Hijack Log review needed - myexexex.com and file://c:/spad/start.html

Discussion in 'adware, spyware & hijack cleaning' started by White Devel, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. White Devel

    White Devel Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Scaned with adaware pestpatrol and spybot.
    What do i need to removeo_O
    Spybot detects common hyjacker but fails to remove/fix problem.
    Internet explorer also is now prone to errors, closes and sends error message. more than likely it has become corrupt.


    Logfile of HijackThis v1.97.7
    Scan saved at 7:48:55 PM, on 6/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ZONELA~2\ZONEAL~1\zlclient.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\Program Files\Antiy Labs\AGB4\gb.exe
    C:\Documents and Settings\Giroux. C\Desktop\CleanerZ\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?

    said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.sympatico.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search

    .php?said=spage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/

    search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?

    said=spage&qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/

    search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/

    search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search

    .php?said=spage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by Me
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5

    .0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1

    \Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper

    .dll
    O2 - BHO: (no name) - {7a78634a-90a0-48cc-8dd2-bf140c537766} - (no file)
    O2 - BHO: (no name) - {7B2A9720-A1D1-4B0B-A3CB-515C7D7B48C8} - (no file)
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

    SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {dab8a1ed-16f2-4f8b-9115-84f16f37340a} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic

    Agent\CopernicAgentExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton

    SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~2\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Spam Bully for Outlook Express] "C:\Program Files\Axaware\Spam Bully 2 for

    OE\oespambully.exe" install
    O4 - HKCU\..\RunOnce: [CyberScurb[V]] "C:\Program Files\CyberScrub Trial\silent.exe" /R /V
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo\memturbo.exe
    O4 - User Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo\memturbo.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe

    Gamma Loader.exe
    O4 - Global Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo\memturbo.exe
    O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\System32

    \MetaProducts\Add_Url.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program

    Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic

    Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O14 - IERESET.INF: START_PAGE_URL=http://www1.sympatico.ca
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www1.sympatico.ca
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/

    qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.

    symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/76808a0e7

    ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.city.north-bay.on

    .ca/scripts/AxisCamControl.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/

    security/controls/SassCln.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class)

    - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello White !

    Unfortunately none of those programs are going to remove this Hijacker. This is a very new hijacker that just showed up in the last few days. Please proceed as follows:

    Go and download the file Pv.Zip from here..

    http://www.zerosrealm.com/downloads/pv.zip

    Unzip to folder and make sure you are online and have one explorer windows open (like startpage)

    Then doubleclick runme.bat, choose option 2 and post the log in a reply to be checked.

    With Thanks !
    Newkid !
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.