Webpage redirect-hijack this log

Discussion in 'Virus & Other Malware Removal' started by bamajeep, Feb 7, 2005.

  1. bamajeep (Thread Starter)

    Hi,
    My son has gotten interested in poker and has done some searching.

    Now whenever he clicks on a link with the word "poker" in it, or searches for anything with the word "poker" in it, it goes straight to www.pokerroom.com.

    Otherwise, all browser functions work fine. Have already run adaware SE and Spybot.

    HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:58:15 PM, on 2/7/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\royalvegasMPP\MPPoker.exe
    C:\Documents and Settings\Matt Everett\Desktop\Hijack this\HijackThis.exe

    O2 - BHO: (no name) - {78A0A7B9-58E9-5D81-FB6E-F379D71816BC} - C:\WINDOWS\System32\nepreqhc.dll
    O2 - BHO: (no name) - {EF24C0D2-F8FD-98D9-7EB9-286FBE09D055} - C:\WINDOWS\System32\lgatbsxr.dll
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Startup: DLHelperEXE.exe
    O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
    O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.belk.com/belkwebmail1.belkinc.com/iNotes.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81DE524A-AD47-4DD1-ADD5-8C1A680CAADE}: NameServer = 64.136.20.121 64.136.28.121

    What can I do? Thanks in advance for your help!!

  2. Cheeseball81 (Retired Moderator)

  3. bamajeep (Thread Starter)

    I got the newest version. Here is the updated log:

    Logfile of HijackThis v1.99.0
    Scan saved at 7:48:12 AM, on 2/8/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Matt Everett\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    O2 - BHO: (no name) - {78A0A7B9-58E9-5D81-FB6E-F379D71816BC} - C:\WINDOWS\System32\nepreqhc.dll
    O2 - BHO: (no name) - {EF24C0D2-F8FD-98D9-7EB9-286FBE09D055} - C:\WINDOWS\System32\lgatbsxr.dll
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Startup: DLHelperEXE.exe
    O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
    O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.belk.com/belkwebmail1.belkinc.com/iNotes.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81DE524A-AD47-4DD1-ADD5-8C1A680CAADE}: NameServer = 64.136.20.121 64.136.28.121
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: fpdvxcotptxn - Unknown - C:\WINDOWS\System32\msupd5.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thanks again for your help!!

  4. dvk01 (Moderator, Malware Specialist; first name Derek)

    Oh, that is a problem one there, but it isn't showing all the entries we normally see.

    Please do this:

    First make a folder for HJT, as we can't fix these pests with HJT running from the temp internet files folder.

    Make a folder C:\HJT and unzip HJT to that folder.

    Then reboot, run a new HJT scan and post the log.

    There might well be additional entries; if so, don't fix them until we have seen the log.

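As an added illustration (my own code, not from the thread, the responders or the HijackThis project), a small Python triage helper that parses lines in the log format posted above and flags the kinds of entries that stand out in this thread: nameless O2 BHOs loading DLLs with random-looking eight-letter names, O15 Trusted Zone / Trusted IP range additions, O16 DPF entries fetched from a local file:// path, and O23 services whose vendor is Unknown. The heuristics are assumptions of mine, not HijackThis rules, and the sample log is a constructed excerpt of the entries quoted in the posts.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in HijackThis log format, using entries quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {78A0A7B9-58E9-5D81-FB6E-F379D71816BC} - C:\WINDOWS\System32\nepreqhc.dll
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: fpdvxcotptxn - Unknown - C:\WINDOWS\System32\msupd5.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# "O<n> - <body>" is the shape of every HijackThis finding line.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Heuristic (assumption): eight-plus lowercase letters with no vowels pattern check, e.g. nepreqhc.dll
RANDOM_DLL_RE = re.compile(r"^[a-z]{8,}\.dll$")


def triage_entry(section, body):
    """Return a reason string if this entry deserves a closer look, else None."""
    if section == "O2" and body.startswith("BHO: (no name)"):
        dll_path = body.rsplit(" - ", 1)[-1]          # last field is the DLL path
        if RANDOM_DLL_RE.match(PureWindowsPath(dll_path).name):
            return "nameless BHO loading a DLL with a random-looking filename"
    if section == "O15":
        return "Trusted Zone / Trusted IP range entry (not present on a default install)"
    if section == "O16" and "file://" in body:
        return "ActiveX download (DPF) sourced from a local file:// path"
    if section == "O23" and " - Unknown - " in body:
        return "service with no known vendor"
    return None


def triage_log(text):
    """Parse a HijackThis log and return (section, reason, line) for flagged entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                                   # header/process lines are skipped
        reason = triage_entry(m.group(1), m.group(2))
        if reason:
            findings.append((m.group(1), reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```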
Short URL to this thread: https://techguy.org/327974