Hijacked browser

This topic is locked
1 reply to this topic

#1 rmcd

Posted 19 July 2004 - 12:36 PM

Hello;

My father-in-law's browser has been hijacked. I've run the rest of the tools recommended by the likes of PC Mag (CWSweeper, SpyBot, etc). But this hijack remains. I can't figure it out.

HijackThis produced the following log. I'm pretty sure the R0 and R1 lines aren't good, but even if I remove them they come back. Any hints would be greatly appreciated.

Regards
rmcd


#2 rmcd

Posted 19 July 2004 - 12:46 PM

I just saw a post from a while ago that posting the log is better than attaching it. Apologies for not checking far enough back. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 8:55:30 PM, on 17/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\appmk32.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\SKDAEMON.EXE
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\Pelmiced.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ntel32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\System32\SKSMAILD.EXE
C:\Documents and Settings\ted&barb\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kzxwn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzxwn.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzxwn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kzxwn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kzxwn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kzxwn.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F6CADC70-0562-1D32-3A39-D02B2793207F} - C:\WINDOWS\mslw32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ntel32.exe] C:\WINDOWS\system32\ntel32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [d3cq.exe] C:\WINDOWS\d3cq.exe
O4 - HKLM\..\RunOnce: [appmk32.exe] C:\WINDOWS\appmk32.exe
O4 - HKLM\..\RunOnce: [ipmv32.exe] C:\WINDOWS\system32\ipmv32.exe
O4 - HKLM\..\RunOnce: [atlrx.exe] C:\WINDOWS\atlrx.exe
O4 - HKLM\..\RunOnce: [sysqp32.exe] C:\WINDOWS\sysqp32.exe
O4 - HKLM\..\RunOnce: [netsv.exe] C:\WINDOWS\system32\netsv.exe
O4 - HKLM\..\RunOnce: [ntfq.exe] C:\WINDOWS\ntfq.exe
O4 - HKLM\..\RunOnce: [mfcru.exe] C:\WINDOWS\mfcru.exe
O4 - HKLM\..\RunOnce: [d3hf32.exe] C:\WINDOWS\system32\d3hf32.exe
O4 - HKLM\..\RunOnce: [mfcaw32.exe] C:\WINDOWS\mfcaw32.exe
O4 - HKLM\..\RunOnce: [addgb32.exe] C:\WINDOWS\system32\addgb32.exe
O4 - HKLM\..\RunOnce: [addxq.exe] C:\WINDOWS\system32\addxq.exe
O4 - HKLM\..\RunOnce: [javawh.exe] C:\WINDOWS\javawh.exe
O4 - HKLM\..\RunOnce: [appaz32.exe] C:\WINDOWS\appaz32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
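A way to work through a HijackThis log like the one above is to parse it by section (R0/R1, O2, O4, ...) and look at every autostart entry together with the module the R lines point at, rather than deleting the R lines in isolation: a start page that returns after removal is being re-set by something that is still running or still starting at boot. The script below is an added example for this thread, not part of the original post or of HijackThis itself. It parses the log format, extracts each entry's target and applies a few simple review heuristics that are this example's own (they are not HijackThis rules): browser start/search pages set to a `res://` resource inside a local DLL, an unnamed BHO loaded from the Windows root, and RunOnce or Windows-root autostart entries. The embedded sample is a subset of the lines from the posted log.

```python
import re
from collections import Counter

# Subset of the HijackThis log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kzxwn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzxwn.dll/index.html#37049
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F6CADC70-0562-1D32-3A39-D02B2793207F} - C:\WINDOWS\mslw32.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ntel32.exe] C:\WINDOWS\system32\ntel32.exe
O4 - HKLM\..\RunOnce: [d3cq.exe] C:\WINDOWS\d3cq.exe
O4 - HKLM\..\RunOnce: [appmk32.exe] C:\WINDOWS\appmk32.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
"""

# Every HijackThis entry starts with a section code such as "R1", "O2", "O4".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A file sitting directly in the Windows root (C:\WINDOWS\name.exe), not in a subfolder.
WINDOWS_ROOT_RE = re.compile(r'^"?C:\\WINDOWS\\[^\\]+\.(exe|dll)\b', re.IGNORECASE)
# The DLL named in a res:// URL, with or without a leading drive path.
RES_MODULE_RE = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?([^/]+)/", re.IGNORECASE)


def target_of(section, body):
    """Return the file, command or URL an entry points at, per section layout."""
    if section.startswith("R") and " = " in body:    # Rn - key,value = data
        return body.split(" = ", 1)[1]
    if section == "O2" and " - " in body:            # O2 - BHO: name - {CLSID} - path
        return body.rsplit(" - ", 1)[1]
    if section == "O4":
        if "] " in body:                             # O4 - HKLM\..\Run: [name] command
            return body.split("] ", 1)[1]
        if " = " in body:                            # O4 - Global Startup: x.lnk = path
            return body.split(" = ", 1)[1]
    return body


def parse_hjt(text):
    """Parse a HijackThis log into dicts with section, body and extracted target."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, body = m.groups()
            entries.append({"section": section, "body": body,
                            "target": target_of(section, body)})
    return entries


def section_counts(entries):
    return Counter(e["section"] for e in entries)


def res_modules(entries):
    """DLLs referenced by res:// start/search pages, to correlate with autostarts."""
    mods = set()
    for e in entries:
        m = RES_MODULE_RE.search(e["target"])
        if e["section"].startswith("R") and m:
            mods.add(m.group(1).lower())
    return mods


def triage(entries):
    """Apply this example's review heuristics; returns (rule, body) pairs."""
    findings = []
    for e in entries:
        sec, body, target = e["section"], e["body"], e["target"]
        if sec in ("R0", "R1") and target.lower().startswith("res://"):
            findings.append(("res-protocol-homepage", body))
        elif sec == "O2" and body.startswith("BHO: (no name)") and WINDOWS_ROOT_RE.match(target):
            findings.append(("unnamed-bho-in-windows-root", body))
        elif sec == "O4" and "RunOnce" in body:
            findings.append(("runonce-autostart", body))
        elif sec == "O4" and WINDOWS_ROOT_RE.match(target):
            findings.append(("autostart-in-windows-root", body))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", dict(section_counts(parsed)))
    print("modules behind res:// pages:", sorted(res_modules(parsed)))
    for rule, body in triage(parsed):
        print(f"[{rule}] {body}")
```

Run against the full log in the post, the `res_modules` output names the DLL both R0 and R1 lines load their pages from, and the `triage` output lists every RunOnce entry alongside it, which is the set of items to review together before deciding what to remove. Anything not flagged by these heuristics (the Norton, HP and Nikon entries under Program Files, for example) is simply not matched by them; absence of a flag is not a clean verdict.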
