3 replies to this topic

#1 jenkahl



  • New Member
  • Pip
  • 3 posts

Posted 05 July 2004 - 11:26 PM

:wtf: Just got a brand new laptop a month ago. I'm running Windows XP with Service Pack 1 in NTFS format. I just had my first browser hijacking a couple of weeks ago. I thought all I needed to protect from this type of stuff was Norton AntiVirus. Yeah, right. In trying to remove this problem for the last two weeks I've learned that you need about 3 additional programs at the same time. Anyway, I've purchased and installed Xoftspy, and BHO Demon, CWShredder and HiJack This were freeware. The first time I ran BHO Demon it kept coming up with suspicious .dll files which I would delete and my browser would return to normal but as soon as I rebooted, a new suspicious .dll file would take its place. So far I've deleted gnona.dll, abna.dll, ljkgooa.dll, and eja.dll. I then ran Xoftspy and it found several things. All were detected and deleted with no trouble except for CWS.mrhop. It keeps coming back so obviously the infection is not being completely removed. My homepage is staying put now but if I type the name of a webpage that doesn't exist I again get redirected to http://s1di.d8t.biz/...x.php?aid=20038. The list of variants that Shredder checks for does not seem to include mrhop so it finds nothing and when I try to update the software, it says it can't connect to the server. I unplugged my computer from the internet and booted up in safe mode and used HiJack This to generate the following log. I have spent countless hours trying to remedy this myself now and I can't take it anymore. I should be spending time with my daughter, not with this mess. I know you guys probably have families too and feel the same way but I would appreciate any help you could offer. I wish countless atrocities and eternal doom upon the people who create these malicious codes.

Logfile of HijackThis v1.98.0
Scan saved at 10:40:20 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\Jennifer Kahl\My Documents\My Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\ScanSoft\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
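
Added example, not part of the original thread: a small Python parser for the HijackThis log format shown in the post above. It groups entries by section code, extracts any CLSID, and queues for manual review the entries HijackThis marked "(no file)". The function names and the `SECTIONS` descriptions are this example's own; a "(no file)" mark is a prompt for review, not a verdict.

```python
import re
from collections import Counter, defaultdict

# Section codes present in the log above and what HijackThis lists under each.
SECTIONS = {
    "R0": "IE start/search page value", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart entry",
    "O8": "IE context menu item", "O9": "IE extra button or Tools menu item",
    "O14": "IERESET.INF default", "O16": "downloaded ActiveX control (DPF)",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Return {section code: [entry dicts]} for every 'Xn - ...' line."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        clsid = CLSID.search(body)
        out[code].append({
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "no_file": body.endswith("(no file)"),
        })
    return dict(out)

def summarize(parsed):
    """Count entries per section, labelled with the section's meaning."""
    return Counter({SECTIONS.get(c, "unknown section"): len(es)
                    for c, es in parsed.items()})

def review_queue(parsed):
    """Entries for which HijackThis reported '(no file)'."""
    return [(c, e["body"]) for c, es in parsed.items()
            for e in es if e["no_file"]]

# Sample input: four lines copied from the log in the post above.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE)
    print(summarize(parsed))
    print(review_queue(parsed))
```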

#2 jenkahl



  • New Member
  • Pip
  • 3 posts

Posted 07 July 2004 - 12:34 PM

I don't want to be overly optimistic but I think I may be OK now. I've been reading multiple posts in your forum for weeks now that were full of potential fixes. I also found a tutorial for how to use HiJackThis that was very helpful because the program just looks like gibberish until you know what you're looking for. I uninstalled Xoftspy because apparently it's a fluke. I purchased and installed the full version of Adaware and updated to the most current version of Spybot. I also ran and installed some things like APM and hiving.bat. I learned how to take control of suspicious files and delete them. This whole process, although extremely irritating and time consuming, has turned out to be quite a learning experience. I will post again in a few days to say either all is well or it has returned. I don't want to post a happy smiley face because I'm afraid I might jinx myself.

#3 jenkahl



  • New Member
  • Pip
  • 3 posts

Posted 11 July 2004 - 12:05 PM

Well, it's been a week now and still no sign of re-infection. I feel happy :D using my computer again. Thank you to the people at SWI who maintain this website and help so many people!

#4 CEOn10ec



  • Full Member
  • Pip
  • 8 posts

Posted 16 July 2004 - 09:47 PM

Sounds like you deserve an applause
for researching and trouble-shooting the thing
on your own, too.
Way to go!
