Has your browser been hijacked?

PA Bear

Dealing with Hijackware
http://mvps.org/winhelp2002/unwanted.htm
http://www.mvps.org/inetexplorer/Darnit.htm#tshoot

These days most of us are recommending HijackThis to identify and assist in
the removal of these bad guys. Post your files to the forum mentioned on
the first URL above.

If you cannot access the page to download HijackThis, use this link:
http://216.180.252.218/~spywareinfo.com/downloads/tools/hijackthis.zip

If you find you need CoolWebSearch Shredder, use this link:
http://216.180.252.218/~spywareinfo.com/downloads/tools/cwshredder.zip
(Get a fresh copy of CWS Shredder before each use. It's updated
frequently.)

Update your virus definitions and then run a full system scan. From now on,
do both daily.
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com
AH-VSOP
http://forum.aumha.org/
 
Hi,
I am following your steps re: Dealing with Hijackware. I
have a silly question...when removing Root Certification
Authorities and Publishers, how do I know which
are "unknown"?
Thanx
 
Hi,
Copied are the contents of my HijackThis log. I would
appreciate advice on what should be removed.

Thank you
Michelle

Logfile of HijackThis v1.97.3
Scan saved at 10:36:55 PM, on 10/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\primesoft\safesearch\safesearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canada.com/vancouver/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca3.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca.yahoo.com
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\safesearch.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SafeSearch - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\safesearch.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02607DF4-D40B-4FFB-B054-1CAC03468E28} (DNLCertificate Control) - http://www.fmn-media.com/campaigns/winpl/sites/pops/A001/DNLCertificate.ocx
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19dac9aa83238ad34e01/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37893.9109722222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download/FastSeekerSetup.cab
 
Hi Michelle - This isn't really the best forum to post this to. You kinda
need to know what the parasite(s) is/are before you can do much about fixing
them except to apply some general tools like AdAware and/or SpyBot S&D (see
below). Here's what you need to do (part of which you've already gotten
to):

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click
the Config button, then Misc Tools and click on Generate StartupList.log
which will create Startuplist.txt

Go to Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files into a message asking for assistance.
Someone will answer with detailed instructions for the removal of your
parasite(s).



For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
Update and run this regularly to get rid of most "spyware/hijackware" on
your machine. If it has to fix things, be sure to re-boot and rerun
AdAware again and repeat this cycle until you get a clean scan. The reason
is that it may have to remove things which are currently "in use" before it
can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy,
available here: http://security.kolla.de/
SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others.


Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm


Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.

See if any of this helps and post back with your results.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 
As Jim Byrd points out (and I did, too):

Among the suspicious listings are:
c:\program files\primesoft\safesearch\safesearch.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\safesearch.dll
O3 - Toolbar: SafeSearch - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\safesearch.dll
O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe
[above grouped together for this reply]
http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
[not necessarily spyware (opinions vary) but Yahoo Companion toolbar *can*
interfere with IE and Windows]
[aka HuntBar; see http://www.doxdesk.com/parasite/HuntBar.html ]

Further observations:

I see you have both Ad-Aware and Spybot installed. Do you know that you
must always seek updates for both of these before each and every use, even
"right out of the box"? The same goes for HijackThis (though finding the
Update button is fairly difficult).

Do you use Netscape as well as IE? If not, you have no need for QuickTime.
If you do, it's not necessary to have QuickTime load at startup.

Again, post to http://forums.spywareinfo.com/. Several MS MVPs "hang out"
there and reply to posts.
--
~PA Bear
 
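As an added illustration (this is not code from the thread, nor part of HijackThis itself): a small Python script that does what the reply above does by hand. It parses HijackThis-style log lines, groups entries that point at the same program name across the running-process list, the BHO (O2), toolbar (O3) and Run-key (O4) sections, and separately lists entries whose file is already gone. The sample lines are an excerpt constructed from the log posted earlier in the thread; the section/target parsing rules and the "same file stem" grouping heuristic are my own assumptions about the log format, not documented HijackThis behaviour.

```python
"""Triage helper for HijackThis-style logs (added example, not project code).

Idea: a hijacker rarely shows up in only one place. In the log above the
SafeSearch/HuntBar component is a running process, an O2 BHO, an O3 toolbar
and an O4 Run key. Grouping entries by the file name they point at makes that
cluster visible at a glance, which is how the replies in the thread spotted it.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class Entry(NamedTuple):
    section: str            # "PROC" for a running process, else the tag (R0, O2, O4, ...)
    raw: str                # the original log line
    target: Optional[str]   # lower-cased file path or URL the entry points at, if any


# Constructed sample: an excerpt of the log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
c:\program files\primesoft\safesearch\safesearch.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canada.com/vancouver/
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\safesearch.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O3 - Toolbar: SafeSearch - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\safesearch.dll
O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download/FastSeekerSetup.cab
"""

SECTION_RE = re.compile(r'^(R\d|F\d|N\d|O\d+) - (.*)$')
MISSING_RE = re.compile(r'\((?:file missing|no file)\)', re.I)
# First token that ends in a common executable/control extension (assumed list).
EXT_RE = re.compile(r'^(.*?\.(?:exe|dll|ocx|cab|com|scr|lnk))(?=\s|$)', re.I)


def _extract_target(section: str, body: str) -> Optional[str]:
    """Pull out the file or URL an entry points at (heuristic, per section)."""
    body = MISSING_RE.sub('', body).strip()
    if section.startswith('R'):
        # R0/R1 carry "key = value"; R3 with "(no file)" has no target.
        return body.split(' = ', 1)[1].strip().lower() if ' = ' in body else None
    if section == 'O4':
        # O4 - HKLM\..\Run: [Name] "C:\path\x.exe" /args   or   Global Startup: x.lnk = C:\path\x.exe
        m = re.search(r'\]\s*(.*)$', body) or re.search(r'=\s*(.*)$', body)
        if not m:
            return None
        cmd = m.group(1).strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0].lower()
        m2 = EXT_RE.match(cmd)
        return (m2.group(1) if m2 else cmd.split()[0]).lower()
    # O2, O3, O16 and similar: the target is the last " - " separated field.
    last = body.rsplit(' - ', 1)[-1].strip()
    return last.lower() if last else None


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False
            continue
        if line.lower().startswith('running processes:'):
            in_procs = True
            continue
        m = SECTION_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group(1), line, _extract_target(m.group(1), m.group(2))))
        elif in_procs:
            entries.append(Entry('PROC', line, line.lower()))
    return entries


def _stem(target: str) -> Optional[str]:
    """File name without directory and extension: 'safesearch' for both
    safesearch.exe and safesearch.dll. This is the by-eye heuristic the replies use."""
    name = re.split(r'[\\/]', target)[-1].split('?', 1)[0]
    return (name.rsplit('.', 1)[0] if '.' in name else name) or None


def group_by_stem(entries: List[Entry]) -> Dict[str, List[Entry]]:
    groups: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        stem = _stem(e.target) if e.target else None
        if stem:
            groups[stem].append(e)
    return dict(groups)


def find_correlated(entries: List[Entry], min_sections: int = 2) -> Dict[str, Set[str]]:
    """Stems present in at least `min_sections` distinct log sections."""
    return {stem: secs for stem, grp in group_by_stem(entries).items()
            if len(secs := {e.section for e in grp}) >= min_sections}


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose file no longer exists: harmless clutter, safe to clean up."""
    return [e for e in entries if MISSING_RE.search(e.raw)]


if __name__ == '__main__':
    ents = parse_log(SAMPLE_LOG)
    for stem, sections in find_correlated(ents).items():
        print(f"{stem}: present in {sorted(sections)}")
    for e in orphaned(ents):
        print("orphaned:", e.raw)
```

Run against the sample, the only stem seen in more than one section is safesearch (process, O2, O3 and O4), which is exactly the cluster flagged in the reply; the R3 hook and the stale Acrobat BHO come out as orphans. The stem grouping is deliberately loose (it would also link an unrelated foo.exe and foo.dll), so treat its output as a shortlist for the judgement call the thread describes, not as a verdict.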