newbie. Hijacked 'page cannot be displayed'

Discussion in 'adware, spyware & hijack cleaning' started by Roy Gardiner, Mar 27, 2004.

Thread Status:
Not open for further replies.
  1. Roy Gardiner

    Roy Gardiner Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    6
    On entering an unknown URL this page is displayed:

    C:\Documents and Settings\Administrator\Local Settings\Temp\thePartCreative.htm#http://www.wilderssecurity.xxx/

    with the unknown URL at the end. If I attempt to use Windows Explorer to find this page, IE shuts down. It's probably come from those Fine Folk at LOP or MYSEARCHNOW, since they've caused most of my other problems (now fixed). I've used Spybot and Adaware. This is my HijackThis log:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\6w1b81hv.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\6w1b81hv.slt\prefs.js)
    O2 - BHO: WebXM Browser Helper - {0BEC4479-969E-4964-B035-66114A88112D} - C:\Program Files\Watchfire\WebQA\WFIIeBho.dll
    O2 - BHO: (no name) - {5145A613-B3A5-061F-FE7F-6F3938932B5C} - C:\PROGRA~1\AnteSize\EncJugs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [COMSSTA.EXE] COMSSTA.EXE START
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [IMNNQ] nqdetach.exe imnss.exe start server
    O4 - HKLM\..\Run: [IMNNQ NetQ Web Server] nqdetach.exe httpdl.exe -r C:\PROGRA~1\IBM\IMNNQ\httpd.cnf
    O4 - HKLM\..\Run: [IMNNQ DBCS] nqdetach.exe imqss.exe -start dbcshelp
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [CFI] C:\WINDOWS\CFI.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Show4] C:\PROGRA~1\GRIMIN~1\datadrive.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.57-deleon/GoogleNav.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CAF7917D-F122-44A2-AB39-82BDEB7B2EC9}: NameServer = 213.120.62.102 213.120.62.103

    No doubt it's a shambolic mess :mad: so all suggestions gratefully received.
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Roy :)

    Yes, you're quite right

    Have only HijackThis running and fix:

    O2 - BHO: (no name) - {5145A613-B3A5-061F-FE7F-6F3938932B5C} - C:\PROGRA~1\AnteSize\EncJugs.dll

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [CFI] C:\WINDOWS\CFI.exe
    O4 - HKLM\..\Run: [Show4] C:\PROGRA~1\GRIMIN~1\datadrive.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    Restart the PC after doing so in Safe Mode (Here's How) and remove:

    C:\WINDOWS\CFI.exe <- this file
    C:\PROGRA~1\GRIMIN~1\datadrive.exe <- this file + folder (you did not post the complete HijackThis log so I can't see the running processes, but look for a folder starting with GRIMIN in Program Files and remove it)
    C:\Program Files\AutoUpdate\ <- this folder

    Clean out temp internet files as well

    Restart again in normal mode

    Do you recognize this one?

    O4 - HKLM\..\Run: [COMSSTA.EXE] COMSSTA.EXE START

    Hope this helps

    Cheers,
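The triage above is done by eye: the helper picks the O2/O4 entries to fix out of the posted log and asks about the one entry (COMSSTA.EXE) whose command line has no directory, so the log alone cannot say which file is launched. The script below is an added example, not code from this thread or from HijackThis: it parses log lines in the format shown in post #1 (using lines copied from that log as constructed sample input), applies the fix list from post #2 as a set of image basenames, flags directory-less images for review, pulls the O17 name servers out, and splits the hijacked address bar value from post #1 into the local Temp file and the URL that was appended after the '#'. The fix list, the verdict names and the Temp-path heuristic are this example's own assumptions.

```python
"""Triage helpers for a HijackThis-style log (added example, not the thread's own code)."""
import re
from collections import Counter

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: (no name) - {5145A613-B3A5-061F-FE7F-6F3938932B5C} - C:\PROGRA~1\AnteSize\EncJugs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [COMSSTA.EXE] COMSSTA.EXE START
O4 - HKLM\..\Run: [CFI] C:\WINDOWS\CFI.exe
O4 - HKLM\..\Run: [Show4] C:\PROGRA~1\GRIMIN~1\datadrive.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAF7917D-F122-44A2-AB39-82BDEB7B2EC9}: NameServer = 213.120.62.102 213.120.62.103
"""

# The address bar value reported in post #1 (the requested URL follows the '#').
HIJACK_ADDRESS = r"C:\Documents and Settings\Administrator\Local Settings\Temp\thePartCreative.htm#http://www.wilderssecurity.xxx/"

# Assumption: image basenames of the entries the helper told the poster to fix in post #2.
FIX_LIST = {"encjugs.dll", "evntsvc.exe", "cfi.exe", "datadrive.exe",
            "autoupdate.exe", "backweb-8876480.exe", "ldmconf.exe"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUNKEY_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<cmd>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")


def image_path(cmd):
    """Return the executable/DLL path from a command line.

    A quoted path is taken up to the closing quote; otherwise the command is cut
    after the first .exe/.dll/.ocx token, because unquoted paths in these logs
    can contain spaces and a plain whitespace split would truncate them.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(?P<path>.+?\.(?:exe|dll|ocx))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group("path") if m else cmd.split()[0]


def parse_log(text):
    """Turn log lines into dicts with section, name and launched image (if any)."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "body": body, "name": None, "image": None}
        if section == "O4":
            rm = RUNKEY_RE.match(body) or STARTUP_RE.match(body)
            if rm:
                entry["name"], entry["image"] = rm.group("name"), image_path(rm.group("cmd"))
        elif section == "O2":
            bm = BHO_RE.match(body)
            if bm:
                entry["name"], entry["image"] = bm.group("clsid"), image_path(bm.group("cmd"))
        elif section == "O17":
            nm = NAMESERVER_RE.search(body)
            if nm:
                entry["name"], entry["servers"] = "NameServer", nm.group("servers").split()
        entries.append(entry)
    return entries


def triage(text, fix_list=FIX_LIST):
    """Return (section, name, basename, verdict) for every O2/O4 entry.

    fix    -> basename is on the fix list
    review -> image has no directory, so the log alone cannot show which file on PATH runs
    keep   -> everything else
    """
    rows = []
    for e in parse_log(text):
        if e["image"] is None:
            continue
        base = e["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in fix_list:
            verdict = "fix"
        elif "\\" not in e["image"] and "/" not in e["image"]:
            verdict = "review"
        else:
            verdict = "keep"
        rows.append((e["section"], e["name"], base, verdict))
    return rows


def verdict_counts(text):
    return Counter(v for _, _, _, v in triage(text))


def name_servers(text):
    """O17 DNS servers, so they can be compared against the ISP's published ones."""
    return [ip for e in parse_log(text) if e["section"] == "O17" for ip in e.get("servers", [])]


def split_hijack_url(address):
    """Split 'local file#requested URL' into its two parts (None if no '#')."""
    local, sep, requested = address.partition("#")
    return local, (requested if sep else None)


def is_local_error_page_redirect(address):
    """True when a drive-letter .htm file under a Temp directory carries an http(s) URL after '#'."""
    local, requested = split_hijack_url(address)
    if requested is None or not requested.lower().startswith(("http://", "https://")):
        return False
    lower = local.lower()
    return bool(re.match(r"^[A-Za-z]:\\", local)) and lower.endswith((".htm", ".html")) and "\\temp\\" in lower


if __name__ == "__main__":
    print("hijack address:", split_hijack_url(HIJACK_ADDRESS), is_local_error_page_redirect(HIJACK_ADDRESS))
    for row in triage(SAMPLE_LOG):
        print(*row)
    print(dict(verdict_counts(SAMPLE_LOG)), name_servers(SAMPLE_LOG))
```

On the sample, the five fix-list entries come out as "fix", the two directory-less commands (COMSSTA.EXE and grpconv.exe) as "review", and the rest as "keep"; the O17 line yields the two DNS servers as a list for a quick comparison with whatever the ISP publishes.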
     
  3. Roy Gardiner

    Roy Gardiner Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    6
    Thanks for your help. I notice you suggest I remove some Logitech programs; are they fakes? I have a Logitech wireless keyboard and mouse.
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Roy,

    Nah, it's just not needed at startup. Just some update and new product checker.

    Hope all is well again

    Cheers,
     
  5. Roy Gardiner

    Roy Gardiner Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    6
    OK, thank you Mr Unzy, one of the removals seemed to do the trick. I wonder which?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    My money is on the datadrive.exe ;)

    Pieter
     
  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    That makes two of us Pieter :)

    Glad all is well again Roy ;)

    take care

    Cheers,
     