Internet Explorer hijacked

Question

ufsguy 0 Newbie Poster

19 Years Ago

Folks, i'm about to through my computer out of the window (not microsoft windo)

My Internet Explorer has been hijacked and the spyware (or whatever it is) is changing my home page and add a bunch of websites to my favorate.

Needless to say that i've tried a bunch of things, from a manual change to using Adaware, Spy Bot, Hijackthis and killbox to no avail.

From time to time i get a small pop up window that says "Already running!!!) and when i reboot my system i get first a message that says the system can't find the file, the name of the file is of 3 charachters, p, then a box and then an "a" that looks like "at" of the email addresses or something close to that.

When i hit ok twice it comes up saying that it can't find this file "haxhowmkjxkj.ex".

Spy Bot and Ad aware always find a bunch of stuff and it cleans it but the problem is not corrected.

Hijackthis removed the imposed home page and Spy Bot prevented it from comming back for a few minutes but i'm back to square one and in all cases non of them were able to remove the web sites imposed on my favorates.

Can anyone here help???!!!

windows-virus

4 Contributors
16 Replies
188 Views
4 Days Discussion Span
Latest Post 19 Years Ago Latest Post by Yzk

All 16 Replies

crunchie 990 Most Valuable Poster

19 Years Ago

Try the removal in safe mode & if no luck, post you're HJT log back here.

Yzk 70 Posting Whiz

19 Years Ago

Now That Is A Log! ;)
I'm leaving this one to Crunchie though

crunchie 990 Most Valuable Poster

19 Years Ago

Thanx Yzk :)

Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.

caperjack 875 I hate 20 Questions

19 Years Ago

A Format is the quickest way sometimes ,and will leave you fresh and clean !!

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

ufsguy 0 Newbie Poster · Answer 1 · 2004-06-18T08:34:16+00:00

Ok here is what i did:

1: I updated both Adaware and Spy Bot

2: i removed the internet connection and rebooted my pc in the safe mode
3: I scanned it with Adaware with all the necessary setting that other folks mentioned in this forum
4: I rebooted again into the safe mode and scanned it woth spy bot.
5: I rebooted again into the safe mode
6: problem persisted but when i used Hijack this my home page was ok and so as the favorates.
7: I rebooted into the safe mode twice and things were ok.
8: I rebooted into the normal mode and the problem came back even without connecting to the internet

