Home Page Changes

Discussion in 'adware, spyware & hijack cleaning' started by jts3uga, Jun 21, 2004.

Thread Status:
Not open for further replies.
  1. jts3uga

    jts3uga Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    2
    I started out trying to remove greatsearch.biz and was succesful. My home page is now changing to xnwav.dll. I have used adaware, hijackthis and shredder using the same steps as with greatsearch. Attached is latest hijackthis log. Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 9:54:20 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QUICKENW\QAGENT.EXE
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\svchosd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\mssk.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpywareBlocker.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Logitech\iTouch\kbdtray.exe
    C:\WINDOWS\sysyk32.exe
    C:\Documents and Settings\John\My Documents\Hijack This\HijackThis.exe
    C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\TFTP.EXE
    C:\Documents and Settings\John\My Documents\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xnwav.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xnwav.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xnwav.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xnwav.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xnwav.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xnwav.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LeasePlan
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {630CB7A9-1179-9906-0F1F-A818BD8572B4} - C:\WINDOWS\system32\sysqe.dll
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Settings] svchosd.exe
    O4 - HKLM\..\Run: [mssk.exe] C:\WINDOWS\system32\mssk.exe
    O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\yeveng.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\John\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKLM\..\RunOnce: [javavg.exe] C:\WINDOWS\javavg.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O14 - IERESET.INF: START_PAGE_URL=about:blank
    O15 - Trusted Zone: http://*.cscbak
    O15 - Trusted Zone: http://*.cscdev
    O15 - Trusted Zone: http://*.cscprod
    O15 - Trusted Zone: http://*.leaseplan.com
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E68A4C-4201-4D85-9379-4272DC716CFD}: NameServer = 207.69.188.187 207.69.188.186
     
    Last edited: Jun 22, 2004
  2. jts3uga

    jts3uga Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    2
    I have read some of the other posts. It appears that files with a dll extension are the offenders. However, they change the filename regularly. How do I clean my log and protect from future hijacks?
     
Thread Status:
Not open for further replies.