Page 1 of 2 12 LastLast
Results 1 to 10 of 15
  1. #1
    Member sundaypunch's Avatar
    Join Date
    Jul 2004
    Posts
    9
    Points
    0

    Default HijackThis logfile - might someone please review?

    Hello

    I have a browser hijack problem (res://roffd.dll/index.html#96676 keeps returning). After following all the steps in the sticky at the top of the page (AdAware, Spybot, Windows updates, HiJack This, etc. ) I still have the problem. I am posting the Hijack This logfile below. If somone would comment on what should be deleted I would greatly appreciate it.


    Logfile of HijackThis v1.98.0
    Scan saved at 5:42:55 AM, on 7/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\ipkm.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\javaxe32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Jones\Local Settings\Temporary Internet Files\Content.IE5\L76ZTTEB\HijackThis1980[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\roffd.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://roffd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://roffd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\roffd.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\roffd.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://roffd.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2EE72B4F-E40E-EFB8-15AA-4EB5AE709679} - C:\WINDOWS\system32\atlgi32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [javaxe32.exe] C:\WINDOWS\javaxe32.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\RunOnce: [ipkm.exe] C:\WINDOWS\ipkm.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/contro...C/MsnPUpld.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{905917D4-C344-4E52-AFA2-8C183EDD904D}: NameServer = 216.111.202.15 216.111.202.20
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

  2. #2
    Member
    Join Date
    Jan 2003
    Posts
    12,000
    Points
    1191

    Default

    One thing you are advised to do is to run HJT in a permanet folder not a temporary one.

    Cheers

  3. #3
    Member sundaypunch's Avatar
    Join Date
    Jul 2004
    Posts
    9
    Points
    0

    Default

    Hello

    Thanks for the tip. In additon to doing another round of Windows updates and running AdAware/Spybot again, I put HijackThis in a permanent folder and re-ran it. My problems are the same as I described above. Here is the Hijack This logfile-

    Logfile of HijackThis v1.98.0
    Scan saved at 2:23:47 PM, on 7/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\ipkm.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\javaxe32.exe
    C:\WINDOWS\System32\automove.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\roffd.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://roffd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://roffd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\roffd.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\roffd.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://roffd.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2EE72B4F-E40E-EFB8-15AA-4EB5AE709679} - C:\WINDOWS\system32\atlgi32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [javaxe32.exe] C:\WINDOWS\javaxe32.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKLM\..\RunOnce: [ipkm.exe] C:\WINDOWS\ipkm.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/contro...C/MsnPUpld.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{905917D4-C344-4E52-AFA2-8C183EDD904D}: NameServer = 216.111.202.15 216.111.202.20
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

  4. #4
    Member sundaypunch's Avatar
    Join Date
    Jul 2004
    Posts
    9
    Points
    0

    Default

    After about 10 hours of work, I believe have solved my problem. There is a tutorial on the spywareinfo.com website that takes you through additional steps to fix a browser hijacking. Here is the link-
    http://www.spywareinfo.com/articles/hijacked/#applets

    For reference, I removed the following lines using Hijack This-

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\roffd.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://roffd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://roffd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\roffd.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\roffd.dll/sp.html#96676

    This did not fix my problem. I re-ran Hijack This and these lines were there again. Using the info. from the spywareinfo.com website I also removed the following BHO using Hijack This-

    O2 - BHO: (no name) - {2EE72B4F-E40E-EFB8-15AA-4EB5AE709679} - C:\WINDOWS\system32\atlgi32.dll

    That solved my problem. Things appear to be fine now and I have control over my browser.

  5. #5
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Sorry but you haven't solved it that way ... it's not as easy as that ... it will return when you reboot.

    Please download and run this :-

    http://www.downloads.subratam.org/AboutBuster.zip

    Please post back with the [b]AboutBuster log[b]

    and a new hijackthis log

    If this doesent work, there is a much longer and more involved way....

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  6. #6
    Member sundaypunch's Avatar
    Join Date
    Jul 2004
    Posts
    9
    Points
    0

    Default

    Hi Steamwiz - unfortunately I found out this morning that you are exactly correct. Everything did come right back.I would greatly appreciate any input you have on the longer, more involved method.

