Can't Shake My Web Search - Fun Tools !!


4 replies to this topic

#1 earllee

Posted 08 June 2004 - 02:26 PM

Here is my hijack log - Any ideas

Logfile of HijackThis v1.97.7
Scan saved at 2:12:29 PM, on 06/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Neato\MediaFACE 4.0\SetHook.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINNT\System32\dmsnoalx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\RGreer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://data/default.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Neato\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [FPAKVC] C:\WINNT\FPAKVC.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [owlewgzozpa] C:\WINNT\System32\dmsnoalx.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msgked.exe
O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: WebConnect Pro 5.1.7 - http://caps.ingrammi...ebConnectDU.cab
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Office Outlook View Control) - http://activex.micro...ce/outlctlx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7875.3240393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scci.com
O17 - HKLM\Software\..\Telephony: DomainName = scci.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scci.com

#2 earllee

Posted 09 June 2004 - 06:56 AM

Bump

#3 dave38

Posted 09 June 2004 - 02:48 PM

Please download Lspfix
Unzip and run it. Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
You will have to click the "I know what I'm doing" button.

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

O4 - HKLM\..\Run: [FPAKVC] C:\WINNT\FPAKVC.exe
O4 - HKLM\..\Run: [owlewgzozpa] C:\WINNT\System32\dmsnoalx.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msgked.exe

Reboot, and delete files
C:\WINNT\FPAKVC.exe
C:\WINNT\System32\dmsnoalx.exe
C:\WINNT\System32\msgked.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!

#4 earllee

Posted 11 June 2004 - 07:49 AM

Okay, I did all suggested and I still have a little weirdness going on. Occasionally now the browser will just kick open and I see a message "loading"; the URL it is going to is http://69.20.62.53/yyy7.html Then a few minutes later the browser will open again, this time going to http://65.61.157.153...urbo/Adm/ad.htm. Like I said, I've done what was suggested as well as run SpyBot and AdAware repeatedly and can't seem to shake this. Clues ??? Current HiJack log below. Thanks


Logfile of HijackThis v1.97.7
Scan saved at 7:44:55 AM, on 06/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Neato\MediaFACE 4.0\SetHook.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Microsoft Office\Office10\FRONTPG.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\RGreer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://data/default.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Neato\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: WebConnect Pro 5.1.7 - http://caps.ingrammi...ebConnectDU.cab
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Office Outlook View Control) - http://activex.micro...ce/outlctlx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7875.3240393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scci.com
O17 - HKLM\Software\..\Telephony: DomainName = scci.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scci.com
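
A way to compare a follow-up log with the earlier one, as an added example that is not part of the original thread: the script parses HijackThis entry lines and reports which entries disappeared or appeared between two scans. The sample text is an excerpt of the two logs posted above, and the function names are illustrative.

```python
import re

# HijackThis entry lines begin with a section code: R0-R3, F0-F3, N1-N4, O1...
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries in a log.

    Header and "Running processes" lines do not match and are skipped;
    repeated lines (the identical O10 entries) collapse to one.
    """
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)

def still_present(fix_list, after):
    """Lines from a fix list that are still in the follow-up log."""
    return sorted(parse_entries(fix_list) & parse_entries(after))

# Excerpts of the 06/08 and 06/11 logs in this thread (not the full logs).
BEFORE = r"""Running processes:
C:\WINNT\System32\dmsnoalx.exe
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [FPAKVC] C:\WINNT\FPAKVC.exe
O4 - HKLM\..\Run: [owlewgzozpa] C:\WINNT\System32\dmsnoalx.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msgked.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
"""
AFTER = r"""R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for tag, items in (("-", removed), ("+", added)):
        for section, detail in items:
            print(tag, section, "-", detail)
```

An empty `still_present` result only shows that the entries left the log; it says nothing about files still on disk or components HijackThis does not list.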

#5 rpiver

Posted 25 June 2004 - 03:00 PM

Okay, I've run into this twice with different clients of mine.

Here are the things to look for.

Depending on the version you may have to do different things


First and foremost - disconnect yourself from the internet

Run Spybot, Cwshredder, Adaware or whatever spyware removal program you have to get rid of as much as possible.

Open Windows Explorer (NOT INTERNET EXPLORER)

Go to the Windows directory and look for files with the most recent date

Go to the system and system32 directory and look for files with most recent date

What you are looking for is usually an .exe file (Name varies) and a handful of .dll files (Names vary as well)

write the names of those files down

If you are running W2K or WXP you are going to have to install the recovery console.

This is done in both versions by inserting your windows disk and running winnt32 /cmdcons from the I386 directory

Go to Add/Remove Programs and look for any "weird" programs. Usually always you will find Wintools easy something (Uninstall that)

Go to the program files directory and look for any leftovers. Usually a toolbar directory and couple of other things

Run msconfig and look at everything in the startup tab. There is probably a program or two that references the offending file or one of the offending files.

Unless you have experience with the registry I would not recommend disabling any of those items in msconfig. If you do have experience editing the registry, (MAKE A BACKUP OF THE REGISTRY FIRST)
open it up and go to HKLM\software\microsoft\windows\currentversion\run
Check all the other runs as well and delete any offending keys.

Windows ME and XP users, turn off System Restore feature

After you have written the file names down reboot.

Windows 98 and ME users reboot to safe mode

XP and 2000 users
You should have an option on the startup screen for recovery console
Choose that. This will bring you to a command prompt

Some DOS knowledge required
Go to the Windows and System and System32 directory
Delete the files whose names you wrote down.
They may have the hidden or read only attribute enabled
Turn off those attributes (Use the attrib command)
Then delete those files

Reboot the computer and startup normally, connect your computer to the Internet

Find the lop removal tool. Just do a search in google for lop removal tool
Run the Lop removal tool

That should take care of the problem.

All of this can take anywhere from 1 to 4 hours depending on how easy it is to find everything.



