

    "It is recommended that potential users of Browser Hijack Blaster look at SpywareGuard instead. SpywareGuard's Browser Hijack Protection is very similar to that of Browser Hijack Blaster, but is much more advanced and will provide more protection. (SpywareGuard is also freeware.) "

    http://www.wilderssecurity.net/bhblaster.html
     
  13. funkenbooty

    funkenbooty Thread Starter

    Joined:
    Jul 15, 2003
    Messages:
    235
    thanks again for the help and the website tip
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/171119

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice