Please Help another Hijacked Web Browser

Discussion in 'adware, spyware & hijack cleaning' started by DanB, Jun 18, 2004.

Thread Status:
Not open for further replies.
  1. DanB

    DanB Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    2
    Location:
    Australia
    Alright folks, I've never been this frustrated & not been able to fix a problem so I'm calling the experts. Short of re-formatting everything again I hope you guys can help me. I've just run Spybot, Spysweeper, Ad-Aware and CWSredder.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:22:13 PM, on 18/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
    C:\WINDOWS\system32\msgk32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\apiuh32.exe
    C:\Program Files\XviD Bitrate Calculator\XviD Bitrate Calculator.exe
    C:\Program Files\XviD Bitrate Calculator\XviD Bitrate Calculator.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\Program Files\XviD Bitrate Calculator\XviD Bitrate Calculator.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
    C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\XviD Bitrate Calculator\XviD Bitrate Calculator.exe
    C:\WINDOWS\system32\spider.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dan\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zsmct.dll/index.html#96676
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5381933F-84CC-6518-4C5B-B288D070970B} - C:\WINDOWS\system32\javagr32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [apiuh32.exe] C:\WINDOWS\apiuh32.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38129.0414699074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    I've [fixed] the start and search pages numerous times and it just keeps coming back. Hope you can HELP ME!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi DanB,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click and stop it. Put the Startup type to disabled under Properties > General tab

    Then open Task Manager and stop these two processes:
    C:\WINDOWS\system32\msgk32.exe
    C:\WINDOWS\apiuh32.exe

    Before you start, please move HijackThis to a separate folder. The program will make backups in the folder it's in.
    These will now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zsmct.dll/index.html#96676

    O2 - BHO: (no name) - {5381933F-84CC-6518-4C5B-B288D070970B} - C:\WINDOWS\system32\javagr32.dll

    O4 - HKLM\..\Run: [apiuh32.exe] C:\WINDOWS\apiuh32.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\msgk32.exe
    C:\WINDOWS\apiuh32.exe
    zsmct.dll
    C:\WINDOWS\system32\javagr32.dat

    Regards,

    Pieter
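
An added example, not part of the original thread and not HijackThis's own logic: a small parser for the log format posted above, with three triage heuristics that are assumptions chosen for illustration (an IE page setting using a `res://` URL, an unnamed BHO whose DLL sits under the Windows directory, and a Run entry launching an executable directly from `C:\WINDOWS`). On the lines copied from this log it surfaces the same three entries the reply asks to fix; hits are leads for an analyst to verify, not verdicts.

```python
import re

# Lines copied from the HijackThis log in the first post (subset).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zsmct.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5381933F-84CC-6518-4C5B-B288D070970B} - C:\WINDOWS\system32\javagr32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [apiuh32.exe] C:\WINDOWS\apiuh32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""

# An entry line is "<section code> - <body>", e.g. "R0 - ..." or "O16 - ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
# Run command whose target is an .exe directly in C:\WINDOWS (no subfolder).
WINDIR_EXE = re.compile(r'\]\s*"?(c:\\windows\\[^\\"\s]+\.exe)')

def parse(log):
    """Return (section_code, body) for each entry line; header and process lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def triage(log):
    """Return (code, reason, body) for entries matching the illustrative heuristics."""
    hits = []
    for code, body in parse(log):
        low = body.lower()
        if code in ("R0", "R1") and "= res://" in low:
            hits.append((code, "IE page setting points at a res:// resource", body))
        elif code == "O2" and "(no name)" in low and "\\windows\\" in low:
            hits.append((code, "unnamed BHO loaded from the Windows directory", body))
        elif code == "O4" and WINDIR_EXE.search(low):
            hits.append((code, "Run entry starts an exe directly in C:\\WINDOWS", body))
    return hits

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```
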
     
  3. DanB

    DanB Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    2
    Location:
    Australia
    Thanks Pieter

    With your advice and a bit more tinkering I finally got rid of the annoying browser hijack. I know 3 other people from different walks of life who have had similar problems develop in the last couple of weeks. This is becoming a major problem. Thank you for sharing your expertise.

    Regards Dan
     