Web Browser Homepage Problem (HiJackThis Log Supplied)

Discussion in 'adware, spyware & hijack cleaning' started by kinetx, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. kinetx

    kinetx Registered Member

    Joined:
    May 7, 2004
    Posts:
    4
    Hey dudes, some how I got spyware onto my pc.. I've cleaned it out with Ad-Aware 6 and SpyBot, but it's taken over my browsers (IE & MYIE2) and sets the homepage to http://jetsearch.org and if I change it just changes it back.. I've cleaned out Temporary Internet Files heaps of times and still it won't go away.. here's my HiJackThis log, hopefully someone can help me.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:49:40 PM, on 28/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\SM1BG.EXE
    C:\WINDOWS\SYSTEM32\runsvc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\runsvc32.exe
    C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Kareem\mIRC\mirc.exe
    E:\Kareem\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jetsearch.org
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jetsearch.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [runsvc32.exe] C:\WINDOWS\SYSTEM32\runsvc32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ESFTP] E:\Kareem\ESftp\esftp.exe /STARTUP
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [runsvc32.exe] C:\WINDOWS\SYSTEM32\runsvc32.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37359.7897337963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C344F572-2563-4D41-9CFA-941962AAB922}: NameServer = 203.2.75.132,198.142.0.51

    Thanks in advance :)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi kinetx,

    Update Windows and IE at earliest convenience please.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jetsearch.org
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jetsearch.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org

    O4 - HKLM\..\Run: [runsvc32.exe] C:\WINDOWS\SYSTEM32\runsvc32.exe

    O4 - HKCU\..\Run: [runsvc32.exe] C:\WINDOWS\SYSTEM32\runsvc32.exe

    Then reboot and let me know if it was permanent this time.

    Could you please mail me a (preferably zipped) copy of:
    C:\WINDOWS\SYSTEM32\runsvc32.exe
    Use the address in my profile please.

    Regards,

    Pieter
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi kinetx,

    Thanks for the file.
    It was recognized by my scanner as Trojan.Startpage.jp

    So you can safely assume it was responsible for your hijack and delete it.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.