
Problem removing hitpointer hijack


  • This topic is locked
4 replies to this topic

#1 richard.brown (New Member, 3 posts)

Posted 30 June 2004 - 11:53 AM

Hi

I've run ad aware, spybot and moosoft to try and get rid of the following problem without any success. A friend of mine directed me to this site.

The problem: Each time I enter an invalid URL my browser pops up the following page http://www.hitpointe...ssredir/gb.html

I just can't seem to get rid of this. I've looked at the FAQ and started my way through the Hijack article. I now have a log but am unsure what I should or shouldn't remove. Please can someone advise me, and also reassure me that this will be OK.

I've also noticed (and I think this is since I've run moosoft) that when I log in I get a couple of error dialogs saying that something in system32 is missing. I'm not sure I have the full message now as I'm already logged in. I'm assuming something has been removed by one of these programs that is now causing problems. Any suggestions?

Richard

#2 richard.brown (New Member, 3 posts)

Posted 30 June 2004 - 11:58 AM

This is my log. I assume I use cut and paste as I can't seem to find an attach file entry. Sorry if I've done this wrong.

Logfile of HijackThis v1.97.7
Scan saved at 17:55:33, on 30/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\rit\cron\cron.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\tardisnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\winnt\system32\sncntr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\winnt\system32\kpslcvak.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\winnt\system32\qsearch.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
\Brown-r-5\HomePC\BROWNF~1\Richard and Kim\System\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.core.hp.com;*.corp.hp.com;*.cup.hp.com;<local>
F1 - win.ini: run=c:\winnt\system32\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AccessRampMonitor] C:\WINNT\Intuit\Shared\ARMon32.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [sncntr] c:\winnt\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [KPSLCVAK] c:\winnt\system32\kpslcvak.exe /install
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [QSearch] c:\winnt\system32\qsearch.exe /install
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SAproxy.lnk = C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} (IEplugin Class) - http://www.japanese-...c/IE_plugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CAC2966-E307-44A0-BC55-398A7A8B2CB7}: NameServer = 15.203.128.26,15.195.224.26
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CAC2966-E307-44A0-BC55-398A7A8B2CB7}: NameServer = 15.203.128.26,15.195.224.26

#3 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 30 June 2004 - 01:54 PM

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy

F1 - win.ini: run=c:\winnt\system32\

O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [sncntr] c:\winnt\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [KPSLCVAK] c:\winnt\system32\kpslcvak.exe /install
O4 - HKLM\..\Run: [QSearch] c:\winnt\system32\qsearch.exe /install

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com

O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} (IEplugin Class) - http://www.japanese-...c/IE_plugin.cab

Reboot and delete the following files:

adiras.exe
c:\winnt\system32\sncntr.exe
c:\winnt\system32\kpslcvak.exe
c:\winnt\system32\qsearch.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 richard.brown (New Member, 3 posts)

Posted 30 June 2004 - 02:48 PM

Thank you, thank you, thank you - that got rid of it.

Here's the new log. I realise that I missed one of the entries you suggested for deletion - the adiras.exe. Should I do it again and remove it, or leave well alone given that things seem OK now?

Logfile of HijackThis v1.97.7
Scan saved at 20:45:28, on 30/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\rit\cron\cron.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\tardisnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
\Brown-r-5\HomePC\BROWNF~1\Richard and Kim\System\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.atl.hp.com;*.core.hp.com;*.corp.hp.com;*.cup.hp.com;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AccessRampMonitor] C:\WINNT\Intuit\Shared\ARMon32.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SAproxy.lnk = C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CAC2966-E307-44A0-BC55-398A7A8B2CB7}: NameServer = 15.203.128.26,15.195.224.26
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CAC2966-E307-44A0-BC55-398A7A8B2CB7}: NameServer = 15.203.128.26,15.195.224.26

#5 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 30 June 2004 - 05:43 PM

It would be as well to run HijackThis again, and fix that line.
Apart from that, it's a clean log. Well done.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Glad to help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
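The triage dave38 does in reply #3 (pick the entry types to fix, then check a follow-up log) as an added example in Python; this is not code from the thread or from HijackThis. It parses the Rx/Fx/Ox lines of a log, applies a small rule set modelled on the entries flagged above (F1 win.ini run=, R1 AutoConfigURL, O6 policies, O15 Trusted Zone, and O4 Run entries that are a bare filename or an unrecognised executable directly in system32), then diffs a before/after pair to show what was removed and what is still listed. The two embedded logs are constructed subsets of the logs posted in this thread; the KNOWN_OK allow-list and the rules are this example's own heuristics, not HijackThis logic.

```python
"""Added example (not from this thread or HijackThis): triage the Rx/Fx/Ox
entries of a HijackThis v1.9x log and diff a before/after pair. The embedded
logs are constructed subsets of the thread's logs; the rules are heuristics."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")          # "O4 - ..."
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$")   # "[name] cmd"
SYSTEM32_RE = re.compile(r"^[a-z]:\\winnt\\system32\\[^\\]+$", re.I)  # directly in system32
# Constructed allow-list of Windows-own Run entries that appear as a bare filename.
KNOWN_OK = {"mobsync.exe", "internat.exe"}


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "F1", "O4", "O15", ...
    detail: str   # everything after "O4 - "


def parse_log(text: str) -> List[Entry]:
    """Keep only the entry lines; the header and process list are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def exe_of(command: str) -> str:
    """First token of a Run command, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def why_suspicious(e: Entry) -> Optional[str]:
    """Reason string if the entry trips a triage rule, else None."""
    d = e.detail
    if e.section == "F1" and "run=" in d.lower():
        return "win.ini run= is normally empty; anything here autostarts"
    if e.section == "R1" and "AutoConfigURL" in d:
        return "proxy auto-config script can reroute every browser request"
    if e.section == "O6":
        return "IE policy restriction present that the user did not set"
    if e.section == "O15":
        return "Trusted Zone entry lowers IE security for that site"
    if e.section == "O4" and (m := RUN_RE.match(d)):
        exe = exe_of(m.group(1))
        if exe.rsplit("\\", 1)[-1].lower() in KNOWN_OK:
            return None
        if "\\" not in exe:
            return "Run entry is a bare filename; the binary cannot be located"
        if SYSTEM32_RE.match(exe):
            return "unrecognised executable dropped directly into system32"
    return None


def triage(before: str, after: str) -> Dict[str, object]:
    """Flag entries in the first log, then check the second log against them."""
    first, second = parse_log(before), parse_log(after)
    flagged = {e: r for e in first if (r := why_suspicious(e))}
    present = set(second)
    return {
        "flagged": flagged,
        "removed": [e for e in first if e not in present],
        "leftover": [e for e in second if e in flagged],
    }


# Constructed sample: a subset of the first log posted in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
F1 - win.ini: run=c:\winnt\system32\
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [sncntr] c:\winnt\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [KPSLCVAK] c:\winnt\system32\kpslcvak.exe /install
O4 - HKLM\..\Run: [QSearch] c:\winnt\system32\qsearch.exe /install
O4 - HKCU\..\Run: [internat.exe] internat.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://ie.config.eur.compaq.com
"""

# Constructed sample: the same machine after the fixes, with adiras.exe missed.
AFTER_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

if __name__ == "__main__":
    result = triage(BEFORE_LOG, AFTER_LOG)
    for entry, reason in result["flagged"].items():
        print(f"FIX   {entry.section} - {entry.detail}\n      ({reason})")
    for entry in result["leftover"]:
        print(f"STILL {entry.section} - {entry.detail}")
```

Run as a script it lists the eight entries to fix from the first log and the one still present in the second (the adiras.exe Run entry that reply #5 asks to go back for). The O16 DPF entry also flagged in reply #3 is deliberately left out of the rule set: deciding whether a download site is a legitimate vendor needs knowledge of that vendor, not a string match, so it stays a manual call.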
