Re: Browser Hijacker
From: geo_somerville (geosomerville_at_discussions.microsoft.com)
Date: 06/28/04
- Next message: Paul T: "RE: Premium rate dialer!"
- Previous message: lwallace: "XP Sutdown when you Log On"
- In reply to: No_at_SpaM: "Re: Browser Hijacker"
- Next in thread: Rick: "Re: Browser Hijacker"
- Reply: Rick: "Re: Browser Hijacker"
Date: Mon, 28 Jun 2004 12:22:01 -0700
Thanks - I have tried all of this; however, the problem persists. I have used the HijackThis log (below) and logged on Tom Coyote, however with no response. Can you assist?
Log is
Scan saved at 20:15:44, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\WINDOWS\WindowsUpd4.exe
C:\WINDOWS\SM1BG.EXE
D:\CloneCD\CloneCDTray.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\HotXXX.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\browse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: typemeal - {117A1114-6E05-6716-C71F-59DAFD110F54} - C:\PROGRA~1\MEOWEG~1\Chinace.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "D:\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HotXXX] C:\WINDOWS\HotXXX.exe -n
O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1088098829671
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.4722916667
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://phobos.apple.com/detection/ITDetector.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
"No@SpaM" wrote:
>
> Yes that sounds like Spyware. Download both of these free programs:
> Spybot - http://www.safer-networking.org
> Ad-aware - www.lavasoftusa.com
>
> *Important* After you download the programs check for Updates BEFORE you
> scan. Both sites have help sections and forums if you need assistance.
> Turn OFF System Restore before you scan. Once your computer is clean you
> can turn it back on.
>
> More Tools:
> CWShredder - http://209.133.47.200/~merijn/files/CWShredder.exe
> Alternate Download site:
> CW Shredder - http://aumha.org/downloads/cwshredder.zip
>
> If you still have trouble after running all the above programs, you can get
> this program, scan your system and post your log to a forum for an expert to
> assist you. *Important* Don't try to fix anything with Hijack This - Post
> your log.
> Hijack This - http://209.133.47.200/~merijn/files/HijackThis.exe
> Alternate Download site:
> Hijack This - http://tomcoyote.com/hjt
>
> Once your system is clean check for Windows Critical Updates.
> Windows Updates - Update Windows regularly (at the very least once a
> month) - ALWAYS download Critical Updates. You can set your computer for
> automatic updates if you prefer.
>
>
> SPYWARE INFO-HELPFUL LINKS
> http://www.spywareinfo.com/~merijn/
> http://mvps.org/winhelp2002/unwanted.htm
> http://www.doxdesk.com/parasite/
> http://www3.telus.net/dandemar/index.htm
> http://www.cexx.org/noadware.htm
> http://www.aumha.org/
> http://secunia.com/
>
> FORUMS
> http://forums.tomcoyote.org/
> http://forums.spywareinfo.com/
> http://computercops.biz/forums.html
> http://boards.cexx.org/
> http://www.techsupportforums.com/
> http://forums.techguy.org/
> http://forums.net-integration.net/index.php
>
>
>
>
>
> "geo_somerville" <geo_somerville@discussions.microsoft.com> wrote in message
> news:1D8DD381-3475-4B6A-9C97-E6760A16AF4B@microsoft.com...
> > Hi - I seem to have a similar problem. My internet connection has been
> > hijacked whereby my modem is disconnected and the line taken up with a
> > premium rate line to another website. Each time I uninstall the program it
> > keeps coming back. I have uninstalled the program, my telephone coy have
> > barred premium rate lines and I have moved over to broadband (adsl) yet the
> > problem persists. It happens each time I connect - I believe this is a
> > widespread problem. Any help?
> >
> > "No@SpaM" wrote:
> >
> > >
> > > More information would help you get a response. What are the symptoms?
> > > error messages? What have you tried already?
> > >
> > >
> > > "dkcracing" <dkcracing@discussions.microsoft.com> wrote in message
> > > news:34DF70A5-E8AD-43FC-8953-4D6464FCDF03@microsoft.com...
> > > > I can't seem to shake the hijacker.. any clues??
> > >
> > >
> > >
>
>
>