Browser Hijacked & Notepad not working


5 replies to this topic

#1 virgin_paul (New Member, 4 posts)

Posted 08 July 2004 - 01:27 PM

I've tried Spybot, Ad-Aware, CWShredder, HijackThis, but cannot seem to shift whatever is trying to hijack my browser.
Win XP Pro SP1a - all critical updates on board, I have Norton A/V and ZoneAlarm

I have Browser Hijack Blaster installed, and it gives repeated alerts of my homepage being changed and a BHO installed. It stops them doing their dastardly deeds, but is really frustrating - help

I cannot open the hijackthis.log file as my notepad.exe does not appear to be working (in the Windows dir, I have a notepad.exe and a notepad.exe.bak!)

The following is log file after running all the above s/ware:-

Logfile of HijackThis v1.97.7
Scan saved at 19:14:08, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\BITWARE\NT\bwprnmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\lotus\wordpro\ltsstart.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Software Updates\Anti - hijack & spyware\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net Limited
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Browser Hijack Blaster (no splash).lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://*.microsoft.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B75E8257-C952-465D-98DC-A451F283E2BA}: NameServer = 194.168.4.100 194.168.8.100

Any help how to get this off my PC would be greatly appreciated.

Paul Lane
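As an added example (not part of this thread, and not HijackThis's own logic), the parser below reads log lines in the HijackThis v1.97 format posted above, groups them by section and lists the entries a helper normally checks first: unnamed BHOs (O2), startup items whose target could not be resolved (O4), downloaded ActiveX controls (O16) and the DNS servers in O17. The sample lines are constructed from entries in the log, and the triage rules are simple heuristics of my own.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log format used in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Exif Launcher.lnk = ?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B75E8257-C952-465D-98DC-A451F283E2BA}: NameServer = 194.168.4.100 194.168.8.100
"""

# Every entry line starts with a section id (R0, R1, O2, O4, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Map each section id (e.g. 'O4') to the list of entry bodies found in that section."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return dict(entries)


def nameservers(entries):
    """Return the DNS server addresses from O17 lines (a setting hijackers sometimes rewrite)."""
    servers = []
    for body in entries.get("O17", []):
        _, _, value = body.partition("NameServer = ")
        servers.extend(value.split())
    return servers


def triage(entries):
    """Return (section, reason, detail) notes for the items worth a manual look. Heuristics only."""
    notes = []
    for body in entries.get("O2", []):
        if body.startswith("BHO: (no name)"):
            notes.append(("O2", "unnamed BHO; identify the DLL and CLSID", body))
    for body in entries.get("O4", []):
        if body.endswith("= ?"):
            notes.append(("O4", "startup item whose target could not be resolved", body))
    for body in entries.get("O16", []):
        notes.append(("O16", "downloaded ActiveX control; confirm the source is expected", body))
    for server in nameservers(entries):
        notes.append(("O17", "DNS server; confirm it belongs to your ISP", server))
    return notes


if __name__ == "__main__":
    for section, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{section}: {reason} -> {detail}")
```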

#2 virgin_paul (New Member, 4 posts)

Posted 09 July 2004 - 11:22 AM

Think I may finally have solved this using sphjfix.exe that someone on here mentioned.

The only thing is that my Notepad still doesn't work - but clicking on its application does not set ZoneAlarm off saying that it is trying to connect to the internet.

I've now loaded IE-SPYAD to reduce the chances of re-infection.

If someone does get around to looking at my log file (I've seen how busy you all are) and sees anything of concern, I'd be grateful for any help.
Thanks
Paul

#3 virgin_paul (New Member, 4 posts)

Posted 12 July 2004 - 05:13 AM

Bump

#4 terryb (Full Member, 51 posts)

Posted 12 July 2004 - 02:14 PM

At a quick glance, I didn't see any virus threat in the log file. But, to be safe, re-scan with your anti-virus tools to be sure the problem is gone... then...

About repairing Notepad, you may want to see the other posts in this same forum. You need a copy of notepad.exe in the Windows dllcache and in Windows system32 for it to open properly. Try copying/pasting it into these folders if it is elsewhere. (If your notepad.exe is corrupt, then you'll need to either run your SFC tool to retrieve it or download a new copy from www.spywareinfo.com/~merijn, in the downloads section.)

Unfortunately, Notepad is one of the Windows files that often gets attacked by trojans, viruses, etc. And the trojans replace them with even more trojans.

#5 virgin_paul (New Member, 4 posts)

Posted 13 July 2004 - 08:45 AM

Terry,
I have managed to fix Notepad - the app icon on the start bar had lost its "connection" with the notepad.exe file, which appears to have been fully restored by sphjfix.exe.
It now runs fine.
I have updated and re-run Norton and no threats were found.

Now when I am browsing, IE-SPYAD seems to be doing its stuff. I have also made the following recommended changes to my set-up:
IE settings:

.NET Framework-reliant components
run components not signed - disable
run components signed - prompt

ActiveX controls & plug-ins
download signed - prompt
download unsigned - disable
initialize and script ActiveX not marked as safe - disable
run ActiveX controls & plug-ins - enable
script ActiveX controls marked safe - prompt

Misc.
access data sources across domains - disable
drag & drop or copy... - prompt
installation of desktop items - prompt
launching programs and files in an IFRAME - prompt
navigate sub-frames across different domains - prompt
software channel permissions (high safety)
userdata persistence (disable)

Scripting
allow paste ops via script - prompt
scripting of Java applets - prompt

I have removed MS Java and installed Sun Java (and enabled it to work with IE).

I just have to disable the "preview" pane in OE and I think I am there!

Many many thanks for your help.
Paul D Lane

#6 terryb (Full Member, 51 posts)

Posted 13 July 2004 - 01:59 PM

Sounds like you got everything under control; I'm glad!
