hijackthis log

Discussion in 'adware, spyware & hijack cleaning' started by TwistedTiger, Mar 20, 2004.

Thread Status:
Not open for further replies.
  1. TwistedTiger

    TwistedTiger Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    8
    Scanned with spysweeper, spybot s&d, ad aware, spy hunter and norton ativirus 2004. Had to turn off anti virus protection to save the hijackthis log, kept getting virus alert object name: C:\Documents and S...\hijackthis.log Virus name Bloodhound.Exploit.6 Action taken: Unable to repair this file. The virus scan doesn't pick it up durind a normal scan and it is only a problem when I try to save my hijack log. The main problem I am having is my browser is hijacked and if I change it back it changes again immediately. Hijacks to about.blank. any help would be greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:21:35 AM, on 3/20/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\me\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O13 - WWW. Prefix: http://%65%68% 74%74%70%2E%63%63/?
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09a1d8ba9a3d0114ed06/netzip/RdxIE601.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91EC0BA5-366C-41C2-9872-566B5BF3D7AC}: NameServer = 205.171.3.65 205.171.28.251
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}

    Changed to avoid Bloodhound Exploit warning
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi TwistedTiger,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homzee.t.muxa.cc/s.php?aid=227 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.efinder.ccsearch/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.efinder.ccsearch/ (obfuscated)
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    O13 - WWW. Prefix: http://%65%68%74%74%70% 2E%63%63/?
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09a1d8ba9a3d0114ed06/netzip/RdxIE601.cab

    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}

    Please download and run CWShredder written by Merijn (creator of HijackThis)
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and do yourself a favor, and uninstall SpyKiller and SpyHunter.

    Regards,

    Pieter

    Changed to avoid Bloodhound Exploit warning
     
  3. TwistedTiger

    TwistedTiger Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    8
    About to try the fixes you suggested thanks, but please explain why you suggest unistalling spykiller and spyhunter.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi TwistedTiger,

    I advised to remove them since you mentioned having AdAware and Spybot S&D.
    Those two are far better products IMO and more honest aboyt what they can do for you.

    Regards,

    Pieter
     
  5. TwistedTiger

    TwistedTiger Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    8
    Ran all the fixes and they worked, my home page is free again. Thanks for the info and the help. :) :) :)
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    My pleasure. :)

    Pieter
     
  7. k3dc

    k3dc Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    33
    Location:
    Sunny Florida
    Hi Pieter,

    Boy, you gave him some GOOD advice there! :D I tried SpyKiller on my machine one time, and I'd rather have a dose of Klez than what it did to me.. :mad:

    Those programs are both, IMHO, not worth downloading; I don't trust either of them.

    Keep up the good work.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.