hijacked - log attached

Discussion in 'adware, spyware & hijack cleaning' started by Simonnn, Dec 14, 2003.

Thread Status:
Not open for further replies.
  1. Simonnn

    Simonnn Guest

    When I enter www.google.com in address bar I am displayed a page that wants me to go to www.privacyoutpost.com

    Hijackthis log: - thanking some kind person in advance...

    Logfile of HijackThis v1.97.7
    Scan saved at 7:06:06 AM, on 15/12/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Mouse Driver\4DMAIN.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\12Ghosts\12popup.exe
    C:\Program Files\monitor\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.optusnet.com.au/
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\\NVCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Mouse Driver\4DMAIN.EXE
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: http://www.battle.net
    O15 - Trusted Zone: http://broadband.optusnet.com.au
    O15 - Trusted Zone: http://www.smh.com.au
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Simonnn,

    That one is new to me and I can´t find any reason for it in your log.

    Does the same thing happen when you use a link to google or when you go directly to http://216.239.59.99/ ?

    Regards,

    Pieter
     
  3. Simonnn

    Simonnn Guest

    Pieter,

    nativating to the IP address is fine. Refresh from source (control-F5) also works and takes me to the real google (actually google.com.au since there is a local version.

    I also found a reference in the following forum which described similar symptons.

    www.computing.net/windowsxp/wwwboard/forum/86733.html

    This post suggested Qhosts as the culprit. I downloaded and ran FixQhost.exe from Symantic but it came out negative. Another reference I found suggested CoolWebSearch hihack - so I ran cwshredder.exe - also negative.

    I can recall this behaviour some time in the past (only been on-line 3 1/2 months) but IE had been behaving fine for a while. Put this down to something lingering in cache.

    My Norton AV is up to date and Windows is on automatic downloading of patches.

    Will try lavasoft & bhodemon as recommended by a colleague.

    Thanks for taking trouble to reply
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi simonnn,

    While trying to investigate your problem I came across a form where people could complain about spam and other annoyances related to privacyoutpost.

    Since I wasn't sure if it could be trusted I took the liberty of complaining on your behalf. ;)

    If anything useful arises I will keep you posted, but sofar there was no answer.

    Regards,

    Pieter
     
  5. Simonnn

    Simonnn Guest

    Ran Adaware from Lavasoft and it detected a cookie that I've seen mentioned in related posts and removed it. Not re-appeared. www.google.com has been working OK for 24 hours or so, so I think the problem is resolved.

    I just wonder if this is one manifestation of a infestation that is still there. However I have learned lots these last two days not least of which there are some helpful people out there such as yourself.

    Fingers crossed I don't need to post again!
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.