Someone is hijacking my computer.

Question

satch 0 Newbie Poster

19 Years Ago

Someone is hijacking my computer. My daughter uses AOL Instant messenger and a website called livejournal.com. Someone, we have an idea who, is finding out her passwords and usernames for both and going into delete files and leave nasty comments in the journal and using her Instant messenger screenname. Whenever she creates a new account on either with a brand new password, they do the same thing the next day. The same person is also doing it to her boyfriend. I believe that they have done it to my email as well, since I couldn't get into mine about the same time.

I have Adaware, AShampoo and McAfee Virus and Firewall. I only recently installed these when I started getting some virus' and an multitude of spyware crap. I checked the cables for a hardware "spyware" and ran the virus scans and adware programs. I've also ran hijackthis.exe but I don't want to delete anything that I shouldn't. Here's the log file for hijackthis.exe;

Logfile of HijackThis v1.98.0
Scan saved at 10:25:48 PM, on 8/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\netie.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Fmctrl.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\MOUSES~1\bally4d.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\system32\ntwv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\MMaestro\BWheel35.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\GhostSurf\GhostSurf.exe
C:\Program Files\winzip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Documents and Settings\Rob\Robstuff\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yosrx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\yosrx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yosrx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yosrx.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8EE36A68-FD0C-A0E3-6ED8-6C6AA78C8DF5} - C:\WINNT\ntfc32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SSWPlauncher] C:\PROGRA~1\COMETS~1\Platform\Bin\comet.exe /app:SSWPlauncher
O4 - HKLM\..\Run: [ntwv.exe] C:\WINNT\system32\ntwv.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [WndMsg] C:\WINNT\kl4.cap
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\winzip\WZQKPICK.EXE
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Can someone please help me figure out if any of the above is spyware that they are using to hijack my computer?

Please help.

windows-virus

2 Contributors
4 Replies
197 Views
1 Day Discussion Span
Latest Post 19 Years Ago Latest Post by crunchie

All 4 Replies

crunchie 990 Most Valuable Poster

19 Years Ago

Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by opening the program, going to config\misc tools, then uninstall & exit. You then have to delete the file manually. Unzip the new version into the hijackthis folder.

The following could be the problem file. It is a keylogger which logs every key stroke.

O4 - HKLM\..\RunServices: [WndMsg] C:\WINNT\kl4.cap

Do the following as you also have other pressing stuff such as an hijackrd browser.

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yosrx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\yosrx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yosrx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yosrx.dll/index.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {8EE36A68-FD0C-A0E3-6ED8-6C6AA78C8DF5} - C:\WINNT\ntfc32.dll

O4 - HKLM\..\Run: [ntwv.exe] C:\WINNT\system32\ntwv.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [WndMsg] C:\WINNT\kl4.cap

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

Click here for instructions on how to boot into safe mode.

Boot up in safe mode & delete the following manually;

C:\Program Files\Common Files\CMEII-folder
C:\WINNT\kl4.cap-file

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode. Rescan with hijackthis & post another log.

Also go here for Gator removal instructions; http://www.pchell.com/support/gator.shtml

Do you have a firewall? If not, download & install the one from the link in my signature. It's free :).

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

satch 0 Newbie Poster · Answer 1 · 2004-08-19T09:56:09+00:00

Wow. You're my hero. You gave me so much useful information. I did everything that you suggested. As you requested, here's the log file I did last. Hopefully all goes well at this point. If not, I no where to go. Please let me know if there is anything else below that I should take care of. I am finally a happy boy again. Thanks so much.

Logfile of HijackThis v1.98.0
Scan saved at 9:00:06 PM, on 8/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Fmctrl.EXE
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\MOUSES~1\bally4d.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\MMaestro\BWheel35.exe
C:\WINNT\system32\ntwv.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\Program Files\GhostSurf\GhostSurf.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\winzip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Documents and Settings\Rob\Robstuff\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINNT\system32\IETie.dll (file missing)
O2 - BHO: (no name) - {DD856B29-AAF7-7455-8E7B-7FE00B4D9DA7} - C:\WINNT\system32\netvz32.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SSWPlauncher] C:\PROGRA~1\COMETS~1\Platform\Bin\comet.exe /app:SSWPlauncher
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [ntwv.exe] C:\WINNT\system32\ntwv.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\winzip\WZQKPICK.EXE
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

satch 0 Newbie Poster · Answer 2 · 2004-08-19T09:57:24+00:00

Sorry for the large text. I'm not sure what happened.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 3 · 2004-08-19T16:04:00+00:00

No more large text :cheesy:

Still using the old version of hijackthis.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R3 - Default URLSearchHook is missing

O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINNT\system32\IETie.dll (file missing)
O2 - BHO: (no name) - {DD856B29-AAF7-7455-8E7B-7FE00B4D9DA7} - C:\WINNT\system32\netvz32.dll (file missing)

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll (file missing)

O4 - HKLM\..\Run: [ntwv.exe] C:\WINNT\system32\ntwv.exe

Reboot into safe mode again & delete the following;

C:\WINNT\system32\ntwv.exe

Reboot normally & post the log from the updated HJT.

Someone is hijacking my computer.

Recommended Answers Collapse Answers

All 4 Replies

Recommended Answers