hijacked browser

Discussion in 'adware, spyware & hijack cleaning' started by MadMonkey, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. MadMonkey

    MadMonkey Guest

    I have recently fell victim to a hijacked browser. I used spy bot s&d to do the initial cleaning, while tinkering with various other programs i have noticed that one seems to always be reinstalling itself once it is removed, PURITYSCAN, it reinstalls after every reboot. Spybot S&D caught it and I rebooted (as per instruction) so it is probably showing up again in this log below Please help!!:) here is my hijack this log.



    Logfile of HijackThis v1.97.7
    Scan saved at 10:25:28 AM, on 02/26/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\DMI\WIN32\BIN\WIN32SL.EXE
    C:\DMI\WIN32\BIN\DELLDMI.EXE
    C:\WINDOWS\SYSTEM\3COM_DMI\3CDMINIC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\APPLICATION DATA\BSRT.EXE
    C:\WINDOWS\SYSTEM\WNSAPISV.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\DOWNLOAD\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mbe.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mbe.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [WIN32SL] c:\dmi\win32\bin\win32sl.exe -i -p -r
    O4 - HKLM\..\RunServices: [DellDmi] C:\DMI\WIN32\BIN\DELLDMI.EXE
    O4 - HKLM\..\RunServices: [3Com DMI Agent] C:\WINDOWS\SYSTEM\3com_dmi\3CDMINIC.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [Aeco] C:\WINDOWS\Application Data\bsrt.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapisv.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {F6F81E1B-2A96-491A-AEFA-6D7A0BA1CB38} (MSI.ClientScriptTools) - https://mbe.iship.com/pss002/bin/msi_cst.cab
    O16 - DPF: {5CD04B10-040B-4929-9195-066894576CA9} (MSI.Registry) - https://mbe.iship.com/bin/msi_registry.cab
    O16 - DPF: {A12552C3-8947-11D1-9D49-00A02475D4E0} (MSI.sss_ShippingStationServices) - https://mbe.iship.com/bin/msi_shippingstation.cab
    O16 - DPF: {5B37ABB0-9FC0-4FA1-B2F9-95CC9A088D3C} (MSI.Ports) - https://mbe.iship.com/bin/msi_portenum.cab
    O16 - DPF: {48032833-56FF-4D44-ACB4-1BBAC4A3D942} (MSI.Printer) - https://mbe.iship.com/bin/msi_printer.cab
    O16 - DPF: {51A4A871-14C1-40F1-8E24-8CA7CF6D620B} (MSI.Scale) - https://mbe.iship.com/pss002/bin/msi_scales.cab
    O16 - DPF: {4392B188-CBA7-4CA8-A24F-31B378B3F4B5} (MSI.AXM) - https://mbe.iship.com/pss002/bin/msi_axm.cab
    O16 - DPF: {B1234A37-C3D2-4EA1-BC14-054BC2F22807} (MSI.ClientPOS) - https://mbe.iship.com/pss002/bin/msi_posclient.cab
    O16 - DPF: {66407C2E-2514-11D3-82F4-00A0C9D57E74} (MSI.cms_CSZ) - https://mbe.iship.com/bin/cms_csz.cab
    O16 - DPF: {5C8F2A10-0C1B-4499-870E-6C0573AFF7BF} (MSI.csz_TDatabase ) - https://mbe.iship.com/pss003/bin/msi_cszapi.cab
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://mbe.iship.com/pss002/bin/arview2.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
    O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
    O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/SonyPicturesGameDownloader.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.2568402778
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: ViewTIFF for Java - http://imaging.landata.com/ViewTIFFJava/javabin/TIFFView.cab
    O16 - DPF: {BB7FDAE3-7188-45EC-84AD-E85777F96E2A} (MSI.ofl_TRatingX ) - http://mbe.iship.com/pss003/bin/msi_ratingx.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mbe.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.17.201,151.164.11.201
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi MadMonkey,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O4 - HKCU\..\Run: [Aeco] C:\WINDOWS\Application Data\bsrt.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapisv.exe

    Then reboot and delete:
    C:\WINDOWS\Application Data\bsrt.exe
    C:\WINDOWS\SYSTEM\wnsapisv.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.