Jump to content


having a problem

  • Please log in to reply
1 reply to this topic

#1 splinter



  • New Member
  • Pip
  • 2 posts

Posted 30 June 2004 - 02:51 PM

My browser has been hijacked. A "pop up" usually comes up after the browser opens (with animated catipillars "doing the deed") telling me spyware viruses are using my computer for replication. Spybot search & destroy finds nothing. Ad-aware finds 7 problems and after I remove them & restart, ad-aware just finds them again. Norton anti-virus auto protect is off and I cant enable it and E-mail scanning shows an error. Hijackthis values are listed below. can someone please give me advise.

Logfile of HijackThis v1.97.7
Scan saved at 3:34:31 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\luqvg.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://luqvg.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://luqvg.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\luqvg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://luqvg.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\luqvg.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://google.com
O2 - BHO: (no name) - {D80CB790-5F03-3A01-0AE8-D0663537CB6F} - C:\WINDOWS\system32\mstt32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mfcyl.exe] C:\WINDOWS\mfcyl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7609.4434722222
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 stockkbroker


    Advanced Member

  • Helper
  • PipPipPip
  • 102 posts

Posted 02 July 2004 - 08:55 AM

Have you have rebooted your computer since you posted this log? You have to repost a fresh HijackThis log if you did.

Alternative Browser
This paticular variant that you are infected with is very hard to get rid of. In the interim, download an alternative browser and do not start Internet Exlorer again until the hijack problem is resolved.

http://www.mozilla.org/download.html <= Follow the link to download and install Mozilla FireFox

Edited by stockkbroker, 02 July 2004 - 09:00 AM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!