I seem to have a bug...

Discussion in 'adware, spyware & hijack cleaning' started by annie62, May 19, 2004.

Thread Status:
Not open for further replies.
  1. annie62

    annie62 Registered Member

    Joined:
    May 18, 2004
    Posts:
    6
    My about:blank home page is being changed to MSN.com. It usually happens after I delete an HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\1004!=W=3 (this was the one I deleted yesterday). I didn't bother it when I ran Spybot tonight but I deleted all the other junk.

    Ad-aware comes up with this possible hijack attempt: HKEY_CURRENT_USER:Software
    Location:Software\Microsoft\InternetExplorer\Main "Start

    Everytime I take them off, the next time I run Ad-a or Spybot they are back.

    I have deleted MySearch by Google and cannot seem to find any other problem.

    I also seem to be running two Explorer.exe's! o_O

    All help will be greatly appreciated. I will be out of town tomorrow but will check in tomorrow night.

    annie62


    Logfile of HijackThis v1.97.7
    Scan saved at 11:52:07 PM, on 5/18/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISSERV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\SYMPROXYSVC.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\IAMAPP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\SYSTEM\HPHMON03.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    D:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\CALLWAVE\IAM.EXE
    C:\WINDOWS\SYSTEM\HPHIPM09.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\EXPLORER.EXE
    D:\HIJACKTHIS.EXE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=bellsouth.net:110
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSPC.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [blspcloader] "C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE"
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
    O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\BELLSOUTH ACCELERATOR TECHNOLOGY\PROPELAC.EXE
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ??A\WkDetect.exe
    O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
    O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\nsched32.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - User Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
    O4 - User Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\nsched32.exe
    O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.accelerator.bellsouth.net/sdccommon/download/tgctlcm.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = bellsouth.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.203.32.20
     
  2. annie62

    annie62 Registered Member

    Joined:
    May 18, 2004
    Posts:
    6
    PS: I found a RunOnce file in my Windows registry and it had a square box with an "ab" in it. I noticed below that someone else had found that on their computer. Maybe I need to just take my computer to the shopo_O
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi annie62, and welcome.

    Please do not fix anything in HijackThis yet. Wait until an Expert has had a chance to go over it and they will post the instructions on what needs to be fixed.

    In the meanwhile, please create a permanent folder somewhere on your C drive and move the Hijackthis.exe file into it. Hijackthis will create backups in the folder it is ran from, so if we should need to put anything back, we will have those backups to restore with. :)

    Regards,

    snap
     
Thread Status:
Not open for further replies.