here is the log of Hijack this

Logfile of HijackThis v1.97.7
Scan saved at 8:22:46 PM, on 17/06/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\grviewex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\deinst_qfe002.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\fset.exe
C:\Documents and Settings\Ashraf\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
F0 - system.ini: Shell=explorer.exe fset.exe
F1 - win.ini: run=fset.exe
F2 - REG:system.ini: Shell=explorer.exe fset.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Ashraf\Application Data\Mozilla\Profiles\default\5551iur6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ashraf\Application Data\Mozilla\Profiles\default\5551iur6.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - ¦ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinLoader] fset.exe
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Grviewex] c:\windows\system32\grviewex.exe
O4 - HKLM\..\Run: [EHVYMUYU] c:\windows\system32\ehvymuyu.exe /install
O4 - HKLM\..\Run: [BTYURGNJ] c:\windows\system32\btyurgnj.exe /install
O4 - HKLM\..\Run: [NJAZZGSG] c:\windows\system32\njazzgsg.exe /install
O4 - HKLM\..\Run: [FEJONDWY] c:\windows\system32\fejondwy.exe /install
O4 - HKLM\..\Run: [RXOONTPF] c:\windows\system32\rxoontpf.exe /install
O4 - HKLM\..\Run: [TTDSPXGU] c:\windows\system32\ttdspxgu.exe /install
O4 - HKLM\..\Run: [TGJGESBR] c:\windows\system32\tgjgesbr.exe /install
O4 - HKLM\..\Run: [PGEFPVOK] c:\windows\system32\pgefpvok.exe /install
O4 - HKLM\..\Run: [JZNGYSJF] c:\windows\system32\jzngysjf.exe /install
O4 - HKLM\..\Run: [GERCZRRO] c:\windows\system32\gerczrro.exe /install
O4 - HKLM\..\Run: [PCRUHJIG] c:\windows\system32\pcruhjig.exe /install
O4 - HKLM\..\Run: [OBJGRGLS] c:\windows\system32\objgrgls.exe /install
O4 - HKLM\..\Run: [JDSHMOFL] c:\windows\system32\jdshmofl.exe /install
O4 - HKLM\..\Run: [QFAEVJZA] c:\windows\system32\qfaevjza.exe /install
O4 - HKLM\..\Run: [NEACDTZP] c:\windows\system32\neacdtzp.exe /install
O4 - HKLM\..\Run: [TVXMTRPI] c:\windows\system32\tvxmtrpi.exe /install
O4 - HKLM\..\Run: [WDUYLXWA] c:\windows\system32\wduylxwa.exe /install
O4 - HKLM\..\Run: [XSNZYNUS] c:\windows\system32\xsnzynus.exe /install
O4 - HKLM\..\Run: [PLXYXGUO] c:\windows\system32\plxyxguo.exe /install
O4 - HKLM\..\Run: [CTQMITJW] c:\windows\system32\ctqmitjw.exe /install
O4 - HKLM\..\Run: [SARJFQWD] c:\windows\system32\sarjfqwd.exe /install
O4 - HKLM\..\Run: [FODJZLXA] c:\windows\system32\fodjzlxa.exe /install
O4 - HKLM\..\Run: [EZSSHMES] c:\windows\system32\ezsshmes.exe /install
O4 - HKLM\..\Run: [SJZQTYJT] c:\windows\system32\sjzqtyjt.exe /install
O4 - HKLM\..\Run: [WLCRHHCN] c:\windows\system32\wlcrhhcn.exe /install
O4 - HKLM\..\Run: [UQNPBBRB] c:\windows\system32\uqnpbbrb.exe /install
O4 - HKLM\..\Run: [HUEWJRNB] c:\windows\system32\huewjrnb.exe /install
O4 - HKLM\..\Run: [HXIFAOIL] c:\windows\system32\hxifaoil.exe /install
O4 - HKLM\..\Run: [HRUXFUQK] c:\windows\system32\hruxfuqk.exe /install
O4 - HKLM\..\Run: [GSNPIZTH] c:\windows\system32\gsnpizth.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [XrxMastRun] D:\pwsgi\instNT\MastNT.EXE /Continue
O4 - HKLM\..\Run: [XACYAPDT] c:\windows\system32\xacyapdt.exe /install
O4 - HKLM\..\RunServices: [WinLoader] fset.exe
O4 - HKLM\..\RunServices: [] fset.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Ashraf\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PlaceWare Console: PWS-CC2K-4-1-1-0-3-l9l8n6 - http://www48.placeware.com/etc/pwc/sigg/lib/cc-full.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - https://www.xreg.net/ActiveX/AXClientUtil.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1813d2d803eb65205922/netzip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v44/bjattack/bjattack.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v40/wordcube/wordcube.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.3439699074
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/sonypictures/meninblackII/install.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://www.gxplugin.com/loader/dll/gxbplug.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DD1FA138-39F5-4DF5-BD04-6D814AD0C7D9} (IPhone Class) - http://www.rhinobell.com/PC2Phone.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_5.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

I'd really appreciate it if someone has something new to advise me with

ufsguy 0 Newbie Poster · Answer 2 · 2004-06-19T04:18:02+00:00

Now i've done all i could see here of advises including using CWShredder and all of them seem to be able to find and remove the cool web search but it keeps comming back even without the internet connection.

I have all the updates of windows XP now (downloaded them after i got infected)

One more thing, all those programs (Spy Bot, Adaware, Hijack this, CWShredder,...etc) seem to be able to remove it "perminently" when i'm in the safe mode even if i connect to the web or rebooted 10 times it is only when i log to the normal mode of XP that it comes back even without being connected to the web.

