Jump to content


Photo

Hijacker? dp.information.com


  • Please log in to reply
6 replies to this topic

#1 noratx

noratx

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 May 2004 - 03:18 AM

I don't know if this is a hijacker, but it sure is annoying.

Wen i typing a URL that dosn't exist, i'll be redirected to dp.information.com.

I've been trying detect it with pestpartol, adaware and Hijackthis, but the programs doesn't detect this.

How do i get rid of this?

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 25 May 2004 - 03:21 AM

Hi,
Download "Hijack This!"
http://www.spywarein.../hijackthis.zip

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")

Copy and Paste the entire log into your next post.

Note: do not attempt to "Fix" anything, as we need to see the entire log.
Also if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 noratx

noratx

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 May 2004 - 07:34 AM

Ok.

Her's my log.

Logfile of HijackThis v1.97.7
Scan saved at 14:32:53, on 2004-05-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebLog Expert\WLESched.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\Live Update 2\LMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\ekort\ekort.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\PestPatrol\PPMemCheck.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\mircreal\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\TheBat\thebat.exe
C:\Documents and Settings\noratx\SendTo\NOTEPAD.EXE
C:\Program Files\GlobalSCAPE\CuteFTP Pro\cftppro.exe
C:\Program Files\GlobalSCAPE\CuteFTP Pro\TE\ftpte.exe
C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Wise for Windows Installer\wfwi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\radioseven miniplayer\Radioseven miniplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\hijackthis.exe

R3 - URLSearchHook: (no name) - Vw - (no file)
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\WINDOWS\System32\Bhoekort.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 2\LMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [ekort] C:\Program Files\ekort\ekort.exe /dontopenmycards
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TVTool] "C:\Program Files\TVTool 9.6\TVTool.exe"
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP 7.1\NbkCtrl.exe"
O4 - HKLM\..\Run: [PPMemCheck] "C:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Global R&D\NetGuru] C:\PROGRA~1\NetGuru\NetGuru.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: e-kort (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} (Installer Class) - http://www.forenings...iscomsigned.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8012.3775347222
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F0B63C6D-4CDB-11D3-8CE6-CA9CFC28F360} (ZoomObj Class) - http://www.inzomia.c...les/inzomia.exe


Hope this helps you.. =)

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 25 May 2004 - 09:13 AM

Hi,
1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

C:\Program Files\Power Scan <--this folder

While still in Safe Mode:
Close all open windows, rescan with HijackThis and "Fix checked" the following:

R3 - URLSearchHook: (no name) - Vw - (no file)
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe


Restart normally and then ...

Download the latest version of Ad-Aware:
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program.

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 noratx

noratx

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 May 2004 - 01:39 PM

That didn't helped.. =(

Here's the fresh log.

Logfile of HijackThis v1.97.7
Scan saved at 20:37:22, on 2004-05-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\NovaStor\NovaBACKUP 7.1\NSENGINE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebLog Expert\WLESched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\Live Update 2\LMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\ekort\ekort.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\NovaStor\NovaBACKUP 7.1\NbkCtrl.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\PestPatrol\PPMemCheck.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
H:\mircreal\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\hijackthis.exe

R3 - URLSearchHook: (no name) - Vw - (no file)
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\WINDOWS\System32\Bhoekort.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 2\LMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [ekort] C:\Program Files\ekort\ekort.exe /dontopenmycards
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TVTool] "C:\Program Files\TVTool 9.6\TVTool.exe"
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP 7.1\NbkCtrl.exe"
O4 - HKLM\..\Run: [PPMemCheck] "C:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Global R&D\NetGuru] C:\PROGRA~1\NetGuru\NetGuru.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: e-kort (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} (Installer Class) - http://www.forenings...iscomsigned.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8012.3775347222
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F0B63C6D-4CDB-11D3-8CE6-CA9CFC28F360} (ZoomObj Class) - http://www.inzomia.c...les/inzomia.exe

As you can see, i didn't get rid of:
R3 - URLSearchHook: (no name) - Vw - (no file)

But i did get rid of the:
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

though, the problem is still there...

Edited by noratx, 25 May 2004 - 01:41 PM.


#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 25 May 2004 - 02:40 PM

Hi,
Unless you know what these are, have HijackThis "fix" the following:

R3 - URLSearchHook: (no name) - Vw - (no file)
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\WINDOWS\System32\Bhoekort.dll
O4 - HKLM\..\Run: [ekort] C:\Program Files\ekort\ekort.exe /dontopenmycards
O4 - HKLM\..\Run: [TVTool] "C:\Program Files\TVTool 9.6\TVTool.exe"
O9 - Extra button: e-kort (HKLM)


Next, Internet Options | Programs [tab]
Click "Reset Web Settings" [button], click Apply\Ok

Reboot and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#7 noratx

noratx

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 May 2004 - 03:31 PM

I know what they are, except for that "URLSearchHook".
That one dosn't go away when i try fix it in HJT.
But i'll try reset the websettings and see if that works...

Otherwise, i'll have to live with it... =(

Edit: Hmm.. wierd, this time it helped to reset the websettings.
I tried that before i came here, and it didn't worked then....

But thank you WinHelp2002 for your time and help. =)

/Rickard

Edited by noratx, 25 May 2004 - 03:36 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button