|
| ||
| Re: IE6 has been constantly hijacked by .... hi all i read your advise on these pages and you guys are doing a great service glad to see theres still decent peeps out there. Enough with the creeping.LOL Anyway i came across this site as im having probs with ie6 being hijacked im using the usual precautions spybot,zonealarm pro,norton antivirus 2004. but i have been recently plagued with backweb i think it crept in on a keygen and NAV didnt spot it or something. My immune on spybot S&D is up to date. But i have this naffing searchsprint.com toolbar i disabled the toolbar but know when i browse the web i get a bar down the left hand page simmiliar to that of the history bar or favorites bar appear in my browser then popups started appearing now i have this p4mx4?? everytime i boot up i get an error msg saying "unable to load p4mx4 please specify the program exists" or words to that affect i used hijackthis.exe. but im not as wise as you boys so i dont know if ive sorted it or not i still have p4mx4 as i dont know what it is so i havent removed it.Please advise I can see you guys are busy so please help when you can heres the results of hijackthis.exe Logfile of HijackThis v1.97.7 Scan saved at 2:47:27 PM, on 1/26/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe C:\WINDOWS\rgvzyahl.exe C:\WINDOWS\fkcwyumi.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Windows Media Player\wmplayer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\hijackthis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) F1 - win.ini: run=c:\windows\system32\p4mx4.exe O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {23508026-B233-481F-8CA0-C92E58BCCF52} - C:\WINDOWS\jwtdplma.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: searchsprint - {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} - C:\WINDOWS\rxshnczk.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe O4 - HKLM\..\Run: [dyellzii] C:\WINDOWS\fkcwyumi.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/284f377e3972da9...p/RdxIE601.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...810.4491666667 O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312 |
| ||
| Re: IE6 has been constantly hijacked by .... sorry i didnt explain properly that searchsprint.com appeared by magic thanks Nigel |
| ||
| Re: IE6 has been constantly hijacked by .... Oh lol and just in caes heres the results from cwshredder HTTP://www.merijn.org/files/cwshredder thanks again nigel |
| ||
| Re: IE6 has been constantly hijacked by .... <----twat heres the results CWShredder v1.46.6 scan only report Windows xp (5.01.2600 sp1) windows dir:c:\windows windows system dir:c:\windows\system32 appdata folder: c:\documents and settings\nigel\application data username: nigel found hosts file:c:\WINDOWS\system32\drivers\etc\hosts (734 bytes,A) shell registry value: HKLM\..\Winlogon(shell)explorer.exe userlnet registry value: HKLM\..\Winlogon (userlnet) c:\windows\system32userinit.exe, foundwin.ini file: c:\windows\win.ini(1451 bytes,A) found system.ini file: c:\windows\system.ini (375 bytes,A) -END OF REPORT- Thanks Nigel |
| ||
| Re: IE6 has been constantly hijacked by .... i know im probably becoming a pain in the ass but im trying to give you all revelant info to save time like. The actual p4mx4 error goes like this windows cannot find 'c:\windows\system32\p4mx4.exe'. make sure you typed the name correctly, and then try again. to search for a file, click the start button and then click search. i clicked ok on the error box to be presented with this unsightly error box could not load or run 'c:\windows\system32\p4mx4.exe' specified in the registry. make sure the file exists on your computer or remove the registry i looked forward to a reply Nigel |
| ||
| Re: IE6 has been constantly hijacked by .... Quote:
Also install and run Spybot and Ad-aware .someone who reads hijack log files will be around soon |
| ||
| Re: IE6 has been constantly hijacked by .... Quote:
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing. R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) F1 - win.ini: run=c:\windows\system32\p4mx4.exe O2 - BHO: (no name) - {23508026-B233-481F-8CA0-C92E58BCCF52} - C:\WINDOWS\jwtdplma.dll O3 - Toolbar: searchsprint - {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} - C:\WINDOWS\rxshnczk.dll O4 - HKLM\..\Run: [P4mx4] c:\windows\system32\p4mx4.exe O4 - HKLM\..\Run: [eqmdrprp] C:\WINDOWS\rgvzyahl.exe O4 - HKLM\..\Run: [dyellzii] C:\WINDOWS\fkcwyumi.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/284f377e3972da...ip/RdxIE601.cab Reboot to safe mode (tap F8 key at boot) and delete: c:\windows\system32\p4mx4.exe <-- file ...See here: http://www.f-secure.com/v-descs/syscenter.shtml C:\WINDOWS\rgvzyahl.exe <-- file C:\WINDOWS\fkcwyumi.exe <-- file NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show: How to Show Hidden/System Files http://www.xtra.co.nz/help/0,,4155-1916458,00.html Then: Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. Reboot. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK. Post a fresh HijackThis log now please. |
| ||
| Re: IE6 has been constantly hijacked by .... cheers caperboy ive done what you said felt quite urgent. ran cwshredder properly and it said i was clean. so heres the new hijackthis log cheers nigel Logfile of HijackThis v1.97.7 Scan saved at 8:29:54 PM, on 1/26/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe C:\Program Files\Qurb\QSP-2.0.190.0\QOELoader.exe C:\WINDOWS\System32\ctfmon.exe C:\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sidesearching.com/xml3.ph...river%2Bupdate R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.0.190.0\QOELoader.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...810.4491666667 O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312 this log |
| ||
| Re: IE6 has been constantly hijacked by .... im not getting the p4mx4 error anymore and also it was gone staight after and fix the hijackthis log when i searched for it in safe mode i nor windows search could find it nigel |
| ||
| Re: IE6 has been constantly hijacked by .... Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sidesearching.com/xml3.p...driver%2Bupdate Reboot. Also have a read here, So how did I get infected in the first place? http://www.computercops.biz/postt7736.html |
| All times are GMT -4. The time now is 8:46 pm. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC