Jump to content


Photo

IE gets redirected, hijackthis log please check!


  • Please log in to reply
3 replies to this topic

#1 mwmah

mwmah

    Member

  • New Member
  • Pip
  • 2 posts

Posted 09 June 2004 - 02:39 AM

Hi

I tried spybot search and destroy, adaware, pest patrol and norton antivirus.
Still having problems with my internet explored. I keep getting redirected to other sites with tons of pop ups.
Anyhelp will be appreciated!


Logfile of HijackThis v1.97.7
Scan saved at 10:03:26 PM, on 6/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\TEMP\PestPatrol\PestPatrol\PPMemCheck.exe
C:\TEMP\PestPatrol\PestPatrol\CookiePatrol.exe
C:\TEMP\PestPatrol\PestPatrol\PPControl.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\DU Meter\DUMETER.EXE
C:\WINNT\system32\wisptis.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...es/CAAB0103.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.weather.c...es/CAAB0103.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\winnt\sr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lar] C:\WINNT\system32\llass.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\TEMP\PestPatrol\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\TEMP\PestPatrol\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\TEMP\PestPatrol\PestPatrol\PPControl.exe
O4 - HKLM\..\RunServices: [lar] C:\WINNT\system32\llass.exe
O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7881.9275694444
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ler/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtange...wave/wtinst.cab

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 09 June 2004 - 09:30 AM

Hi,

I tried spybot search and destroy, adaware, pest patrol and norton antivirus

Are you sure? As NAV should have picked these up:
llass.exe = BKDR_LARSLP.A :alarm:
Note: BKDR_LARSLP.A is due to not patching your machine via Windows Update.

Mstask32.exe = Backdoor.Kol :alarm:
window.exe = Trojan.Mitglieder.J :alarm:

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, except for HijackThis place a check in each of the following:
Then click "Fix checked".

O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\winnt\sr.dll
O4 - HKLM\..\Run: [lar] C:\WINNT\system32\llass.exe
O4 - HKLM\..\Run: [Mstask32driver] Mstask32.exe
O4 - HKLM\..\RunServices: [lar] C:\WINNT\system32\llass.exe
O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Open Windows Explorer locate and delete the following:

c:\winnt\sr.dll <--this file
C:\WINNT\system32\llass.exe <--this file
Mstask32.exe <--this file - locate via Start | Search
C:\WINNT\system32\window.exe <--this file

Restart normally and then ...

"Flush System Restore" (see "How To" below)

Basically turn off System Restore, reboot, run a full (updated) NAV scan, reboot and turn System Restore back on and create a new Restore Point.

How to configure Norton AntiVirus to scan all files

After the above ... visit Windows Update and install all the "Critical Updates"

Then follow-up with the above articles for any other needed changes.

After the above post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 mwmah

mwmah

    Member

  • New Member
  • Pip
  • 2 posts

Posted 11 June 2004 - 01:28 AM

hey dude!!

Thanks for all the help WinHelp2002.
Followed your instructions exactly and worked like a charm... however, I didnt do the flush system restore. Windows 2000 doesn't have that option and I didn't know how.

Here's my hopefully untainted hijackthis log.

Logfile of HijackThis v1.97.7
Scan saved at 12:27:02 AM, on 6/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\TEMP\PestPatrol\PestPatrol\PPMemCheck.exe
C:\TEMP\PestPatrol\PestPatrol\CookiePatrol.exe
C:\TEMP\PestPatrol\PestPatrol\PPControl.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\HijackThis.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...es/CAAB0103.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.weather.c...es/CAAB0103.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\TEMP\PestPatrol\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\TEMP\PestPatrol\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\TEMP\PestPatrol\PestPatrol\PPControl.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7881.9275694444
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ler/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtange...wave/wtinst.cab

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 11 June 2004 - 06:56 AM

Hi,
Your log looks clean now ... good job!

Windows 2000 doesn't have that option

Yeah you're right ... sorry 'bout that. :wave:
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button