Spyware Cleaning Section Closed!!

Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.

#1

I am about ready to download HijackThis as I have already done Ad-aware and Spybot. EVERY time I go to Internet Explorer I have automatic bookmarks, and some quite appropriate ones. They appear no matter what I do to delete them. They are also on other users' names as well. Will HijackThis get rid of them and how do I get support for this? I was told that I shouldn't delete everything that is brought up by this program. Thanks so much for any help. These bookmark invasions are driving me crazy. I also do not have my saved home page but something else--every time I go to IE!

#2

Hi rosiep,

From your description I would advise you to download and run CWShredder then follow the directions posted here: http://www.wilderssecurity.com/showthread.php?t=15913 and someone will be happy to help you analyze your HijackThis log.

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.

#3

Here is the log I received. Any help please
THANKS!!!!

Logfile of HijackThis v1.97.7
Scan saved at 5:46:15 PM, on 1/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Navnt\navapw32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\crypserv.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\program files\GlobalDialer\domer00084\gd-dial.exe
C:\Program Files\Navnt\navapw32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Navnt\navwnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\WS_FTP\WS_FTP95.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\explorer.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omega-search.com/panel_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omega-search.com/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\Winnt\System32\SYSTEM~2.DLL
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [qwjldrgr] C:\WINNT\ncimhapg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aosa] C:\Documents and Settings\Administrator\Application Data\olss.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Navnt\navapw32.exe
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.5371875
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4317/mcfscan.cab

#4

Hi rosiep,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omega-search.com/panel_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omega-search.com/panel_search.html
R3 - Default URLSearchHook is missing
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\Winnt\System32\SYSTEM~2.DLL <= KEYLOGGER
O4 - HKLM\..\Run: [qwjldrgr] C:\WINNT\ncimhapg.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
O4 - HKCU\..\Run: [Aosa] C:\Documents and Settings\Administrator\Application Data\olss.exe
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

Then reboot into safe mode and delete:

C:\WINNT\ncimhapg.exe
C:\WINNT\av.exe
C:\Documents and Settings\Administrator\Application Data\olss.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe <= only the one in that directory, do NOT delete any other files with that name.

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
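
The warning in post #4 to delete only the winlogon.exe in the Startup directory can be turned into a log check: find running processes that share a file name with one running from the system directories but sit somewhere else. This is an added example, not part of the original thread; the function names are hypothetical, and the `C:\WINNT` system root is an assumption taken from the paths in the posted log.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINNT\explorer.exe
R3 - Default URLSearchHook is missing
O4 - Global Startup: winlogon.exe
"""

def running_processes(log_text):
    """Return the paths between 'Running processes:' and the first R/F/N/O entry."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and re.match(r"[RFNO]\d+ - ", line):
            break
        elif in_section and line:
            paths.append(line)
    return paths

def misplaced_system_names(paths, system_root=r"C:\WINNT"):
    """Flag processes that share a file name with one running from the system
    directories but are themselves running from another directory."""
    root = ntpath.normcase(system_root)  # assumption: %SystemRoot% as seen in the log
    system_dirs = {root, ntpath.join(root, "system32")}
    parsed = [(p, *ntpath.split(ntpath.normcase(p))) for p in paths]  # (path, dir, name)
    dirs_by_name = defaultdict(set)
    for _, directory, name in parsed:
        dirs_by_name[name].add(directory)
    flagged = []
    for p, directory, name in parsed:
        if directory not in system_dirs and dirs_by_name[name] & system_dirs and p not in flagged:
            flagged.append(p)
    return flagged

if __name__ == "__main__":
    for path in misplaced_system_names(running_processes(SAMPLE_LOG)):
        print("same name as a system-directory process, different directory:", path)
```

The check only notices a lookalike when a process of the same name is also running from the system directories, and it says nothing about files that sit inside those directories.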