I'm about to give up and format my machine (somehow i lost my system restor points and now it would let me restore only back 3 days ago when i was in the middle of this problem.

Is this a hopeless case???!!!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 3 · 2004-06-19T13:02:11+00:00

crunchie 990 Most Valuable Poster

19 Years Ago

A new log would be good too :)

ufsguy 0 Newbie Poster · Answer 4 · 2004-06-19T18:12:17+00:00

Here is the latest log and as i said all the programs that has been mentioned in this forum (even other messages) where able to find "Cool Web Search" and remove it but it keeps comming backunless i'm in the safe mode regardless to being connected to the internet

The second point is that before i used Spy Bot and Adaware the spyware was adding a ton of sites to my favorates and now it is down to only foru plus the home page.

I'm using a router with a firewall (linksys) and i also get the "win.min" error while shutting down if that helps you in finding out what is wrong with my system.

Logfile of HijackThis v1.97.7
Scan saved at 6:07:33 AM, on 19/06/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\grviewex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\walacgmggdjg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\deinst_qfe002.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\system_48073.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\Vet32.exe
C:\Documents and Settings\Ashraf\My Documents\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\ssflwbox.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
F0 - system.ini: Shell=Explorer.exe walacgmggdjg.exe
F1 - win.ini: run=fset.exe, jwhw.exe, xefxp.exe, guqlbp.exe, uikcgdkcx.exe, suwotlwxnldpw.exe, diynyapbnvxi.exe, ioajrthafjhoy.exe, poosjlnihqtnv.exe, lkwi.exe, bpmaaeolmuudc.exe, seexlt.exe, fcvuksngm.exe, mgowoexx.exe, ilvb.exe, walacgmggdjg.exe
F2 - REG:system.ini: Shell=Explorer.exe walacgmggdjg.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Ashraf\Application Data\Mozilla\Profiles\default\5551iur6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ashraf\Application Data\Mozilla\Profiles\default\5551iur6.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinLoader] walacgmggdjg.exe
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Grviewex] c:\windows\system32\grviewex.exe
O4 - HKLM\..\Run: [EHVYMUYU] c:\windows\system32\ehvymuyu.exe /install
O4 - HKLM\..\Run: [BTYURGNJ] c:\windows\system32\btyurgnj.exe /install
O4 - HKLM\..\Run: [NJAZZGSG] c:\windows\system32\njazzgsg.exe /install
O4 - HKLM\..\Run: [FEJONDWY] c:\windows\system32\fejondwy.exe /install
O4 - HKLM\..\Run: [RXOONTPF] c:\windows\system32\rxoontpf.exe /install
O4 - HKLM\..\Run: [TTDSPXGU] c:\windows\system32\ttdspxgu.exe /install
