Hijacker from HELL!


#1 disneycali



  • New Member
  • 4 posts

Posted 16 June 2004 - 09:23 PM

Hey All,

I'm also one of the lucky ones to have recently acquired this beauty (2:00am EST 06/16/04). I've read the FAQ and tried a little of everything, but it just returns. Per the forum instructions, I'm posting my HijackThis output below.

One additional note that I would like to add is that the overall performance of my PC has been reduced by half. Hopefully we can get a fix for this soon. All replies are greatly appreciated!

- Jeff

Logfile of HijackThis v1.97.7
Scan saved at 10:22:55 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\szaax.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://szaax.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://szaax.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\szaax.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://szaax.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\szaax.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {464EFEE1-E766-B599-42B5-E965691213DD} - C:\WINDOWS\system32\winsg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [svshostdriver] svshost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpyHunter] pctspk.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [netve.exe] C:\WINDOWS\system32\netve.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...55/sdcregie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8081.9441782407
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_2us.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedoll...age/XUpload.ocx

Edited by disneycali, 19 June 2004 - 11:18 PM.
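The log above is read by hand in this thread: the helper looks for IE start and search pages pointing at a res:// resource inside a DLL, an unnamed BHO loading from the Windows directory, and Run entries that launch a bare filename or an executable dropped straight into system32. The following is an added example, not code from the thread, from HijackThis or from About:Buster, that encodes those same checks so they can be run over a whole log. The sample log is constructed from entries quoted in the post above (with one Google start page added as a clean contrast); the rules are heuristics for triage, and every flagged line still needs a human to confirm it.

```python
"""Heuristic triage of HijackThis (v1.97-era) log lines.

Added example (not part of the forum thread, HijackThis or About:Buster).
Encodes three checks a helper applies by eye:
  * R0/R1: IE start/search page redirected into a res:// DLL resource
  * O2:    unnamed BHO whose DLL lives under the Windows directory
  * O4:    Run entry launching a bare filename, or an .exe directly in system32
"""
from __future__ import annotations

import ntpath
import re

# Constructed sample in HijackThis log format (backslashes doubled for Python).
# Entries are copied from the quoted log; the Google start page is a clean contrast.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\szaax.dll/sp.html#96676
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://szaax.dll/index.html#96676
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {464EFEE1-E766-B599-42B5-E965691213DD} - C:\\WINDOWS\\system32\\winsg32.dll
O4 - HKLM\\..\\Run: [svshostdriver] svshost.exe
O4 - HKLM\\..\\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [netve.exe] C:\\WINDOWS\\system32\\netve.exe
"""

LINE_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# Matches both res://szaax.dll/index.html and res://C:\WINDOWS\szaax.dll/sp.html
RES_DLL_RE = re.compile(r"res://(?:.*?\\)?(?P<dll>[^/\\]+\.dll)", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")

# System host binaries that legitimately appear in Run keys without a path.
KNOWN_HOST_BINARIES = {"rundll32", "rundll32.exe"}


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def in_windows_dir(path: str) -> bool:
    """True when the path is under <drive>:\\WINDOWS or \\WINNT (e.g. system32)."""
    parts = [p.lower() for p in path.split("\\")]
    return len(parts) > 1 and parts[1] in {"windows", "winnt"}


def triage(log_text: str) -> list[dict]:
    """Run the heuristics over a whole log; one finding per flagged line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        reason = None
        if kind in ("R0", "R1") and "=" in body:
            value = body.split("=", 1)[1].strip()
            if value.lower().startswith("res://"):
                reason = "IE start/search page redirected into a local DLL resource"
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)" and in_windows_dir(b.group("path")):
                reason = "unnamed BHO loading from the Windows directory"
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = executable_of(r.group("cmd"))
                if "\\" not in exe and exe.lower() not in KNOWN_HOST_BINARIES:
                    reason = "Run entry launches a bare filename (resolved via PATH, not pinned)"
                elif in_windows_dir(exe) and ntpath.dirname(exe).lower().endswith("system32"):
                    reason = "Run entry launches an executable placed directly in system32"
        if reason:
            findings.append({"kind": kind, "line": raw.strip(), "reason": reason})
    return findings


def hijacked_dlls(log_text: str) -> set[str]:
    """Collect the DLL filenames that res:// start/search pages point into."""
    dlls = set()
    for f in triage(log_text):
        if f["kind"] in ("R0", "R1"):
            m = RES_DLL_RE.search(f["line"])
            if m:
                dlls.add(m.group("dll").lower())
    return dlls


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['reason']}\n    {f['line']}")
    print("DLLs hosting the hijacked pages:", sorted(hijacked_dlls(SAMPLE_LOG)))
```

On the sample this flags five lines (both res:// pages, the system32 BHO, `svshost.exe` and `netve.exe`) and names `szaax.dll` as the file hosting the hijacked pages, which is the DLL the later posts set out to remove. The Adobe BHO, the avast! entry and the RunDll32 launcher pass, showing why the rules are scoped the way they are rather than flagging every `(no name)` or every bare command.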

#2 disneycali



  • New Member
  • 4 posts

Posted 19 June 2004 - 11:19 PM

Well, I know we aren't supposed to bump, but it's been a few days and I have no idea what page # I'm on. Another user offered $$$ which seemed to work, so I'll start with $20.00. I am also a bit further along than my initial post, having followed some instructions posted by Phantom for another user with similar problems. EZ Antivirus keeps picking up a virus that is trying to change my startpage whenever my PC goes into sleep mode. In addition, the overall computer performance is not what it used to be. Any help would be appreciated!

#3 RubbeR DuckY


  • Developer
  • 878 posts

Posted 19 June 2004 - 11:29 PM

No money needed :) Unless you want to donate :).

First download A:B (About:Buster) from

Next start HijackThis and tick the boxes next to these items...

O2 - BHO: (no name) - {464EFEE1-E766-B599-42B5-E965691213DD} - C:\WINDOWS\system32\winsg32.dll

Then Close all windows and hit fix.

End these processes if running

Then delete

Unzip About:Buster to your desktop and start it up. Click OK to the message that pops up. Close Internet Explorer and reopen it, and copy everything that is in the address bar (it should start with res://). Then close Internet Explorer. Hit Start in my program (A:B) and paste the contents in the white box. Hit OK. Next start up HijackThis again and check the box next to the O2 - BHO; the .dll is random, like the one above. Make sure to also delete it from your computer.

Restart your computer.

Please tell us if that fixed the problem by posting another log.

Note: If your homepage is google after restart it works!

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

#4 disneycali



  • New Member
  • 4 posts

Posted 20 June 2004 - 12:04 AM

Thanks for the quick reply. I no longer have those files when I run HJT. I tried restoring to an earlier point (tried 4 different points) so I could duplicate the original error, but XP won't let me. So what is the point of restore? I'm afraid I may have removed something I needed, so at this point I don't know what to do.
I moved c:\WINDOWS\system32\netve.exe to a temp folder. Should I move it back?
I also removed Java 2 Runtime Environment since EZ AV was reporting multiple viruses from that directory. Should I reinstall?
Any idea how I can remove HomeSearch Assistent from Add/Remove Programs listing?

#5 disneycali



  • New Member
  • 4 posts

Posted 20 June 2004 - 10:45 PM

Here is the latest error(s) that I receive. When my computer goes into sleep mode and I come back after a few hours, there are 4 or 5 popup windows which have a similar message:

eTrust EZ Antivirus real-time protection has found that C:\System Volume Information\_restore{92ABC94D-4FDE-49EA-AE2E-EEAFAD174C7F\RP126\A0022485.reg is REG.Startpage.BU trojan.

Any thoughts?
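The path in the alert quoted above sits under `System Volume Information\_restore{...}\RP126\`, which is a Windows XP System Restore snapshot: the scanner is re-detecting an archived copy of the hijacker's registry file inside a restore point, not a file that is active on the live system, and the copy stays there until that restore point is discarded. As an added example (not code from the thread or from eTrust EZ Antivirus), the snippet below parses alert lines in the format quoted above and separates restore-point copies from live-filesystem detections. The first alert is the one from the post; the second, with its threat name, is constructed as a contrast case. The regex accepts the restore GUID with or without its closing brace, because the quoted message lacks it.

```python
"""Classify real-time AV alerts: live-filesystem detection or restore-point copy?

Added example, not part of the forum thread or of eTrust EZ Antivirus. Paths of
the form <drive>:\\System Volume Information\\_restore{GUID}\\RPnnn\\... are
Windows XP System Restore snapshots, so a detection there is an archived copy.
"""
from __future__ import annotations

import re

SAMPLE_ALERTS = [
    # Quoted from the post above (the GUID's closing brace is missing in the quote).
    "eTrust EZ Antivirus real-time protection has found that "
    "C:\\System Volume Information\\_restore{92ABC94D-4FDE-49EA-AE2E-EEAFAD174C7F\\RP126\\A0022485.reg "
    "is REG.Startpage.BU trojan.",
    # Constructed contrast case: a live path from the log; the threat name is a placeholder.
    "eTrust EZ Antivirus real-time protection has found that "
    "C:\\WINDOWS\\system32\\netve.exe is Win32.Placeholder.Constructed trojan.",
]

ALERT_RE = re.compile(r"real-time protection has found that (?P<path>.+?) is (?P<threat>.+?)\.?$")
# Brace after the GUID is optional so the quoted alert parses as written.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}?\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


def parse_alert(text: str) -> dict | None:
    """Pull the detected path and the threat name out of an alert line."""
    m = ALERT_RE.search(text.strip())
    if not m:
        return None
    return {"path": m.group("path"), "threat": m.group("threat")}


def classify(text: str) -> dict | None:
    """Tag an alert as a restore-point copy (with its RP number) or a live detection."""
    alert = parse_alert(text)
    if alert is None:
        return None
    rp = RESTORE_POINT_RE.search(alert["path"])
    alert["location"] = f"restore point RP{rp.group('rp')}" if rp else "live filesystem"
    return alert


def summarize(alerts: list[str]) -> dict[str, int]:
    """Count live vs. restore-point detections across a batch of alerts."""
    counts = {"live": 0, "restore_point": 0}
    for text in alerts:
        c = classify(text)
        if c is None:
            continue
        counts["live" if c["location"] == "live filesystem" else "restore_point"] += 1
    return counts


if __name__ == "__main__":
    for text in SAMPLE_ALERTS:
        c = classify(text)
        print(f"{c['location']:<22} {c['threat']:<36} {c['path']}")
    print(summarize(SAMPLE_ALERTS))
```

A batch of alerts that all classify as restore-point copies, as in the post above, means the live cleanup is holding and only the snapshots still carry the hijacker; a live-filesystem hit means the infection is still active and the HijackThis log needs another look.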
