Home Page redirected


11 replies to this topic

#1 garrion

Posted 24 June 2004 - 09:24 PM

I've tried all the software advised before posting, and still it eventually comes back to redirect me to a search page :(

Logfile of HijackThis v1.97.7
Scan saved at 03:19:41, on 25/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\D drive apps\eMule\emule.exe
C:\Program Files\AareSoft\AareAVI2VCDConverter\avi2vcd.exe
C:\Program Files\AareSoft\AareAVI2VCDConverter\avi2vcd.exe
C:\Program Files\AareSoft\AareAVI2VCDConverter\avi2vcd.exe
C:\Documents and Settings\gary williamson\Desktop\Internet\HiJackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [ntpl32.exe] C:\WINDOWS\system32\ntpl32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com


Many thanks for any help

Edited by garrion, 24 June 2004 - 09:26 PM.


#2 garrion

Posted 02 July 2004 - 04:35 PM

Help please

#3 Autodad

Posted 05 July 2004 - 03:37 AM

Hello garrion,

Sorry for the long wait. If you still have your concern, please try this:

Please download About:Buster and unzip it to your desktop.
Start it, hit OK, Start, and OK to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

(There is a newer version of HJT. You can get it here.)

#4 garrion

Posted 10 July 2004 - 06:14 PM

Thanks for replying :)

OK, here's the AboutBuster log
-- Scan 1 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!




By the way, my Ad-Watch popped up with the following at the end of running it:

Ad-watch Logfile, exported on 11/07/2004
Total number of events:6
===============================================
11/07/2004 00:05:07 - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Start Page
Data:http://www.enterprisemission.com/
New Data:http://www.google.com

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 00:05:07 - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:http://www.google.com

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 00:05:07 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Default_Page_URL
Data:http://www.msn.com/
New Data:http://www.google.com

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 00:05:07 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Default_Search_URL
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:http://www.google.com

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 00:05:07 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:http://www.google.com

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 00:05:07 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Start Page
Data:http://www.msn.com/
New Data:http://www.google.com

Possible browser hijack attempt (Blocked)

===============================================


Here's HijackThis

Logfile of HijackThis v1.98.0
Scan saved at 00:11:22, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\gary williamson\Desktop\Internet\Ad HiJackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab


Hope this helps


P.S.
My home page has recently been opening at the correct page since installing TrojanHunter and deleting a few suspect trojans

#5 Autodad

Posted 10 July 2004 - 08:57 PM

Hello garrion,

I don't know if that's a record, but I counted about 343 files that About:Buster removed. :gasp:

Open HijackThis, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676


R3 - Default URLSearchHook is missing

Now, close all open windows and browsers (have only HJT open) and click "Fix Checked".

Then, reboot, and please post a new HJT log, and let us know if you have any concerns.

#6 garrion

Posted 10 July 2004 - 10:48 PM

I did as instructed, and Ad-Watch popped up after deleting the 4 files you asked me to delete, as follows:

Ad-watch Logfile, exported on 11/07/2004
Total number of events:3
===============================================
11/07/2004 04:37:32 - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 04:37:32 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Default_Search_URL
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 04:37:32 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:

Possible browser hijack attempt (Blocked)

===============================================


I then rebooted, and here is the log of HijackThis (do I need to turn off Ad-Watch before deleting files?)


Logfile of HijackThis v1.98.0
Scan saved at 04:43:37, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\gary williamson\Desktop\Internet\Ad HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab

P.S.
ZoneAlarm came up after rebooting when I opened my web browser, saying that IEXPLORER had changed program... so I allowed it?

#7 Autodad

Posted 10 July 2004 - 11:28 PM

It is possible that Ad-watch locked that homepage. Yes, turn off Ad-watch, then fix these entries in HJT:

Open HijackThis, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676


Now, close all open windows and browsers (have only HJT open) and click "Fix Checked".

Then, reboot and please post a new log.
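
The situation described in the post above, a registry guard blocking the cleanup itself, as an added example that is not part of the thread: this Python sketch cross-checks Ad-watch "Blocked" events against the R-lines of a HijackThis log and lists the hijacked values the guard has pinned in place. The function names and the `res://` heuristic are assumptions of this example; the sample lines are trimmed from the logs quoted in the thread.

```python
import re

# Sample input: events and entries trimmed from the logs quoted in this thread.
ADWATCH_LOG = r"""Ad-watch Logfile, exported on 11/07/2004
===============================================
11/07/2004 04:37:32 - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 00:05:07 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Start Page
Data:http://www.msn.com/
New Data:http://www.google.com

Possible browser hijack attempt (Blocked)

===============================================
"""

HJT_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

ROOT_ABBR = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
FIELDS = {"Root": "root", "Key": "key", "Value": "value",
          "Data": "old", "New Data": "new"}
# R0/R1 lines look like: "R1 - HKCU\<key>,<value name> = <data>"
HJT_R = re.compile(
    r"^(?P<code>R[01]) - (?P<root>HKCU|HKLM)\\(?P<key>[^,]+),"
    r"(?P<value>.+?) = (?P<data>.*)$"
)


def parse_adwatch(text):
    """Split an Ad-watch export on its '=====' rules and parse each event."""
    events = []
    for chunk in re.split(r"^=+[ \t]*$", text, flags=re.M):
        if "Registry modification detected" not in chunk:
            continue  # export header or trailing whitespace
        ev = {name: "" for name in FIELDS.values()}
        ev["blocked"] = "(Blocked)" in chunk
        for line in chunk.splitlines():
            field, sep, val = line.partition(":")
            if sep and field in FIELDS:
                ev[FIELDS[field]] = val.strip()
        events.append(ev)
    return events


def parse_hjt_r(text):
    """Return the R0/R1 (IE start/search page) entries of a HijackThis log."""
    rows = []
    for line in text.splitlines():
        m = HJT_R.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_res_hijack(data):
    # Heuristic assumed for this example: a search/start page served from a
    # DLL resource (res://...) instead of an http URL, as in the thread's logs.
    return data.lower().startswith("res://")


def blocked_cleanups(events):
    """Blocked changes that would have replaced a res:// value with a clean one."""
    return [
        (ROOT_ABBR.get(ev["root"], ev["root"]), ev["key"], ev["value"])
        for ev in events
        if ev["blocked"] and is_res_hijack(ev["old"]) and not is_res_hijack(ev["new"])
    ]


def pinned_hijacks(hjt_rows, events):
    """Values still hijacked in the HJT log whose cleanup the guard blocked."""
    blocked = set(blocked_cleanups(events))
    return sorted(
        (r["root"], r["key"], r["value"])
        for r in hjt_rows
        if is_res_hijack(r["data"]) and (r["root"], r["key"], r["value"]) in blocked
    )


if __name__ == "__main__":
    for root, key, value in pinned_hijacks(parse_hjt_r(HJT_LOG),
                                           parse_adwatch(ADWATCH_LOG)):
        print(f"guard blocked cleanup of {root}\\{key},{value}")
```

A non-empty result means the guard should be paused before the fix is re-applied, which is the step taken next in the thread.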

#8 garrion

Posted 11 July 2004 - 03:01 AM

Okies, here's the log; this time Ad-Watch didn't pop up (I turned it off)

Logfile of HijackThis v1.98.0
Scan saved at 08:56:21, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\gary williamson\Desktop\Internet\Ad HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab

#9 garrion

Posted 11 July 2004 - 03:23 AM

ADDITION TO LAST POST

Arhhh! After it had cleared as above I turned Ad-Watch back on and then got the following

Ad-watch Logfile, exported on 11/07/2004
Total number of events:3
===============================================
11/07/2004 09:16:22 - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 09:16:22 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Default_Search_URL
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:

Possible browser hijack attempt (Blocked)

===============================================
11/07/2004 09:16:22 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
New Data:

Possible browser hijack attempt (Blocked)

===============================================


Tried HijackThis again and guess what

Logfile of HijackThis v1.98.0
Scan saved at 09:18:57, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\gary williamson\Desktop\Internet\Ad HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab

Why do the 3 R1s re-appear when I put Ad-Watch back on?

:wtf:
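An added example, not part of the post above and not HijackThis's own code: a small Python comparison of the R-section of two scans that reports which entries came back and which local DLL they load through `res://`. The function names are assumptions; the sample lines are copied from the 08:56:21 and 09:18:57 logs in this thread.

```python
import re

# HijackThis R-section line: "R1 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^R[0-3] - (HK(?:CU|LM))\\(.+?),(.+?) = (.*)$")
# Browser setting that loads its page from a resource inside a local DLL
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

# R-section lines copied from the two scans posted in this thread
SCAN_0856 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
"""
SCAN_0918 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\moxuw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
"""

def parse_r_entries(log_text):
    """Return {(hive, key, value_name): data} for the R-lines of a log."""
    entries = {}
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            hive, key, name, data = m.groups()
            entries[(hive, key, name)] = data
    return entries

def reappeared(before, after):
    """Entries missing or different in the earlier scan, present in the later."""
    old, new = parse_r_entries(before), parse_r_entries(after)
    return {k: v for k, v in new.items() if old.get(k) != v}

def res_dll_targets(entries):
    """Map each DLL referenced via res:// to the values that point at it."""
    hits = {}
    for (hive, key, name), data in entries.items():
        m = RES_DLL.match(data)
        if m:
            hits.setdefault(m.group(1).lower(), []).append(f"{hive}\\{key},{name}")
    return hits

if __name__ == "__main__":
    for dll, values in res_dll_targets(reappeared(SCAN_0856, SCAN_0918)).items():
        print(dll, "<-", values)
```

All three returning values resolve to the same file, so the DLL and whatever rewrites the keys are the things to account for, not only the registry values.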

#10 garrion

Posted 11 July 2004 - 03:50 AM

Whew, finally figured out, I think, why that was happening.

I kept opening Ad-Watch 3 from the task bar to turn it back on before I opened AdWatch 6 and turned back the protections in settings, e.g. the Ad Watch tab, then LOCK START UP SECTIONS IN REG...BLOCK BROWSER HIJACK ATTEMPTS...BLOCK SUSPICIOUS PROCESSES...LOCK EXECUTABLE FILE ASSOCIATIONS..
I think because I hadn't turned back on the above before opening Ad Watch 3, Ad Watch 3 was putting the 3 R1s back...don't know if I'm babbling on but it seems possible to me..anyway here's the log now with Ad Watch on from start up

Logfile of HijackThis v1.98.0
Scan saved at 09:43:47, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\gary williamson\Desktop\Internet\Ad HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enterprisemission.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab

#11 Autodad

Posted 11 July 2004 - 10:06 AM

Hi garrion,

I'm glad you got it. I recommend removing any earlier versions of AdWatch, and keeping the latest.

Your log looks clean. :wave:
Here is some free protection you should consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check for updates occasionally.

And also see "So how did I get infected in the first place?"

#12 garrion

Posted 11 July 2004 - 11:02 AM

Thanks for your help :thumbsup:



