hijacked - log attached

Discussion in 'adware, spyware & hijack cleaning' started by Simonnn, Dec 14, 2003.

Thread Status:
Not open for further replies.
  1. Simonnn

    Simonnn Guest

    When I enter www.google.com in the address bar I am shown a page that wants me to go to www.privacyoutpost.com.

    HijackThis log (thanking some kind person in advance...):

    Logfile of HijackThis v1.97.7
    Scan saved at 7:06:06 AM, on 15/12/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Mouse Driver\4DMAIN.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\12Ghosts\12popup.exe
    C:\Program Files\monitor\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.optusnet.com.au/
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\\NVCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse Driver\4DMAIN.EXE
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: http://www.battle.net
    O15 - Trusted Zone: http://broadband.optusnet.com.au
    O15 - Trusted Zone: http://www.smh.com.au
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
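A small triage script for the log format above, added here as a worked example; it is not code from the thread, from HijackThis or from Wilders. It parses the `Rn`/`On` line prefixes that HijackThis 1.9x emits, counts entries per section, lists the O15 Trusted Zone sites, and flags O4 Run-key commands whose executable is not given as an absolute path (a bare name such as `nwiz.exe` is resolved by Windows' normal executable search rather than pinned to one file, so it deserves a second look). The two heuristics are the reviewer's own, the sample is a subset of the posted log, and the section codes are assumed to be the only ones present.

```python
"""Minimal triage of a HijackThis 1.9x log (added example, not from the thread)."""
import re
from collections import Counter

# A subset of the log posted above; the real log has more O4 entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.optusnet.com.au/
O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: http://www.battle.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
""".strip("\n")

# "O4 - ..." style prefix; the section code is the first token.
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# "HKLM\..\Run: [Name] command line" as HijackThis prints registry Run entries.
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Return a list of (section_code, body) tuples; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def command_executable(cmd):
    """Extract the program from a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries):
    """Summarise entries: per-section counts, trusted-zone sites, unqualified Run commands."""
    report = {
        "counts": Counter(code for code, _ in entries),
        "trusted_zones": [],
        "unqualified_run": [],   # (key, value name, executable as written)
    }
    for code, body in entries:
        if code == "O15" and body.startswith("Trusted Zone: "):
            report["trusted_zones"].append(body[len("Trusted Zone: "):])
        elif code == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue             # Startup-folder items carry their own folder path
            hive, key, name, cmd = m.groups()
            exe = command_executable(cmd)
            if not ABS_PATH_RE.match(exe):
                report["unqualified_run"].append((f"{hive}\\..\\{key}", name, exe))
    return report


if __name__ == "__main__":
    rep = triage(parse_hjt(SAMPLE_LOG))
    print("sections:", dict(rep["counts"]))
    print("trusted zones:", rep["trusted_zones"])
    for key, name, exe in rep["unqualified_run"]:
        print(f"unqualified Run entry {key} [{name}] -> {exe}")
```

Run against the full log, the same script would also flag `RUNDLL32.EXE` and `sstray.exe` lines, which is the point: it narrows the list to what needs a human look, it does not decide what is malicious.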
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Simonnn,

    That one is new to me and I can't find any reason for it in your log.

    Does the same thing happen when you use a link to google or when you go directly to http://216.239.59.99/ ?

    Regards,

    Pieter
     
  3. Simonnn

    Simonnn Guest

    Pieter,

    Navigating to the IP address is fine. Refresh from source (Ctrl-F5) also works and takes me to the real Google (actually google.com.au, since there is a local version).

    I also found a reference in the following forum which described similar symptoms.

    www.computing.net/windowsxp/wwwboard/forum/86733.html

    This post suggested Qhosts as the culprit. I downloaded and ran FixQhost.exe from Symantec but it came out negative. Another reference I found suggested a CoolWebSearch hijack, so I ran cwshredder.exe - also negative.

    I can recall this behaviour some time in the past (only been on-line 3 1/2 months) but IE had been behaving fine for a while. Put this down to something lingering in cache.

    My Norton AV is up to date and Windows is on automatic downloading of patches.

    Will try lavasoft & bhodemon as recommended by a colleague.

    Thanks for taking trouble to reply
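The two checks in the exchange above (does the IP address work when the name does not; is a Qhosts-style hosts-file redirect present) come down to whether name resolution for google.com is being overridden locally. The HijackThis log above reports no O1 (hosts file) lines, which agrees with the FixQhost result, but the hosts file is the first thing to read by hand in a case like this. The script below is an added example, not code from the thread, from Symantec or from any of the tools named; it parses a Windows-style hosts file and flags any watched domain pinned to a non-loopback address. The watchlist, the sample file contents and the 203.0.113.7 redirect target are constructed for illustration.

```python
"""Flag hosts-file entries that redirect well-known sites (added example, not from the thread)."""
import ipaddress

# Constructed sample hosts file: a standard localhost line, an ad-blocking
# loopback entry, a genuine LAN alias, and one hijack-style redirection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net     # ad blocking, harmless
192.168.1.10    fileserver fileserver.lan
203.0.113.7     www.google.com google.com www.google.com.au
"""

# Hypothetical watchlist of sites a search hijacker would typically target.
WATCHLIST = ("google.com", "google.com.au", "yahoo.com", "msn.com", "altavista.com")


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]); comments, blanks and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # an address with no names maps nothing
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first token is not an address
        entries.append((ip, parts[1:]))
    return entries


def _on_watchlist(name, watchlist):
    """True if name is a watched domain or a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == w or name.endswith("." + w) for w in watchlist)


def find_redirects(entries, watchlist=WATCHLIST):
    """Hosts-file mappings that send a watched domain anywhere except loopback.

    127.x.x.x and ::1 entries are the classic ad-blocking pattern and are left
    alone; a watched name pinned to any other address overrides DNS for that
    site on this machine, which is what a hosts-file hijack does.
    """
    hits = []
    for ip, names in entries:
        if ip.is_loopback:
            continue
        for name in names:
            if _on_watchlist(name, watchlist):
                hits.append((str(ip), name))
    return hits


if __name__ == "__main__":
    for ip, name in find_redirects(parse_hosts(SAMPLE_HOSTS)):
        print(f"hosts file overrides {name} -> {ip}")
```

To check a real XP machine, read `C:\WINDOWS\system32\drivers\etc\hosts` into `parse_hosts` instead of the sample text. An empty result together with "the IP works but the name does not" points away from the hosts file and toward the DNS server settings or, as the Ctrl-F5 result in the post above suggests, a cached page.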
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi simonnn,

    While trying to investigate your problem I came across a form where people could complain about spam and other annoyances related to privacyoutpost.

    Since I wasn't sure if it could be trusted I took the liberty of complaining on your behalf. ;)

    If anything useful arises I will keep you posted, but so far there was no answer.

    Regards,

    Pieter
     
  5. Simonnn

    Simonnn Guest

    Ran Adaware from Lavasoft and it detected a cookie that I've seen mentioned in related posts and removed it. Not re-appeared. www.google.com has been working OK for 24 hours or so, so I think the problem is resolved.

    I just wonder if this is one manifestation of an infestation that is still there. However, I have learned lots these last two days, not least of which is that there are some helpful people out there such as yourself.

    Fingers crossed I don't need to post again!
     