"Hijacked" with a twist

Discussion in 'adware, spyware & hijack cleaning' started by Stephen1959, May 22, 2004.

Thread Status:
Not open for further replies.
  1. Stephen1959
    Offline

    Stephen1959 Registered Member

    Well now, not only has my browser been hijacked but I am not allowed to left click on "My Computer" nor am I allowed to use "Tools > Internet Options > General > Settings > View Objects". My computer freezes if I attempt either. I have run ad-aware, hijackthis and norton anti-virus until I am blue in the face. I have emptied my temp files and cleared cookies. I am now going to post my hijackthis log in case anyone has come across the same problems and could make a suggestion. Thanks in advance. By the way, I've "Fix Checked" all of those named "http://cashsearch.biz/redir.php". They keep returning.

    PS: I would love to know who owns this domain name. They need to receive a nasty email along with a lawsuit.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:32:43 PM, on 5/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://news.bbc.co.uk"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\nnih4lzd.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\nnih4lzd.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_16_0.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_16_0.DLL
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O12 - Plugin for .asp: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .mpeg: C:\WINDOWS\DESKTOP\BROWSERS\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://loginnet.passport.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37864.507337963
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
  2. Unzy
    Offline

    Unzy Registered Member

    Hi Stephen,

    Can you please download and run this tool :

    http://www.zerosrealm.com/downloads/pv.zip

    Unzip to folder of choice and doubleclick on runme9x.bat

    A log will open, can you please post that log here?

    Thnx

    Cheers,
  3. Stephen1959
    Offline

    Stephen1959 Registered Member

    Hello Unzy,
    I did what you asked. I clicked on the runme9x.bat and a menu popped up. The first three choices came up as bad command or file name. The fourth one I could access. Did you want a log from all five choices? Thanks.

    Stephen
  4. Unzy
    Offline

    Unzy Registered Member

    I needed a log from option 1

    Sorry I forgot to mention that.

    Is there no log created after running option one?

    If an error box pops up, you can just click OK, that can happen if you have scriptblocking or so

    Make sure you :

    -Unzipped to a folder

    -You are online

    -And have one internet window open (startpage or so, or whatever)

    Thnx

    Cheers,
  5. Stephen1959
    Offline

    Stephen1959 Registered Member

    Hi,
    No good. I clicked on option 1 and a blank notepad box appeared entitled "log".
  6. Unzy
    Offline

    Unzy Registered Member

    Ok,

    Can you check on your computer via start -> search -> files/folders if you find back the following file :

    system32.dll

    Thnx

    Cheers,
  7. Stephen1959
    Offline

    Stephen1959 Registered Member

    ok. I've made a copy of the file and put it in it's own folder. please excuse the time delay. when I try and do certain things on my computer it freezes and I am constantly rebooting. thanks for your assistance.
Thread Status:
Not open for further replies.