Hijacked! Please help



#1 mkapp


Posted 24 July 2004 - 06:28 PM

In Add/Remove I have the following entries that I cannot remove:
Home Search Assistent; Shopping Wizard; and Search Extender

I have tried to remove them, ran Adaware 6, and about:buster. Here is my HijackThis log. Thanks for your help in advance.

Logfile of HijackThis v1.98.0
Scan saved at 4:27:34 PM, on 7/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\iezh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\atlxn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kapp\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\flyve.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://flyve.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://flyve.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\flyve.dll/sp.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\flyve.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://flyve.dll/index.html#26512
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} - C:\WINDOWS\system32\atlwp32.dll
O4 - HKLM\..\Run: [iezh.exe] C:\WINDOWS\system32\iezh.exe
O4 - HKLM\..\RunOnce: [atlxn32.exe] C:\WINDOWS\atlxn32.exe
O4 - HKLM\..\RunOnce: [sdker32.exe] C:\WINDOWS\system32\sdker32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab

#2 12g


Posted 25 July 2004 - 09:19 AM

Hi there,

Please do this first;

Download About:Buster;

Here

Unzip it to your desktop. DO NOT RUN IT YET!!

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';


O2 - BHO: (no name) - {D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} - C:\WINDOWS\system32\atlwp32.dll

O4 - HKLM\..\Run: [iezh.exe] C:\WINDOWS\system32\iezh.exe
O4 - HKLM\..\RunOnce: [atlxn32.exe] C:\WINDOWS\atlxn32.exe
O4 - HKLM\..\RunOnce: [sdker32.exe] C:\WINDOWS\system32\sdker32.exe


Close HijackThis

Reboot into safe mode

Open About:Buster

Hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done save the report. Post the report and a new HijackThis log here.
Before you run HJT, do this;

You are running HijackThis from your desktop; this is not a good idea because when we do a fix, HijackThis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar) like this C:\HJT\HijackThis.exe. Then extract HijackThis into the folder you have created and run it from there. When you have done that, delete the copy of HijackThis that you have on your desktop.

Edited by 12g, 25 July 2004 - 09:22 AM.
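
An added example, not part of the thread and not HijackThis's own logic: a small Python triage pass over HijackThis-style entry lines that surfaces the kinds of entries selected in the reply above (an unnamed BHO, autorun executables sitting directly in the Windows directory) plus the `res://` page settings. The sample input is a constructed subset of the posted log, and the three heuristics and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the entry lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\flyve.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://flyve.dll/index.html#26512
O2 - BHO: (no name) - {D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} - C:\WINDOWS\system32\atlwp32.dll
O4 - HKLM\..\Run: [iezh.exe] C:\WINDOWS\system32\iezh.exe
O4 - HKLM\..\RunOnce: [atlxn32.exe] C:\WINDOWS\atlxn32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Hypothetical triage heuristics (assumptions, not taken from HijackThis):
RES_DLL = re.compile(r"= res://.*\.dll/", re.I)
RUN_KEY = re.compile(r"^HK(LM|CU)\\\.\.\\Run(Once)?: \[[^\]]*\] \"?(?P<path>[^\"]+?\.exe)", re.I)
WIN_DIR = re.compile(r"^C:\\WINDOWS\\(system32\\)?[^\\]+$", re.I)

def parse(log):
    """Yield (code, body) for each entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def triage(log):
    """Return [(code, body, reason)] for entries that deserve a manual look."""
    hits = []
    for code, body in parse(log):
        if code in ("R0", "R1") and RES_DLL.search(body):
            hits.append((code, body, "IE page setting served from a local DLL resource"))
        elif code == "O2" and "(no name)" in body:
            hits.append((code, body, "unnamed Browser Helper Object"))
        elif code == "O4":
            m = RUN_KEY.match(body)
            if m and WIN_DIR.match(m.group("path")):
                hits.append((code, body, "autorun executable directly under the Windows directory"))
    return hits
```

A hit is only a prompt for review; legitimate software can match these patterns, so each flagged entry still needs to be checked by someone who knows the machine.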




