Popups & Home Page Hijacked: Hijackthis Log Included

Discussion in 'adware, spyware & hijack cleaning' started by Myndrall, Jun 18, 2004.

Thread Status:
Not open for further replies.
  1. Myndrall

    Myndrall Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    2
    My friend recently linked me a "funny video" and as soon as I clicked the link I started noticing problems. My home page is gone with also tons of popups.

    I have the latest version of spybot s&d updated fully it still finds nothing, also I have tried CWShreader and still the popups survive.

    Here is my Hijack this long in hopes that some person more knowledable than myself on these matters can help me:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:12:56 AM, on 6/18/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    F:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    F:\WINDOWS\System32\nvsvc32.exe
    F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    F:\WINDOWS\system32\netki.exe
    F:\WINDOWS\Explorer.EXE
    F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    F:\Program Files\QuickTime\qttask.exe
    F:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Winamp3\winampa.exe
    F:\WINDOWS\system32\atldi32.exe
    F:\Program Files\Messenger\msmsgs.exe
    F:\Program Files\AIM\aim.exe
    F:\Program Files\Steam\Steam.exe
    F:\Program Files\AWS\WeatherBug\Weather.EXE
    F:\WINDOWS\System32\devldr32.exe
    F:\Program Files\Yahoo!\Messenger\ypager.exe
    F:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
    F:\WINDOWS\System32\msiexec.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Documents and Settings\Shannon\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\hufax.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hufax.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hufax.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\hufax.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hufax.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\hufax.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {705339A9-706D-B4BE-5A24-DBE10DE51732} - F:\WINDOWS\system32\wintm32.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IntelliType] "F:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp3\winampa.exe
    O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [atldi32.exe] F:\WINDOWS\system32\atldi32.exe
    O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Steam] F:\Program Files\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Weather] F:\Program Files\AWS\WeatherBug\Weather.EXE 1
    O4 - HKLM\..\RunOnce: [crfk32.exe] F:\WINDOWS\system32\crfk32.exe
    O4 - HKLM\..\RunOnce: [netki.exe] F:\WINDOWS\system32\netki.exe
    O4 - HKLM\..\RunOnce: [iefw.exe] F:\WINDOWS\iefw.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7955.6452199074
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab



    Thank you for your time o_O o_O
     
  2. Myndrall

    Myndrall Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    2
    no one knows what my problem is? :(

    i dont want to have to reformat :'(
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.