Home page still hijacked/Need help


3 replies to this topic

#1 franky1

franky1

    Member

  • Full Member
  • 9 posts

Posted 05 July 2004 - 09:06 PM

I still need help. Can somebody help or direct me to help, please?



I have erased some suspicious items from the registry log but my homepage continues to get hijacked and an unwanted toolbar opens on startup. I have run Spybot, HijackThis, CWSShredder, Browser Hijack Blaster and it still happens!! Here is my latest HijackThis log. Please help.

As an aside: my screen has color streaks, some websites like Spywareinfo take very long to load and I have a lot of popups, but I'm now using Pop up Stopper. At some point I had CWS and the shredder got it. A name I see a lot and don't know if it means anything is Allaboutsearching.


Logfile of HijackThis v1.98.0
Scan saved at 9:38:29 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HIDE2D~1\CoalCast.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\VIRUS PY BROWSER HIJACK\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\VIRUS PY BROWSER HIJACK\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...e.bellsouth.net
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\VIRUS PY BROWSER HIJACK\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: Voiceglo directory - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\WINDOWS\system\band.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

Edited by franky1, 07 July 2004 - 10:00 PM.


#2 CalamityJane

CalamityJane

    SWI Junkie

  • Emeritus
  • 313 posts

Posted 10 July 2004 - 07:31 PM

Hi franky1,

Thanks for being so patient :)

Make a copy of these instructions so you have them handy as the next steps need to be done in safe mode with IE closed.

Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

Scan with HijackThis and place a checkmark in the box next to this entry, then press *fix checked*

O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe

Stay in safe mode and delete this entire folder and its contents:

C:\PROGRAM FILES\HIDE2D <---name of folder begins with those letters and has this file inside: CoalCast.exe Delete the entire folder & contents

Reboot back into normal mode. Scan once more with HijackThis and post a new log please...tell us how your PC is acting now.
Microsoft MVP Windows-Security 2003-2009
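A check for the "scan once more with HijackThis and post a new log" step, as an added example that is not part of the original thread: it parses the O4 autostart lines of two HijackThis logs and reports whether the fixed entry is gone and whether any new autostart entry has appeared. The "before" lines are copied from the log in post #1; the "after" log, its placeholder entry and the function names are constructed for illustration.

```python
import re

# O4 lines in a HijackThis log are autostart entries, in two shapes:
#   O4 - HKLM\..\Run: [value name] command
#   O4 - Global Startup: shortcut.lnk = target
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
O4_LNK = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")

def parse_o4(log_text):
    """Map (location, name) -> command for every O4 line in a log."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            entries[(m.group(1) + "\\" + m.group(2), m.group(3))] = m.group(4)
            continue
        m = O4_LNK.match(line)
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3)
    return entries

def compare_logs(before, after, fixed_name):
    """Report what happened to the fixed entry and what is new after reboot."""
    old, new = parse_o4(before), parse_o4(after)
    return {
        "fixed_entry_gone": all(name != fixed_name for _, name in new),
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": sorted(k for k in new if k in old and new[k] != old[k]),
    }

# Lines copied from the HijackThis log in post #1.
BEFORE = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
"""

# Constructed "after" log: the fixed entry is gone, but a placeholder
# entry (not from the thread) stands in for a recreated autostart value.
AFTER = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [placeholder name] C:\PROGRA~1\PLACEH~1\Placeholder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
"""

if __name__ == "__main__":
    for key, value in compare_logs(BEFORE, AFTER, "cool amen").items():
        print(key, value)
```

A non-empty `added` list after a fix means something recreated an autostart entry, which is the thing to look for when a hijack keeps coming back.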

#3 Melissa30

Melissa30

    Member

  • Full Member
  • 14 posts

Posted 01 September 2004 - 10:03 PM

:alarm: HELP!! :blink:
Does this sound familiar to anyone?
My browser has been hijacked to "about:blank". I keep getting pop up ads from "Only The Best" and also from "Messenger Service". Every time I turn on my PC...it starts logging on to the internet on its own.
I have run
1. Ad-aware SE
2. About Buster
3. HijackThis
4. SpyBot
5. Spy Sweeper
6. My Norton w/ updates
and I keep having the same problem. I can't get rid of it!! :ugh:
I checked my Add/Remove Programs and found 3 things loaded onto my pc w/o my permission and on top of that, I cannot uninstall them. They are as follows:
1. Home Search Assistent
2. Shopping Wizard
3. Search Extender
Does anyone have detailed information that will help me uninstall these programs from my added programs list, have control of my browser and pc again and have them out of my life for good!
Please Help :dumb:

#4 CalamityJane

CalamityJane

    SWI Junkie

  • Emeritus
  • 313 posts

Posted 02 September 2004 - 05:39 AM

Hi Melissa,

Yes, that sounds familiar and we can help, however, please don't post your problem in someone else's thread. You need to start a new topic (see the big red letters instruction at the top of this forum) and post your HijackThis log.

DO NOT POST YOUR LOG FILE INTO SOMEONE ELSE'S TOPIC! START YOUR OWN


Microsoft MVP Windows-Security 2003-2009



