browser hj

Discussion in 'adware, spyware & hijack cleaning' started by ange, Jan 2, 2004.

Thread Status:
Not open for further replies.
  1. ange

    ange Guest

    every time i boot up browser hijack blaster tells me that i've got two pages trying to ghange my home page...ran adaware, s&d, spyware blaster.....need help. here's my log file can some have look and see if theres anything wrong pleaseo_Othanks....ange o_O

    Logfile of HijackThis v1.97.3
    Scan saved at 10:48:41 AM, on 1/3/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microangelo\muamgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Browser Hijack Blaster\bhblaster.exe
    C:\Program Files\Winamp\winamp.exe
    E:\appz\Net Security appz\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.cc/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=359
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=359
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.rack.cc/h.php?aid=359
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://t.rack.cc/s.php?aid=359
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://t.rack.cc/s.php?aid=359
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://t.rack.cc/s.php?aid=359
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://t.rack.cc/h.php?aid=359
    O1 - Hosts: 205.177.124.66 auto.search.msn.com
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C61 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C61 Series" /O6 "USB001" /M "Stylus C61"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKCU\..\Run: [IridiumTimeWizard] I:\\iridium.exe
    O4 - Startup: B H Blaster.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi ange :)

    Welcome to wilders.

    Please download and run CWshredder at this link

    http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Then post another HighjackThis log and the moderators

    will give further recommendations.




    snowbound
     
  3. ange

    ange Guest

    seems to have done the trick, thanks mate your a legend!!!! have a look at and see if thats all i have to worry about....thanks again...ange!! ;)

    Logfile of HijackThis v1.97.3
    Scan saved at 11:38:53 AM, on 1/3/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microangelo\muamgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Browser Hijack Blaster\bhblaster.exe
    E:\appz\Net Security appz\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.cc/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aifind.cc/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aifind.cc/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C61 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C61 Series" /O6 "USB001" /M "Stylus C61"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKCU\..\Run: [IridiumTimeWizard] I:\\iridium.exe
    O4 - Startup: B H Blaster.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi ange :D

    Your welcome.

    The moderators will help u with the rest of it as i am not an expert on how to read these HJT logs.

    Still in the learning stages! ;)

    Be patient as most of the moderators who read these logs are in different time zones.

    Good luck.



    snowbound
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    One thing i can recommend to u is to switch from Brower HighjackBlaster to Spywareguard 2.2

    Spywareguard2.2 is more powerful and has Realtime scanning, Download protection and Browser highjack protection. It is another excellent Javacool product.

    Have a look here,

    http://www.majorgeeks.com/download3045.html

    Use the BTN mirror if u decide to try it.



    snowbound
     
  6. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Might want to download the very latest version of HijackThis as well(1.97.7) just to be on the safeside.

    http://www.merijn.org/files/hijackthis.zip
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi ange,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.cc/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aifind.cc/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://aifind.cc/

    Then reboot.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.