another hijack log

Discussion in 'privacy problems' started by fastdog29, Jul 19, 2003.

Thread Status:
Not open for further replies.
  1. fastdog29

    fastdog29 Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    20
    Location:
    Coventry,U.K.
    Logfile of HijackThis v1.95.1
    Scan saved at 08:03:21, on 19/07/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\ISS\BLACKICE\BLACKD.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\SETI@HOME\SETI@HOME.EXE
    C:\WINDOWS\SYSTEM\OPTMOUSE.EXE
    D:\NOADS\NOADS.EXE
    C:\PROGRAM FILES\QUICK VIEW PLUS\PROGRAM\QVP32.EXE
    C:\PROGRAM FILES\ISS\BLACKICE\BLACKICE.EXE
    F:\TRANSPARENT42\TRANSPARENTB.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    E:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcadvisor.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PC Advisor
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.lycos.com/cgi-bin/pursuit?query=%s (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.32.6:8080
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
    O4 - HKLM\..\Run: [OPTMOUSEMOUSE] C:\WINDOWS\SYSTEM\optmouse.exe
    O4 - HKLM\..\Run: [Windows Millennium Edition Intro Video] C:\WINDOWS\Applic~1\Micros~1\Intro\content.hta
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadBlackD] "C:\PROGRAM FILES\ISS\BLACKICE\BLACKD.EXE"
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [NoAds] "D:\NOADS\NOADS.EXE"
    O4 - Startup: Qvp32.exe.lnk = C:\Program Files\Quick View Plus\PROGRAM\QVP32.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Startup: TransparentB.exe.lnk = F:\Transparent42\TransparentB.exe
    O4 - Startup: ENSMIX32.EXE.lnk = C:\WINDOWS\ENSMIX32.EXE
    O4 - User Startup: Qvp32.exe.lnk = C:\Program Files\Quick View Plus\PROGRAM\QVP32.EXE
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - User Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - User Startup: TransparentB.exe.lnk = F:\Transparent42\TransparentB.exe
    O4 - User Startup: ENSMIX32.EXE.lnk = C:\WINDOWS\ENSMIX32.EXE
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcadvisor.co.uk
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37591.8198032407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
    O16 - DPF: ConferenceRoom Java Client (UniVoiceX Control) - http://198.64.183.19:8000/java/cr.cab
    *********************************************
    The following are two posts I made to another forum, but which explain my problem:
    Starting my browser the other day I got this in my address bar: http://www.yoogee.com. Puzzled as to where it had come from, I tried to "lose" it, to no avail.
    It turned out to be linked to a program called "Internet Optimizer", which fortunately I was able to uninstall; running Norton's syscheck cleared the shortcuts away and the now dead reg entries (or so I thought!).
    On restarting, there it was again!, so I tried Ad-Aware and BEHOLD, it's a browser hijack! (malware). So after much updating and running of Ad-Aware I have removed all trace (I think) of this pain-in-the-a**e. However, what started all this was searching from the address bar, which brought up yoogee.com.
    So now you would think all would be well!... oh no! Despite checking the registry and confirming that "autosearch" has msn.com listed, using the address bar results in page not found errors (for searching).
    Avenue Media, who make Internet Optimizer, keep sending me the same mail about how to remove it and I'm not getting anywhere fast!!
    There is no reference to yoogee, Avenue Media, Internet Optimizer, or any of the DLLs that it used (see http://www.doxdesk.com/parasite/InternetOptimizer.html) in the registry, and yet I am stuck! (Oh, search from the toolbar still works!) Any clues?
    AND*************************************
    OK, so I have tried Spybot and Pest Patrol (Spybot worked better than PP) BUT
    I still cannot search from the address bar. I cannot repair I.E. (6.0+SP1) because it says that thumbvw.dll is version 5.50.4134.100 and needs to be 5.50.4134.600... and although I can find a version of this in c:\windows\vcm I do not know whether this is the same DLL. Microsoft.com is no help at all, other than telling me what this file does! (Clear as mud.) I have even re-installed Win ME and that made no difference either! --- I did a search on Google for the DLL in question and found an updated version, BUT I cannot install it in the right folder, because when I try, instead of replacing it Windows stores it somewhere else.
    It should go in the C:\Windows\System dir but instead it gets put in C:\WINDOWS\SYSTEM\sfp\archive, EVEN if I delete the DLL from the first sys folder it gets replaced by the original file (as if by magic!)... way past hair ripping stage... all I want is my search from the address bar back, pleeease?
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    In Hijack This, check the following, then close all browser windows, and press "fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.lycos.com/cgi-bin/pursuit?query=%s (obfuscated)

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Windows Millennium Edition Intro Video] C:\WINDOWS\Applic~1\Micros~1\Intro\content.hta


    Now restart your computer, and find and delete the content.hta file in that Application Data\Microsoft (? )\Intro folder.

    About the ENSMIX32.EXE file in your Startup folder, I trust that's indeed a sound card driver?

    Should your problem still exist after doing all of the above, download this regfile. It will restore the Windows defaults for practically everything Search-related.

    http://www.spywareinfoforum.com/downloads/tools/IEFIX.reg

    Save to disk, close all browser windows, double click the file and answer 'yes' when asked to merge.
    Restart your computer.

    Good luck,
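One way to mechanise the triage TonyKlein just did by hand, as an added example that is not from the thread or from HijackThis: a small Python parser for the `Rn - ...` / `On - ...` entry format, with rules for the three patterns he flagged (a rewritten SearchURL, a URLSearchHook or BHO whose file is gone, and an O4 autostart that launches an .hta). The sample lines are copied from the log above; the rule names and the script-extension list are my own assumptions.

```python
import re

# Constructed sample: the HijackThis lines from the log above that the reply singles out,
# plus two benign neighbours (Norton's BHO, TaskMonitor) so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.lycos.com/cgi-bin/pursuit?query=%s (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Windows Millennium Edition Intro Video] C:\WINDOWS\Applic~1\Micros~1\Intro\content.hta
"""

# Every R/O entry is "<section> - <body>", e.g. "R3 - URLSearchHook: ..." or "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
SCRIPT_EXT_RE = re.compile(r"\.(hta|vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)

def parse_entry(line):
    """Split one log line into (section, body); None for process lists, headers, blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m["section"], m["body"]) if m else None

def triage(line):
    """Return a short reason if the entry matches a hijack pattern from the thread, else None."""
    entry = parse_entry(line)
    if entry is None:
        return None
    section, body = entry
    # R0/R1: a rewritten search URL, or a value HijackThis itself marks as obfuscated.
    if section in ("R0", "R1") and ("SearchURL" in body or body.endswith("(obfuscated)")):
        return "search setting rewritten"
    # R3/O2: a search hook or BHO registered by CLSID whose DLL no longer exists (leftover of a removed parasite).
    if section in ("R3", "O2") and body.endswith("(no file)"):
        return "orphaned CLSID, file missing"
    # O4: an autostart whose command is a script-host file rather than a normal executable.
    if section == "O4" and SCRIPT_EXT_RE.search(body):
        return "script file run at startup"
    return None

def triage_log(text):
    """Return [(line, reason)] for every entry in a whole log that trips a rule."""
    hits = []
    for line in text.splitlines():
        reason = triage(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits
```

Running `triage_log(SAMPLE_LOG)` returns exactly the four entries TonyKlein told fastdog29 to tick, and passes the Norton BHO and TaskMonitor through untouched; the rules are a starting point, not a verdict, since a legitimate but uninstalled toolbar also leaves a "(no file)" entry behind.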
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    About your thumbvw.dll version problem, you should be able to extract a copy from your Internet Explorer setup cabs, which will contain the version of the file that you need.

    If you have them, they'll probably be in a Windows update setup files folder.

    If no joy, you'll need to reinstall Internet Explorer.
     
  4. fastdog29

    fastdog29 Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    20
    Location:
    Coventry,U.K.
    ensmix32 is a sound card driver. Have done what you suggested, including the reg fix, and guess what? Still no search from the address bar!..... Oh yes, the item listed as R3-URLSearchHook etc. is still there; when I check it and "fix it" I then get a box with a load of characters in it, in various fonts. Is this right?
    ********************************
    However I cannot extract the thumb DLL from the folder. Do I need to do it in DOS? (Running Win ME.)
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi fastdog 29,

    Try fixing the R3 items once more with HijackThis. Close all windows and as many programs as possible. Reboot after doing so. If it still doesn't work, could you make a screenshot of the box you get?

    About extracting files: http://www.duxcw.com/faq/win/extract.htm

    Regards,

    Pieter
     
  6. fastdog29

    fastdog29 Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    20
    Location:
    Coventry,U.K.
    :D :D :D :D :D...ALL HAIL TO THE CHIEFS!!!!!HALLELUJAH
    FINALLY I have my search back.....thanks to all who looked and gave me the benefit of their time and knowledge.
    ...err, however I still cannot extract "thumbvw.dll" as it says that it is protected from deletion/copying? (A minor point.) o_O
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi fastdog29,

    Glad we could help you get rid of the hijack. :)

    Could you give me the exact error message you get and at what point in the process of trying to extract?

    Regards,

    Pieter
     
  8. fastdog29

    fastdog29 Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    20
    Location:
    Coventry,U.K.
    It's OK, I managed to figure it out on my own (..crumbs!!)
    Searching Microsoft's knowledge base using "copy/protected" as search terms I found exactly the right article.
    You have to disable "Statemgr" in the startup part of msconfig to allow the copying of protected files that "Windows System File Protection" would normally prevent. If I'm honest I do try to fix things myself (using as much reference as possible), but the hijack thing had me stumped... any clues as to where I could get a guide/help as to how to configure the "java permissions" part of I.E. (6.0)?
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi fastdog 29,

    Have a look at the text I copied here: http://www.wilderssecurity.com/showthread.php?t=11861;start=msg77012#msg77012
    That should put you on the right track.

    Regards,

    Pieter
     