Cool Web Search on Windows XP

Posted 19 August 2004 - 12:17 PM

My computer has been hijacked. I have read the FAQ and followed all the steps that you recommend to remove the hijacker, including running CWShredder, Ad-Aware etc. I ran HijackThis and removed all of the unwanted entries. When I start up Internet Explorer everything is fine for a few minutes, then my home page is changed to about:blank and I get popups. When I run HijackThis there is a new BHO entry.

Here is the latest HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 1:00:34 PM, on 8/19/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Larry Ross\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {427792FE-C50B-E431-ABCE-3735EA006792} - C:\WINDOWS\system32\apibr32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [crad.exe] C:\WINDOWS\system32\crad.exe
O4 - HKLM\..\Run: [apirs32.exe] C:\WINDOWS\apirs32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F31975FC-238E-4FFF-B68E-EF8B58D61EDC}: NameServer =

As you can see a new BHO entry (apibr32.dll) has been created.

Any help that you can give me would be much appreciated.

Posted 28 August 2004 - 01:59 AM

Hi JoeR,

Let's run the new version, Ad-Aware SE, for a full scan. Instructions and download here: http://forums.spywar...showtopic=11150
-Reboot after scan

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it. This will give you a permanent spot to store backups, and also alleviate clutter.

Run a scan of HijackThis and place a Make sure ALL Windows and browsers are closed when running HijackThis.
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {427792FE-C50B-E431-ABCE-3735EA006792} - C:\WINDOWS\system32\apibr32.dll

O4 - HKLM\..\Run: [crad.exe] C:\WINDOWS\system32\crad.exe
O4 - HKLM\..\Run: [apirs32.exe] C:\WINDOWS\apirs32.exe

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

*optional fix*

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required anyway. Different filenames used for different variants.

Reboot into Safe mode instructions here: http://service1.syma...001052409420406

Then show all hidden files instructions here: http://service1.syma...002092715262339

Navigate to the following directories and delete all in bold:


Run a new scan of Hijackthis and post a new log.
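The thread turns on an entry that reappears between scans (the `apibr32.dll` BHO). The following is an added example, not part of the original posts or of HijackThis itself: it diffs two saved HijackThis logs and reports entries present only in the later one. The function names and the "before" sample (the posted log lines with the BHO removed) are constructed for illustration.

```python
import re

# Entry lines look like "O2 - BHO: name - {CLSID} - path"; the header and
# the "Running processes" paths do not match this shape and are skipped.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*\S)\s*$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse_log(text):
    """Return the set of (section, detail) entries found in a log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def new_entries(before, after):
    """Entries in the later scan that were absent from the earlier one."""
    return sorted(parse_log(after) - parse_log(before))

def describe(entry):
    """Split an O2 (BHO) entry into name, CLSID and DLL path."""
    section, detail = entry
    m = BHO.match(detail) if section == "O2" else None
    if m:
        return {"section": section, "name": m.group(1),
                "clsid": m.group(2).upper(), "path": m.group(3)}
    return {"section": section, "detail": detail}

# Constructed sample: a scan taken right after cleaning (BHO removed).
BEFORE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [apirs32.exe] C:\WINDOWS\apirs32.exe
"""

# Later scan: the same lines plus the BHO line from the posted log.
AFTER = BEFORE + (r"O2 - BHO: (no name) - {427792FE-C50B-E431-ABCE-3735EA006792}"
                  r" - C:\WINDOWS\system32\apibr32.dll" + "\n")

if __name__ == "__main__":
    for e in new_entries(BEFORE, AFTER):
        print(describe(e))
```

An entry that shows up in the diff after a cleanup means something still running is rewriting it, so the startup (O4) entries present in both scans are the next thing to review.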

