

Hijacked!!! Please Help!

8 replies to this topic

#1 oomfoofoo




Posted 15 June 2004 - 12:41 AM

I have run Ad-aware 6.0, Spybot, Trojan Hunter, Hijackthis, cwshredder, several times each, and I have not been able to get rid of the following problems:

1. My home page is repeatedly reset to the following address: res://qwvtn.dll/index.html#37049

2. I get pop ups for Home Search, Lookfor.cc and Search-to-find, especially when I run a search on Google.

My logfile from Hijackthis is below. I'd greatly appreciate any help that you can provide. Many Thanks.


Logfile of HijackThis v1.97.7
Scan saved at 10:38:51 PM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 28 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwvtn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qwvtn.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qwvtn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwvtn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qwvtn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwvtn.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FC8A44C7-1BDB-6F6E-B17E-626C67C424F9} - C:\WINDOWS\netko.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [zunsjeksqzjrg] C:\WINDOWS\System32\oibsmo.exe
O4 - HKLM\..\Run: [sysom.exe] C:\WINDOWS\system32\sysom.exe
O4 - HKLM\..\Run: [apptt.exe] C:\WINDOWS\apptt.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 sbdave




Posted 15 June 2004 - 01:06 AM

Looks like a few of us are getting this one. I'm having the same problems, along with this guy:

Anyone have any ideas? I too have tried EVERYTHING

#3 rockit




Posted 15 June 2004 - 06:37 AM

Hi, I've got the same problem!
home page is reset to the following address: res://puagi.dll/index.html#96676

Also get pop ups for Home Search, Lookfor.cc and Search-to-find.
Have tried all the programs here to remove the thing, but it comes back with another file name!

Anyone got anything new on this? Please

#4 oomfoofoo




Posted 15 June 2004 - 08:32 PM

Well...at least I'm not alone. Misery loves company. :weep: Can anyone help us? Thanks.

oomfoofoo :

#5 browntown




Posted 26 June 2004 - 06:08 PM

I am having the same problems. I posted my problem in a thread last night and have yet to get any help. Now that I realize I'm not the only one looking for the answer I feel just slightly better.

Is there a way for all of our problems to be put into one thread? Maybe that confuses matters further, but I just want to be sure I know WHICH post to find the answer in, once the answer is found and posted.

I too am glad to know I'm not the only one with this problem as before this problem I thought my army of 10+ programs was 10 foot tall and bullet proof. Guess not.


#6 method311




Posted 26 June 2004 - 06:31 PM

I have the same problem, only thing is that my home page is always set to "res://yqdxj.dll/index.html#96676". Even when I change the home page on my own, explorer only keeps that home page once, and then it's back to that other homepage. I have ad-aware as well but I haven't been able to solve this problem.

#7 TheThinWhiteDuke




Posted 26 June 2004 - 07:11 PM

I have the same problem, only thing is that my home page is always set to "res://yqdxj.dll/index.html#96676".  Even when I change the home page on my own, explorer only keeps that home page once, and then it's back to that other homepage.  I have ad-aware as well but I haven't been able to solve this problem.

Same here. "Home Search" is the thing. Not quite sure how it got there, but my brother seems to think he may have accidentally clicked on something.

The homepage address in IE comes up as: res://befqx.dll/index.html#96676

And however many times I 'remove' it, be it with Hijack This, Ad Aware, Spybot etc.... it just respawns the next time I open IE. I run the programs again, they detect it again, it returns after the supposed deletion. Repeat ad nauseam. Really getting to the end of my tether with it now.

Edited by TheThinWhiteDuke, 26 June 2004 - 07:12 PM.

#8 TheThinWhiteDuke




Posted 26 June 2004 - 07:42 PM

Okay, I've just tried something and it seems to have wiped the ****er out - I simply did a system restore from an automatic checkpoint that was put down three days ago (I'd never even entered system restore before since buying this HD a month ago).

Didn't think it would work, but the piece of shit seems to have been vanquished. Hopefully it won't pop up again and I remain cautious about proclaiming my computer totally free of it, but it hasn't appeared at all since the system restore, and I opened IE about 20 different times just to check.

Well worth trying as far as I'm concerned.

Edited by cnm, 28 July 2004 - 11:06 PM.

#9 shaunw




Posted 26 June 2004 - 07:50 PM

Your browser hijack is being driven by a virus or trojan. If you delete the randomly named dll then after rebooting a new one will be created. You need some good anti-virus software with the latest data files. Delete the virus then get rid of the hijack. If your anti-virus software doesn't find anything then it's not good enough.
I had an about:blank hijack which kept returning. Running McAfee with the latest virus definitions found MhtRedir.gen and StartPage-DU. After these were deleted I used hijackthis to remove the hijack and it has not returned.
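
Every poster in this thread reports the same shape of home-page value, `res://<name>.dll/index.html#<number>`, with a different DLL name on each machine. The following added example (not part of any post here) pulls those entries out of a HijackThis log by structure rather than by file name; the function name `find_res_hijacks` and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# HijackThis R0/R1 line: "R1 - HKCU\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM))\\(.+?),(.+?) = (.*)$")
# res:// URL served out of a DLL, given as a bare name or an absolute path
RES_DLL = re.compile(r"^res://(?:.*\\)?([^\\/]+\.dll)/", re.IGNORECASE)

def find_res_hijacks(log_text):
    """Map each DLL used in a res:// IE page setting to the (hive, value) pairs naming it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # only R0/R1 are page settings; O8 also carries res:// URLs
        _section, hive, _key, value_name, data = m.groups()
        dll = RES_DLL.match(data)
        if dll:
            hits[dll.group(1).lower()].append((hive, value_name))
    return dict(hits)

# The six res:// R lines and the O8 line are copied from the log in post #1;
# the final R1 line is constructed to show a value that is left alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwvtn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qwvtn.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qwvtn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwvtn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qwvtn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwvtn.dll/sp.html#37049
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.example.com/
"""

if __name__ == "__main__":
    for dll, values in find_res_hijacks(SAMPLE_LOG).items():
        print(dll)
        for hive, name in values:
            print(f"  {hive} Internet Explorer\\Main,{name}")
```

The output groups the affected registry values under the DLL they point to, which gives the file name to look for in an anti-virus scan on that particular machine.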

