|
| ||
| Re: IE6 has been constantly hijacked by .... Hello. I am new to this site but have learned a lot so far by just reading some of your threads. It all started with being hijacked by coolwebsearch(i think). I have since run cws shredder and have restored the ability to use IE, but I suspect I have more "issues" to deal with on my 4 year old Dell. I therefore downloaded and ran hijack this and the log is posted for any interested expert to troubleshoot, if you could. Thank You in advance. Logfile of HijackThis v1.97.7 Scan saved at 2:40:56 PM, on 4/3/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\MOUSE\SYSTEM\EM_EXEC.EXE C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE C:\WINDOWS\SYSTEM\PRINTRAY.EXE C:\QUICKENW\QAGENT.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\SYSTEM\CTFMON.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\PALM\HOTSYNC.EXE C:\MSOFFICE\OFFICE\FINDFAST.EXE C:\WINDOWS\SYSTEM\MRTMNGR.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundmaine.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\WINDOWS\ALL USERS\APPLICATION DATA\X0FF\X0FF.DLL O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_22.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe" O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE" O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXDL.EXE -silent O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe O4 - Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Dell Home (HKCU) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {FA36FBC4-A99E-11D2-95D8-00C04F72DFAB} (Slider Class) - http://homeadvisor.msn.com/ie/bin/finders.cab O16 - DPF: {60B25924-C865-11D2-B0C1-000000000000} (Hotbar Control) - http://hotbar.com/hotbar.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://200.4.115.109/activex/AxisCamControl.ocx O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://johndeere.view22.com/app/View22RTE.cab O16 - DPF: Jacada client full archive 7-1-0 - https://www2.pheaa.org/classes/cst/c...gned-pheaa.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...870.1874189815 O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/in....30/Hiwire.cab O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST2222.cab O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D Player) - http://download.cnn.com/cult3d/cult.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binarie...ML_US_pack.cab O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqvalet.com/plugin/axvers...printQuick.cab O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...ia/zoomviewer/ O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB |
| ||
| Re: IE6 has been constantly hijacked by .... Quote:
The first is a dialer. Remove this one manually with HjT, but make no other changes for now: O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx Next, download Ad-aware, making sure that the data-file is up-to-date, but don't run it yet. Also download LSPFix, so you will have it if you need it (more on this later). Another problem is New.net. While they claim that their software is not a hijacker (and have threatened legal action against some sites, read the PDFs), I just say, "If it waddles like a duck, and quacks like a duck..." The first step is to go to the Add/Remove Programs menu, and try to remove it from there. If that fails, or you can't find it, a manual removal might be necessary (this key): O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup Hotbar is another. Ad-Aware should take care of that one. You may have a problem connecting once everything is removed. if so, one of your bits of malware replaced part of your Winsock chain with its own stuff. When you removed it, it may have "broken the chain". Here is the link to LSPFix, which should help. musemaker then responded with: It worked! And here's the process order: * Run LSPfix. * Delete all Dial-up adapters and network protcols. * Delete all Winsock and Winsock2 registry keys. * Under Add/Remove programs uncheck all of the listings under Communications. * Reboot and then add back ALL the Communications items (although netmeeting and chat weren't necessary). It didn't work for me the first time as I have no need for a dial-up adapter, but it is the only way to get Windows to add back winsock2. * Reinstall network protocol settings. These aren't really nasty, just totally worthless resource hogs: O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe Not needed anymore. Never useful to begin with. O4 - HKLM\..\Run: [LoadQM] loadqm.exe Microsoft "trickleware" background downloader. O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE" Absolutely not needed in normal operation. O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp3\winampa.exe No need for this. Can also be disabled from within WinAmp. By the way, make sure that you have the newest version 5.03 O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE Useless. Once you are all cleaned up, download and install SpywareBlaster, a utility that blocks malware installation via ActiveX--the main vector that makes Internet Explorer so much more vunerable than Mozilla. That should do it. Re-post when done. |
| ||
| Re: IE6 has been constantly hijacked by .... Thanks Michael. I've followed your suggestions as best i could...heres the latest logfile for hijack this. Logfile of HijackThis v1.97.7 Scan saved at 6:19:30 PM, on 4/3/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\PSTORES.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\MOUSE\SYSTEM\EM_EXEC.EXE C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE C:\WINDOWS\SYSTEM\PRINTRAY.EXE C:\QUICKENW\QAGENT.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\SYSTEM\CTFMON.EXE C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\PALM\HOTSYNC.EXE C:\WINDOWS\SYSTEM\MRTMNGR.EXE C:\MSOFFICE\OFFICE\FINDFAST.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundmaine.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\WINDOWS\ALL USERS\APPLICATION DATA\X0FF\X0FF.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXDL.EXE -silent O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe O4 - Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: Dell Home (HKCU) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {FA36FBC4-A99E-11D2-95D8-00C04F72DFAB} (Slider Class) - http://homeadvisor.msn.com/ie/bin/finders.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://200.4.115.109/activex/AxisCamControl.ocx O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://johndeere.view22.com/app/View22RTE.cab O16 - DPF: Jacada client full archive 7-1-0 - https://www2.pheaa.org/classes/cst/c...gned-pheaa.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...870.1874189815 O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D Player) - http://download.cnn.com/cult3d/cult.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqvalet.com/plugin/axvers...printQuick.cab O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...ia/zoomviewer/ O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB |
| All times are GMT -4. The time now is 10:05 pm. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC