hijackthis log

Discussion in 'adware, spyware & hijack cleaning' started by TwistedTiger, Mar 20, 2004.

Thread Status:
Not open for further replies.
  1. TwistedTiger

    TwistedTiger Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    8
    Scanned with spysweeper, spybot s&d, ad aware, spy hunter and norton ativirus 2004. Had to turn off anti virus protection to save the hijackthis log, kept getting virus alert object name: C:\Documents and S...\hijackthis.log Virus name Bloodhound.Exploit.6 Action taken: Unable to repair this file. The virus scan doesn't pick it up durind a normal scan and it is only a problem when I try to save my hijack log. The main problem I am having is my browser is hijacked and if I change it back it changes again immediately. Hijacks to about.blank. any help would be greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:21:35 AM, on 3/20/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\me\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O13 - WWW. Prefix: http://%65%68% 74%74%70%2E%63%63/?
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09a1d8ba9a3d0114ed06/netzip/RdxIE601.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91EC0BA5-366C-41C2-9872-566B5BF3D7AC}: NameServer = 205.171.3.65 205.171.28.251
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}

    Changed to avoid Bloodhound Exploit warning
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi TwistedTiger,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.efinder.ccsearch/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.efinder.ccsearch/ (obfuscated)
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    O13 - WWW. Prefix: http://%65%68%74%74%70% 2E%63%63/?
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09a1d8ba9a3d0114ed06/netzip/RdxIE601.cab

    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}

    Please download and run CWShredder written by Merijn (creator of HijackThis)
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and do yourself a favor, and uninstall SpyKiller and SpyHunter.

    Regards,

    Pieter

    Changed to avoid Bloodhound Exploit warning
     
  3. TwistedTiger

    TwistedTiger Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    8
    About to try the fixes you suggested thanks, but please explain why you suggest unistalling spykiller and spyhunter.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi TwistedTiger,

    I advised to remove them since you mentioned having AdAware and Spybot S&D.
    Those two are far better products IMO and more honest aboyt what they can do for you.

    Regards,

    Pieter
     
  5. TwistedTiger

    TwistedTiger Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    8
    Ran all the fixes and they worked, my home page is free again. Thanks for the info and the help. :) :) :)
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My pleasure. :)

    Pieter
     
  7. k3dc

    k3dc Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    33
    Location:
    Sunny Florida
    Hi Pieter,

    Boy, you gave him some GOOD advice there! :D I tried SpyKiller on my machine one time, and I'd rather have a dose of Klez than what it did to me.. :mad:

    Those programs are both, IMHO, not worth downloading; I don't trust either of them.

    Keep up the good work.
     
Thread Status:
Not open for further replies.