    I ran Hijack This and About:Blaster in safe mode. It appeared to clean my computer. The problems reappeared though once I logged back on in regular mode. I am using "Browser Hijacker Blaster" and continually have a BHO alert and homepage alert. Here is the logfile from when the cleaning is complete in safe mode-

    Logfile of HijackThis v1.98.0
    Scan saved at 10:26:37 AM, on 7/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [ipkm.exe] C:\WINDOWS\ipkm.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/contro...C/MsnPUpld.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    Here is the logfile (with the bad stuff) from when I re-log on in regular mode. The home page has changed and the the "bad" 02- BHO keeps returning-

    Logfile of HijackThis v1.98.0
    Scan saved at 10:39:04 AM, on 7/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\ipkm.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xksol.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xksol.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AAE8D2B7-041D-CBB2-44B4-5E2B264B26C5} - C:\WINDOWS\adddc.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [ipkm.exe] C:\WINDOWS\ipkm.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/contro...C/MsnPUpld.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

  7. #7
    Member sundaypunch's Avatar
    Join Date
    Jul 2004
    Posts
    9
    Points
    0

    Default

    Oops, I forgot to post my AboutBuster log with the previous post. Here it is-

    -- Scan 1 --------
    About:Buster Version 1.30
    Removed! : C:\WINDOWS\javaxt.exe
    Removed! : C:\WINDOWS\uxqqfa.dat
    Removed! : C:\WINDOWS\xksol.dat
    Removed! : C:\WINDOWS\xksol.dll
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

  8. #8
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    HI

    Please read through this carefully before starting, and make sure you understand it all....

    1. Have Adaware installed updated and ready to run

    2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online.

    3. Make sure your PC is configured to show hidden files

    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

    Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    5. Then reboot into >>>safe mode<<< Click Here for instructions

    6. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xksol.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xksol.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {AAE8D2B7-041D-CBB2-44B4-5E2B264B26C5} - C:\WINDOWS\adddc.dll

    O4 - HKLM\..\RunOnce: [ipkm.exe] C:\WINDOWS\ipkm.exe

    delete the following files if present.

    C:\WINDOWS\xksol.dll

    C:\WINDOWS\adddc.dll

    C:\WINDOWS\ipkm.exe


    7. If you are not happy with editing the registry, use this reg file..... http://www.help2go.com/postp35164.html#35164 ....<<<<
    reg file


    Or to edit the registry manually, Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:

    __NS_Service
    __NS_Service_2
    __NS_Service_3

    If any are listed, right-click that entry in the right pane and choose Delete.

    Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    If you find it, right-click it in the right-pane and choose delete.

    8. Scan with Adaware and let it remove any bad files found.

    9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin

    10. Reboot to normal mode, scan again with Hijack This and post a new log here.

    11. NOTE:Two, possibly 3, files were also deleted from your computer and need to be replaced.

    Control.exe
    hosts (with no extension)
    SDHelper.dll (if you are using Spybot Search & Destroy)

    If control. exe is missing
    Go here: http://www.spywareinfo.com/~merijn/w...s.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

    Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
    Press 'Restore Original Hosts' and press 'OK'
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

    If you have Spybot S&D installed and SDHelper.dll is missing, Go here:-

    http://www.spywareinfo.com/~merijn/w....html#sdhelper and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
    ........................................................
    12. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

    13. Finally, do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-cillin) - Free on-line Scan

    http://housecall.antivirus.com

    Good luck

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  9. #9
    Member sundaypunch's Avatar
    Join Date
    Jul 2004
    Posts
    9
    Points
    0

    Default

    Hello Steamwiz

    Thank you for the in depth instructions. Before I go any further, I wanted to check with you about item #4. When I check "services.msc", I don't have a "Network Security Service" listed. In the "N's" I have-
    -Net Logon
    -NetMeeting Remote Desktop Sharing
    -Netropa NHK Server
    -Network Connections
    -Network DDE
    -Network DDE DSDM
    -Network Location Awareness (NLA)
    -Norton AntiVirus Auto Protect Service
    -NT LM Security Support Provider

    If you have a recommendation please let me know. I don't see any other entries that appear to be related to security. The "NT LM Security Support Provider" is stopped when I check it.

    Thank you again for your help.

  10. #10
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    HI

    This hijacker is in 2 parts ... this is only half of it...skip #4 and carry on with the rest....

    Aboutbuster probably took care of that bit allready..

    IN which case #7 may also be unaplicable ... but try everything ... if something doesn't work, or appears not to be there, just carry on with the rest.

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

Page 1 of 2 12 LastLast