JoeR

Cool Web Search on Windows XP

2 posts in this topic

My computer has been hijacked. I have read the FAQ and followed all the steps that you recommend to remove the hijacker, including running CWShredder, Ad-Aware etc. I ran HijackThis and removed all of the unwanted entries. When I start up Internet Explorer everything is fine for a few minutes, then my home page is changed to about:blank and I get popups. When I run HijackThis there is a new BHO entry.

 

Here is the latest hijack this log:

Logfile of HijackThis v1.98.2
Scan saved at 1:00:34 PM, on 8/19/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\apirs32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\NOTEPAD.EXE:jnsnz
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Larry Ross\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {427792FE-C50B-E431-ABCE-3735EA006792} - C:\WINDOWS\system32\apibr32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [crad.exe] C:\WINDOWS\system32\crad.exe
O4 - HKLM\..\Run: [apirs32.exe] C:\WINDOWS\apirs32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F31975FC-238E-4FFF-B68E-EF8B58D61EDC}: NameServer = 206.47.244.102 206.47.244.12

 

As you can see a new BHO entry (apibr32.dll) has been created.

 

Any help that you can give me would be much appreciated.


Hi JoeR,

 

Let's run the new version of Ad-Aware SE for a full scan; instructions and download here: http://forums.spywareinfo.com/index.php?showtopic=11150

-Reboot after scan

 

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double-click to run it. This will give you a permanent spot to store backups, and also alleviate clutter.

 

Run a scan of Hijackthis and place a Make sure ALL Windows and browsers are closed when running hijackthis.

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {427792FE-C50B-E431-ABCE-3735EA006792} - C:\WINDOWS\system32\apibr32.dll

O4 - HKLM\..\Run: [crad.exe] C:\WINDOWS\system32\crad.exe
O4 - HKLM\..\Run: [apirs32.exe] C:\WINDOWS\apirs32.exe

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

 

*optional fix*

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required anyway. Different filenames used for different variants.

 

Reboot into Safe mode instructions here: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

 

Then show all hidden files instructions here: http://service1.symantec.com/SUPPORT/tsgen...002092715262339

 

Navigate to the following directories and delete all in bold:

C:\WINDOWS\system32\crad.exe

C:\WINDOWS\apirs32.exe

 

-Reboot

 

Run a new scan of Hijackthis and post a new log.
