virgin_paul

Browser Hijacked & Notepad not working

6 posts in this topic

I've tried Spybot, Ad-Aware, CW shredder, HijackThis, but cannot seem to shift whatever is trying to hijack my browser.

win XP Pro sp1a - all critical updates on board, I have Norton a/v and Zone alarm

 

I have Browser Hijack Blaster installed, and it gives repeated alerts of my homepage being changed and a BHO installed. It stops them doing their dastardly deeds, but is really frustrating - help

 

I cannot open the hijackthis.log file as my notepad.exe does not appear to be working (in windows dir, I have a notepad.exe and a notepad.exe.bak !)

 

The following is log file after running all the above s/ware:-

 

Logfile of HijackThis v1.97.7

Scan saved at 19:14:08, on 08/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\BITWARE\NT\bwprnmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Browser Hijack Blaster\bhblaster.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\lotus\wordpro\ltsstart.exe

C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\System32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

D:\Software Updates\Anti - hijack & spyware\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net Limited

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Browser Hijack Blaster (no splash).lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Pinnacle Scheduler.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: RealGuide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O15 - Trusted Zone: http://*.microsoft.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B75E8257-C952-465D-98DC-A451F283E2BA}: NameServer = 194.168.4.100 194.168.8.100

 

Any help how to get this off my PC would be greatly appreciated.

 

Paul Lane :techsupport:


Think I may finally have solved this using sphjfix.exe that someone on here mentioned. :bounce:

 

The only thing is that my Notepad still doesn't work - but clicking on its application does not set zone alarm off saying that it is trying to connect to the internet. :wtf:

 

I've now loaded IE-SPYAD to reduce the chances of re-infection.

 

If someone does get around to looking at my log file (I've seen how busy you all are) and sees anything of concern, I'd be grateful for any help.

Thanks

Paul


At a quick glance, I didn't see any virus threat in the log file. But, to be safe, re-scan with your anti-virus tools to be sure the problem is gone... then...

About repairing notepad, you may want to see the other posts in this same forum. You need a copy of notepad.exe in windows dll cache and in windows system32 for it to open properly. Try copying/pasting it into these files if it is elsewhere. (If your notepad.exe is corrupt, then you'll need to either run your sfc tool to retrieve it or download a new copy from www.spywareinfo.com/~merijn, in the downloads section.)

Unfortunately, notepad is one of the windows files that often gets attacked by trojans, viruses, etc. And, the trojans replace them with even more trojans.

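A way to check the notepad.exe copies discussed in the reply above, as an added example that is not part of the original thread: it hashes each copy in the Windows directory, system32 and the dllcache folder under system32, plus the notepad.exe.bak the original poster found, and reports which are missing or differ. The function name `audit_notepad` and the `known_good` parameter are assumptions made for this example.

```python
import hashlib
from pathlib import Path

# Copies the reply says must exist (relative to the Windows directory).
REQUIRED = ["system32/notepad.exe", "system32/dllcache/notepad.exe"]
# Extra copies the original poster reported finding in the Windows directory.
OPTIONAL = ["notepad.exe", "notepad.exe.bak"]

def sha256_of(path):
    """Hash a file in chunks so it is never read into memory in one piece."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_notepad(windows_dir, known_good=None):
    """Group every notepad.exe copy by hash; report missing and differing copies.

    known_good is an optional SHA-256 of a trusted copy (assumption: taken
    from install media). Without it the result only shows whether the copies
    agree with each other, not whether they are clean, because a trojan can
    replace every copy, including the one in dllcache.
    """
    root = Path(windows_dir)
    by_hash, missing = {}, []
    for rel in REQUIRED + OPTIONAL:
        path = root / rel
        if path.is_file():
            by_hash.setdefault(sha256_of(path), []).append(rel)
        else:
            missing.append(rel)
    not_known_good = None
    if known_good is not None:
        not_known_good = sorted(
            rel for digest, rels in by_hash.items()
            if digest != known_good.lower() for rel in rels)
    return {
        "missing_required": [r for r in missing if r in REQUIRED],
        "missing_optional": [r for r in missing if r in OPTIONAL],
        "consistent": len(by_hash) == 1,  # at least one copy, all identical
        "not_known_good": not_known_good,
        "by_hash": by_hash,
    }

if __name__ == "__main__":
    import os, sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\Windows")
    print(audit_notepad(target))
```
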

terry

have managed to fix notepad - app icon on start bar had lost its "connection" with the notepad.exe file - which appears to have been fully restored by sphjfix.exe.

It now runs fine.

I have updated and re-run Norton and no threats found.

 

Now when I am browsing - IE-SPYAD seems to be doing its stuff - also I have made the following recommended changes to my set up:-

ie settings:

 

.NET framework reliant compts

run comps not signed - disable

run comps signed - prompt

 

Active X controls & plug ins

download signed - prompt

download unsigned - disable

initialize and script active x not marked as safe - disable

run active x controls & plug ins - enable

script active x controls marked safe - prompt

 

Misc.

access data sources across domains - disable

drag & drop or copy... - prompt

installation of desktop items - prompt

launching programs and files in an IFRAME - prompt

navigate sub-frames across different domains - prompt

software channel permissions (high safety)

userdata persistence (disable)

 

Scripting

allow paste ops via script - prompt

scripting of Java applets - prompt

 

I have removed MS Java and installed Sun Java (and enabled to work with ie)

 

I just have to disable the "preview" pane in OE and I think I am there!

 

Many many thanks for your help.

Paul D Lane
