• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
moedog97

Hijacked computer

4 posts in this topic

Hello-I have read the FAQ and followed all instructions. Yesterday, I ran spybot and after doing so, my browser worked fine. However, this morning when I loaded IE, I was again directed to a strange website and there is a strange toolbar at the top of my screen. I ran spybot again and it told me my computer is clean. Any help would be much appreciated.

 

Chuck

 

Below is my hijack this file:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:33:24 PM, on 7/29/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\WINDOWS\MMKeybd.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\WINDOWS\SYSTEM32\tbctray.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\America Online 8.0\aoltray.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\MSAC-FD1\MSSTAT.EXE

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\Program Files\Netropa\Traymon.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Documents and Settings\Chuck Carlson\My Documents\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://zqhphkgkllnmvh.com/Oynf_9OKh6rfndqX...10qIbDVs8c.html

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\CHUCKC~1\MYDOCU~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [title drv] C:\PROGRA~1\INSIDE64\creative open.exe

O4 - HKLM\..\Run: [user Save Close Bash] C:\Documents and Settings\All Users\Application Data\great move user save\Five Wait.exe

O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Global Startup: Memory Stick Monitor.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O15 - Trusted Zone: *.mercer.com

O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.stlu.com/plugins/Plugin0501.008...eetnoagent7.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083042388717

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/2303545fc19eaf8eec00/netzip/RdxIE.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://www.webex.com/client/webex/atbootie.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8011.8095486111

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://imbum.com/Imbum_bw.cab

O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://eroom.wwwhr.com/eroomsetup/client.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{31895F58-7B4C-448D-AF95-7AEBC3C0C291}: NameServer = 205.188.146.146

O17 - HKLM\System\CS1\Services\Tcpip\..\{31895F58-7B4C-448D-AF95-7AEBC3C0C291}: NameServer = 205.188.146.146

Share this post


Link to post
Share on other sites

Please download Lspfix

Unzip and run it. Check all instances of inetadpt.dll (and nothing else) , and move them to the "Remove" pane.

You will have to click the "I know what I'm doing" button.

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing. The items in Green are optional fixes.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://zqhphkgkllnmvh.com/Oynf_9OKh6rfndqX...10qIbDVs8c.html

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll

 

O4 - HKLM\..\Run: [title drv] C:\PROGRA~1\INSIDE64\creative open.exe

O4 - HKLM\..\Run: [user Save Close Bash] C:\Documents and Settings\All Users\Application Data\great move user save\Five Wait.exe

O15 - Trusted Zone: *.mercer.com

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/2303545fc19eaf8eec00/netzip/RdxIE.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://imbum.com/Imbum_bw.cab

Reboot and delete

 

files

C:\PROGRA~1\INSIDE64\creative open.exe

 

folders

C:\Documents and Settings\All Users\Application Data\great move user save

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

Share this post


Link to post
Share on other sites

Hello-Thank you very much for the help. I had to go into safe mode to delete the following:

 

c:\program~1\inside64\creative open.exe

 

and

 

c:\documents and settings\all users\application data\great move user save

 

but I was able to do so.

 

Here is my updated hijack this log:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:24:11 PM, on 7/29/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe

C:\WINDOWS\wanmpsvc.exe

C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\WINDOWS\MMKeybd.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\WINDOWS\SYSTEM32\tbctray.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\MSAC-FD1\MSSTAT.EXE

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\Program Files\Netropa\Traymon.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Chuck Carlson\My Documents\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.democracynow.org/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\CHUCKC~1\MYDOCU~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Global Startup: Memory Stick Monitor.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.stlu.com/plugins/Plugin0501.008...eetnoagent7.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083042388717

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8011.8095486111

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Thanks again!

 

Chuck

Share this post


Link to post
Share on other sites

There are two items in the running processes thit that should not be there

C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe

 

C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe

 

This is the Norton protected recycle bin, and nothing should be running from there.

As a double check, get an on line scan at either Housecall or Panda A/V, and let it fix everything it finds.

 

As I don't use Norton, I do not know how the protected recycle bin is emptied, but if you are uncertain, the Help file should tell you.

 

Please do that, and post an updated Hijack this log.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0