O4 - HKLM\..\Run: [TGJGESBR] c:\windows\system32\tgjgesbr.exe /install
O4 - HKLM\..\Run: [PGEFPVOK] c:\windows\system32\pgefpvok.exe /install
O4 - HKLM\..\Run: [JZNGYSJF] c:\windows\system32\jzngysjf.exe /install
O4 - HKLM\..\Run: [GERCZRRO] c:\windows\system32\gerczrro.exe /install
O4 - HKLM\..\Run: [PCRUHJIG] c:\windows\system32\pcruhjig.exe /install
O4 - HKLM\..\Run: [OBJGRGLS] c:\windows\system32\objgrgls.exe /install
O4 - HKLM\..\Run: [JDSHMOFL] c:\windows\system32\jdshmofl.exe /install
O4 - HKLM\..\Run: [QFAEVJZA] c:\windows\system32\qfaevjza.exe /install
O4 - HKLM\..\Run: [NEACDTZP] c:\windows\system32\neacdtzp.exe /install
O4 - HKLM\..\Run: [TVXMTRPI] c:\windows\system32\tvxmtrpi.exe /install
O4 - HKLM\..\Run: [WDUYLXWA] c:\windows\system32\wduylxwa.exe /install
O4 - HKLM\..\Run: [XSNZYNUS] c:\windows\system32\xsnzynus.exe /install
O4 - HKLM\..\Run: [PLXYXGUO] c:\windows\system32\plxyxguo.exe /install
O4 - HKLM\..\Run: [CTQMITJW] c:\windows\system32\ctqmitjw.exe /install
O4 - HKLM\..\Run: [SARJFQWD] c:\windows\system32\sarjfqwd.exe /install
O4 - HKLM\..\Run: [FODJZLXA] c:\windows\system32\fodjzlxa.exe /install
O4 - HKLM\..\Run: [EZSSHMES] c:\windows\system32\ezsshmes.exe /install
O4 - HKLM\..\Run: [SJZQTYJT] c:\windows\system32\sjzqtyjt.exe /install
O4 - HKLM\..\Run: [WLCRHHCN] c:\windows\system32\wlcrhhcn.exe /install
O4 - HKLM\..\Run: [UQNPBBRB] c:\windows\system32\uqnpbbrb.exe /install
O4 - HKLM\..\Run: [HUEWJRNB] c:\windows\system32\huewjrnb.exe /install
O4 - HKLM\..\Run: [HXIFAOIL] c:\windows\system32\hxifaoil.exe /install
O4 - HKLM\..\Run: [HRUXFUQK] c:\windows\system32\hruxfuqk.exe /install
O4 - HKLM\..\Run: [GSNPIZTH] c:\windows\system32\gsnpizth.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XrxMastRun] D:\pwsgi\instNT\MastNT.EXE /Continue
O4 - HKLM\..\Run: [XACYAPDT] c:\windows\system32\xacyapdt.exe /install
O4 - HKLM\..\RunServices: [WinLoader] walacgmggdjg.exe
O4 - HKLM\..\RunServices: [] walacgmggdjg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Ashraf\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PlaceWare Console: PWS-CC2K-4-1-1-0-3-l9l8n6 - http://www48.placeware.com/etc/pwc/sigg/lib/cc-full.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1813d2d803eb65205922/netzip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v44/bjattack/bjattack.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.3439699074
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/sonypictures/meninblackII/install.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://www.gxplugin.com/loader/dll/gxbplug.dll
O16 - DPF: {DD1FA138-39F5-4DF5-BD04-6D814AD0C7D9} (IPhone Class) - http://www.rhinobell.com/PC2Phone.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_5.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Thanks for all the effort

