automatic bookmarks

Discussion in 'adware, spyware & hijack cleaning' started by rosiep, Jan 28, 2004.

Thread Status:
Not open for further replies.
  1. rosiep
    rosiep Guest

    I am about ready to download HijackThis as I have already done Ad-aware and Spybot. EVERY time I go to Internet Explorer I have automatic bookmarks, and some quite appropriate ones. They appear no matter what I do to delete them. They are also on other users' names as well. Will HijackThis get rid of them and how do I get support for this? I was told that I shouldn't delete everything that is brought up by this program. Thanks so much for any help. These bookmark invasions are driving me crazy. I also do not have my saved home page but something else--every time I go to IE!
  2. Pieter_Arntz
    Pieter_Arntz Spyware Veteran

    Hi rosiep,

    From your description I would advise you to download and run CWShredder
    then follow the directions posted here: http://www.wilderssecurity.com/showthread.php?t=15913
    and someone will be happy to help you analyze your HijackThis log.

    Regards,

    Pieter
  3. rosiep
    rosiep Registered Member

    Here is the log I received. Any help please o_O THANKS!!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 5:46:15 PM, on 1/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\system32\crypserv.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\program files\GlobalDialer\domer00084\gd-dial.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Navnt\navwnt.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\WS_FTP\WS_FTP95.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\explorer.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omega-search.com/panel_search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\Winnt\System32\SYSTEM~2.DLL
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [qwjldrgr] C:\WINNT\ncimhapg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Aosa] C:\Documents and Settings\Administrator\Application Data\olss.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Navnt\navapw32.exe
    O4 - Global Startup: winlogon.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.5371875
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4317/mcfscan.cab
  4. Pieter_Arntz
    Pieter_Arntz Spyware Veteran

    Hi rosiep,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omega-search.com/panel_search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omega-search.com/panel_search.html

    R3 - Default URLSearchHook is missing
    O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\Winnt\System32\SYSTEM~2.DLL <= KEYLOGGER

    O4 - HKLM\..\Run: [qwjldrgr] C:\WINNT\ncimhapg.exe

    O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe

    O4 - HKCU\..\Run: [Aosa] C:\Documents and Settings\Administrator\Application Data\olss.exe

    O4 - Global Startup: winlogon.exe

    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

    Then reboot into safe mode and delete:
    C:\WINNT\ncimhapg.exe
    C:\WINNT\av.exe
    C:\Documents and Settings\Administrator\Application Data\olss.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe <= only the one in that directory, do NOT delete any other files with that name.

    Regards,

    Pieter
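
The entries singled out in the reply above share two patterns a first-pass triage can check mechanically: a core Windows process name running from outside system32, and a Run-key executable sitting directly in the Windows folder or in Application Data. The sketch below is an added example, not part of the thread and not the method the responder used; the name list, the two heuristics and the function names are assumptions, and the sample lines are copied from the log posted above.

```python
import ntpath
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\WINNT\system32\winlogon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
O4 - HKLM\..\Run: [qwjldrgr] C:\WINNT\ncimhapg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Antivirus] C:\WINNT\av.exe
O4 - HKCU\..\Run: [Aosa] C:\Documents and Settings\Administrator\Application Data\olss.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Navnt\navapw32.exe
O4 - Global Startup: winlogon.exe
"""
# Assumption of this example: core Windows processes expected only in system32.
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "lsass.exe", "smss.exe", "svchost.exe"}
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[.+?\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+)$")

def exe_path(command):
    """Return the executable part of an autorun command line."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else command

def triage(log):
    """Return (path, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in map(str.strip, log.splitlines()):
        run, startup = RUN_RE.match(line), STARTUP_RE.match(line)
        if run:
            path, kind = exe_path(run.group(1)), "autorun"
        elif startup:
            path, kind = startup.group(1).split(" = ")[0], "startup folder"
        elif re.match(r"[A-Za-z]:\\", line):
            path, kind = line, "running process"
        else:
            continue
        folder, name = ntpath.split(path.lower())
        if name in SYSTEM_NAMES and not folder.endswith(r"\system32"):
            findings.append((path, kind + ": system process name outside system32"))
        elif run and (re.fullmatch(r"[a-z]:\\win(nt|dows)", folder)
                      or folder.endswith(r"\application data")):
            findings.append((path, kind + ": runs from Windows root or Application Data"))
    return findings

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:60} {path}")
```

A hit is a prompt to inspect the file, not a verdict: legitimate software also installs into these locations, and entries without a full path (such as `SOUNDMAN.EXE`) pass through unflagged.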