
My home page has been hijacked ..



#1 Cardinal23


Posted 03 July 2004 - 08:00 PM

Logfile of HijackThis v1.97.7
Scan saved at 8:55:44 PM, on 7/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\WINDOWS\chrgUtil.exe
C:\Program Files\Common Files\ExpressLink\REMINDER.EXE
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\ExpressLink Web Accelerator\ExpressLink.exe
C:\Program Files\Jetico\BestCrypt\BCResident.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Google\ggviewer81-91.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Downloads\MalWare defenses\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - DF
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [\\DFESOFTWARE\EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P37 "\\DFESOFTWARE\EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [\\DFESOFTWARE\EPSON Stylus C84 Series,1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P39 "\\DFESOFTWARE\EPSON Stylus C84 Series,1" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [USB Charger Utility] chrgUtil.exe
O4 - HKLM\..\Run: [ExpressLinkReminder] "C:\Program Files\Common Files\ExpressLink\REMINDER.EXE" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: MailWasher.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Program Files\Jetico\BestCrypt\BestCrypt.exe
O4 - Global Startup: ExpressLink Web Accelerator.lnk = C:\Program Files\ExpressLink Web Accelerator\ExpressLink.exe
O4 - Global Startup: Map_FG_Drives.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: subst_O_P_Drives.bat
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ExpressLink Web Accelerator\ExpressLink.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ExpressLink Web Accelerator\ExpressLink.exe/227
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Unknown file in Winsock LSP: c:\progra~1\expres~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\expres~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\expres~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\expres~1\sliplsp.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1083627696785
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meethere.web...bex/ieatgpc.cab

#2 cnm


Posted 04 July 2004 - 10:39 AM

Cardinal23,

Are all these open threads of yours for the same PC?

We need you to have just one open thread. Hit ADD REPLY, not NEW TOPIC.

Which of these may we close? Or should we merge them all together?

Please evaluate this HijackThis log
BHO is hijacking my home-page
Can't check 'Enable 3rd-party browser extensions'
I need help. Here's my HijackThis log file.

See the large notice at the top of this forum Please stay with your original topic when posting follow up log files.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#3 Cardinal23


Posted 04 July 2004 - 11:01 AM

At this point, I think it would be best to close them all.
They were actually for 2 separate incidents.
Your FAQ says to "Click Here" if your post hasn't been responded to in 24 hours. That "Click Here" link was not working. (I understand this is a volunteer-powered site and is incredibly busy)
Perhaps, in closing, you can direct me to an article that tells me how to process my own HijackThis log.
Best regards and thank you. David

#4 Cardinal23


Posted 04 July 2004 - 11:03 AM

More correctly, they were for 2 different computers.
In the future, I will think: "One thread per computer".
But yes, delete them all.
I understand that your site is quite busy. I had been operating under the assumption that "a post would be responded to within 24 hours or it would never be responded to." Is that correct?
Thanks.

#5 cnm


Posted 04 July 2004 - 11:14 AM

I understand that your site is quite busy.  I had been operating under the assumption that "a post would be responded to within 24 hours or it would never be responded to."  Is that correct?
Thanks.

No - our intention is to get around to all of them eventually.

That link was maintained by a Trusted Advisor who went on vacation and I guess deleted his topic.

Your other threads closed as requested.

See Pinned: Analyze your own HijackThis log



#6 Cardinal23


Posted 04 July 2004 - 11:31 AM

I know you are extremely busy, but please allow me to make one statement.
I've been "in computers" since 1981. I make my living doing programming, consulting, and tech support. As corny as it sounds, it brings tears to my eyes when I personally evaluate the service you techno-warriors donate.

I maintain "for every asshole there are several good people".

I have been trying to make a donation but I can't. That link doesn't work.

Earlier someone asked me to join the team of "answerers". I'm thinking about it. That is a lot of responsibility! But, I'm thinking about it - of course, you guys would have to want me, even if I agreed to try.

Thank you, thank you, thank you.

David

#7 cnm


Posted 04 July 2004 - 11:50 AM

Earlier someone asked me to join the team of "answerers".  I'm thinking about it.  That is a lot of responsibility!  But, I'm thinking about it - of course, you guys would have to want me, even if I agreed to try.

All are welcome, Cardinal23.
No obligations whatever if you choose to just lurk in Boot Camp and not continue with the training...
http://www.spywarein...hp?showtopic=34

Re donation - Mike thought he fixed that?
http://www.spywarein...indpost&p=47134



#8 Cardinal23


Posted 04 July 2004 - 12:39 PM

Nope. Still can't donate.
Are there people / organizations who are determined to kill this site? I would not be surprised to learn there were. Some people seem to go to great lengths to impose their immoral plans on the innocent.