ufsguy 0 Newbie Poster · Answer 5 · 2004-06-19T18:43:44+00:00

By the way, what do u advise me to fix on this log,...all of them? i choose only the first 4 or 5 to fix because they're the ones with the "your-search.com"

It could be as simple as just chosing the right line to fix!!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 6 · 2004-06-19T19:24:37+00:00

You realise that ALL windows have to be closed when *fixing* with CWShredder?? Folder windows also. Anyways, try this:

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

F0 - system.ini: Shell=Explorer.exe walacgmggdjg.exe

F1 - win.ini: run=fset.exe, jwhw.exe, xefxp.exe, guqlbp.exe, uikcgdkcx.exe, suwotlwxnldpw.exe, diynyapbnvxi.exe, ioajrthafjhoy.exe, poosjlnihqtnv.exe, lkwi.exe, bpmaaeolmuudc.exe, seexlt.exe, fcvuksngm.exe, mgowoexx.exe, ilvb.exe, walacgmggdjg.exe

F2 - REG:system.ini: Shell=Explorer.exe walacgmggdjg.exe

O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)

O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)

O4 - HKLM\..\Run: [WinLoader] walacgmggdjg.exe
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
O4 - HKLM\..\Run: [Grviewex] c:\windows\system32\grviewex.exe
O4 - HKLM\..\Run: [EHVYMUYU] c:\windows\system32\ehvymuyu.exe /install
O4 - HKLM\..\Run: [BTYURGNJ] c:\windows\system32\btyurgnj.exe /install
O4 - HKLM\..\Run: [NJAZZGSG] c:\windows\system32\njazzgsg.exe /install
O4 - HKLM\..\Run: [FEJONDWY] c:\windows\system32\fejondwy.exe /install
O4 - HKLM\..\Run: [RXOONTPF] c:\windows\system32\rxoontpf.exe /install
O4 - HKLM\..\Run: [TTDSPXGU] c:\windows\system32\ttdspxgu.exe /install
O4 - HKLM\..\Run: [TGJGESBR] c:\windows\system32\tgjgesbr.exe /install
O4 - HKLM\..\Run: [PGEFPVOK] c:\windows\system32\pgefpvok.exe /install
O4 - HKLM\..\Run: [JZNGYSJF] c:\windows\system32\jzngysjf.exe /install
O4 - HKLM\..\Run: [GERCZRRO] c:\windows\system32\gerczrro.exe /install
O4 - HKLM\..\Run: [PCRUHJIG] c:\windows\system32\pcruhjig.exe /install
O4 - HKLM\..\Run: [OBJGRGLS] c:\windows\system32\objgrgls.exe /install
O4 - HKLM\..\Run: [JDSHMOFL] c:\windows\system32\jdshmofl.exe /install
O4 - HKLM\..\Run: [QFAEVJZA] c:\windows\system32\qfaevjza.exe /install
O4 - HKLM\..\Run: [NEACDTZP] c:\windows\system32\neacdtzp.exe /install
O4 - HKLM\..\Run: [TVXMTRPI] c:\windows\system32\tvxmtrpi.exe /install
O4 - HKLM\..\Run: [WDUYLXWA] c:\windows\system32\wduylxwa.exe /install
O4 - HKLM\..\Run: [XSNZYNUS] c:\windows\system32\xsnzynus.exe /install
O4 - HKLM\..\Run: [PLXYXGUO] c:\windows\system32\plxyxguo.exe /install
O4 - HKLM\..\Run: [CTQMITJW] c:\windows\system32\ctqmitjw.exe /install
O4 - HKLM\..\Run: [SARJFQWD] c:\windows\system32\sarjfqwd.exe /install
O4 - HKLM\..\Run: [FODJZLXA] c:\windows\system32\fodjzlxa.exe /install
O4 - HKLM\..\Run: [EZSSHMES] c:\windows\system32\ezsshmes.exe /install
O4 - HKLM\..\Run: [SJZQTYJT] c:\windows\system32\sjzqtyjt.exe /install
O4 - HKLM\..\Run: [WLCRHHCN] c:\windows\system32\wlcrhhcn.exe /install
O4 - HKLM\..\Run: [UQNPBBRB] c:\windows\system32\uqnpbbrb.exe /install
O4 - HKLM\..\Run: [HUEWJRNB] c:\windows\system32\huewjrnb.exe /install
O4 - HKLM\..\Run: [HXIFAOIL] c:\windows\system32\hxifaoil.exe /install
O4 - HKLM\..\Run: [HRUXFUQK] c:\windows\system32\hruxfuqk.exe /install
O4 - HKLM\..\Run: [GSNPIZTH] c:\windows\system32\gsnpizth.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XrxMastRun] D:\pwsgi\instNT\MastNT.EXE /Continue
O4 - HKLM\..\Run: [XACYAPDT] c:\windows\system32\xacyapdt.exe /install
O4 - HKLM\..\RunServices: [WinLoader] walacgmggdjg.exe
O4 - HKLM\..\RunServices: [] walacgmggdjg.exe
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe
O4 - Global Startup: winlgn.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1813d2d...ip/RdxIE601.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://www.gxplugin.com/loader/dll/gxbplug.dll

