Browser hijacked - Please help

Pieter_Arntz · Jul 1, 2004

Hi Fiddler,

I hadn't forgotten about you. Just been extremely busy.
Sorry about that.

Could you please make a new log using this version of HijackThis : https://www.wilderssecurity.com/supportfiles/HijackThis1980.exe

It still has a few bugs, but it may learn us something more.

Regards,

Pieter

Fiddler · Jul 1, 2004

Pieter - Great to hear from you again - I know you're busy, can't imagine when you sleep. Ran the new hijcakthis, some error messages, but it completed - here 'tis

Logfile of HijackThis v1.98.0
Scan saved at 7:19:24 AM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Customizer XP\RAM_2K.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MG\Desktop\HijackThis1980.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/2484/sp.php
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O1 - Hosts: 192.1.1.2 mris_sv1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [tcactive] tca.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 2200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S2DD.tmp"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab

All the best
Fiddler

Pieter_Arntz · Jul 1, 2004

Too bad. Nothing interesting. It was worth a shot.

Did you already try the latest version of CWShredder? 1.59.1

Fix the R0's with HijackThis.

Regards,

Pieter

Fiddler · Jul 1, 2004

Pieter - ran the latest Shredder, always this message at end -

Done!
Removed from your system:
- CWS.Jksearch

Fixed R0's in new hijackthis, always comes right back.

Best,
Fiddler

Pieter_Arntz · Jul 1, 2004

Hi Fiddler,

I am going to list a few filenames CWS uses a lot.
Can you do a Find Files for them?
If anything gets found let me know where it was found.

jsconsole.dll
notepad.COM
HPCMDTY.DLL
system32.dll
c_10230.dll

Regards,

Pieter

Fiddler · Jul 1, 2004

Pieter - Nada found

Best
Fiddler

Fiddler · Jul 7, 2004

Pieter - This time I really do think you've forgotten me. Any ideas at all, short of re-formatting the whole gabballio?

Your efforts are much appreciated.
Fiddler

Fiddler · Jul 7, 2004

Pieter - I have found a convenient, if half-baked solution to my browser hijack. I simply went to the msn.com page and created a shortcut on the desktop - the icon is almost the same as the IE explorer icon - And it works. The question remains: is the hijacking causing any other mischief that could be damaging my privacy or hurting the system??

Back to you.

Fiddler.

Fiddler · Jul 12, 2004

Pieter - I'm still out there with that old problem. Any ideas? any new software to help? Any other forums I should try? Please let me know you haven't given up on this problem.
All the best
Fiddler

Log in or Sign up

Browser hijacked - Please help

Pieter_Arntz Spyware Veteran

Fiddler Registered Member

Pieter_Arntz Spyware Veteran

Fiddler Registered Member

Pieter_Arntz Spyware Veteran

Fiddler Registered Member

Fiddler Registered Member

Fiddler Registered Member

Fiddler Registered Member

Log in or Sign up

Browser hijacked - Please help

Pieter_Arntz Spyware Veteran

Fiddler Registered Member

Pieter_Arntz Spyware Veteran

Fiddler Registered Member

Pieter_Arntz Spyware Veteran

Fiddler Registered Member

Fiddler Registered Member

Fiddler Registered Member

Fiddler Registered Member

Useful Searches