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

c:\windows\system32\mscnt.exe< file
c:\windows\system32\grviewex.exe< file
c:\windows\system32\ehvymuyu.exe< file
c:\windows\system32\btyurgnj.exe< file
c:\windows\system32\njazzgsg.exe< file
c:\windows\system32\fejondwy.exe< file
c:\windows\system32\rxoontpf.exe< file
c:\windows\system32\ttdspxgu.exe< file
c:\windows\system32\tgjgesbr.exe< file
c:\windows\system32\pgefpvok.exe< file
c:\windows\system32\jzngysjf.exe< file
c:\windows\system32\gerczrro.exe< file
c:\windows\system32\pcruhjig.exe< file
c:\windows\system32\objgrgls.exe< file
c:\windows\system32\jdshmofl.exe< file
c:\windows\system32\qfaevjza.exe< file
c:\windows\system32\neacdtzp.exe< file
c:\windows\system32\tvxmtrpi.exe< file
c:\windows\system32\wduylxwa.exe< file
c:\windows\system32\xsnzynus.exe< file
c:\windows\system32\plxyxguo.exe< file
c:\windows\system32\ctqmitjw.exe< file
c:\windows\system32\sarjfqwd.exe< file
c:\windows\system32\fodjzlxa.exe< file
c:\windows\system32\ezsshmes.exe< file
c:\windows\system32\sjzqtyjt.exe< file
c:\windows\system32\wlcrhhcn.exe< file
c:\windows\system32\uqnpbbrb.exe< file
c:\windows\system32\huewjrnb.exe< file
c:\windows\system32\hxifaoil.exe< file
c:\windows\system32\hruxfuqk.exe< file
c:\windows\system32\gsnpizth.exe< file
D:\pwsgi\instNT\MastNT.EXE< file
c:\windows\system32\xacyapdt.exe< file
C:\windows\system32\grviewex.exe< file
C:\WINDOWS\walacgmggdjg.exe< file
C:\WINDOWS\system32\deinst_qfe002.exe< file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe< file
C:\WINDOWS\system32\system_48073.dat< file
C:\WINDOWS\System32\ssflwbox.scr< file

Reboot normally after doing the above then post a fresh log plz.

caperjack 875 I hate 20 Questions Team Colleague · Answer 7 · 2004-06-19T23:51:11+00:00

I sure spybotand Ad-aware would remove most if not all of those files wouldn't it

ufsguy 0 Newbie Poster · Answer 8 · 2004-06-20T08:49:44+00:00

Hurray,...we've done it

Here is how it happened, instead of deleting just the you-search.com i deleted (fixed) all the line that i did not know to belong to specific applications that i need.

Now that moved me just one step ahead bu didn't fix it yet!!

After i did that the adding of favorate websites and the change of the home page stopped for as long as i kept my home page to "about:blank" it it kept comming back if i changed my home page to anything else.

After that i went to Internt Explorer updates and down loaded them, rebooted and changed my home page to what i wanted it to be and everything is ok.

apart from that i was doing every thing as you were saying here including closing windows, safe mode and all that stuff.

Here is my current log and let me know if you think anything in it is abnormal

Logfile of HijackThis v1.97.7
Scan saved at 8:55:47 PM, on 19/06/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ashraf\My Documents\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Ashraf\Application Data\Mozilla\Profiles\default\5551iur6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Ashraf\Application Data\Mozilla\Profiles\default\5551iur6.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn2\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn2\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {DD1FA138-39F5-4DF5-BD04-6D814AD0C7D9} (IPhone Class) - http://www.rhinobell.com/PC2Phone.cab

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 9 · 2004-06-20T08:52:35+00:00

crunchie 990 Most Valuable Poster

19 Years Ago

Looks like you did an excellent job :)

ufsguy 0 Newbie Poster · Answer 10 · 2004-06-20T09:11:26+00:00

Are those donations go to support your website?...i'm going to put a small donation right now.

Thanks folks for all your help

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 11 · 2004-06-20T09:26:19+00:00

Are those donations go to support your website?...i'm going to put a small donation right now.
Thanks folks for all your help

Yes, it's for the support of the website. Thank you very much, it is appreciated :)

Yzk 70 Posting Whiz · Answer 12 · 2004-06-21T16:23:43+00:00

wow, like that totally shortened out the Log! Nice going!

Internet Explorer hijacked

Recommended Answers Collapse Answers

All 16 Replies

Recommended Answers