browser hijack e-finder.cc

  dimercaprol 07:46 03 Oct 04

My browser has been hijacked. I am running Win XP home and IE6. I have run Adaware, SpybotS&D and CWShredder without effect. This is the "hijack this" log after running all the above. I would be very grateful for any advice.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\qttask.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\CAPRPCSK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hijackthis\HijackThis.exe

  dimercaprol 07:47 03 Oct 04

I'll try again in several parts


  dimercaprol 07:50 03 Oct 04

Running processes:
C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\qttask.exe

C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System\MSMSGSVC.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\WINDOWS\System32\CAPRPCSK.EXE

  dimercaprol 07:51 03 Oct 04

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE

C:\WINDOWS\System32\ati2evxx.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com_%[email protected]/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com_%[email protected]/search/ (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com_%[email protected]/hp/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com_%[email protected]/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com_%[email protected]/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com_%[email protected]/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com_%[email protected]/hp/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com_%[email protected]/search/ (obfuscated)

  dimercaprol 07:53 03 Oct 04

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com_%[email protected]/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com_%[email protected]/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com_%[email protected]/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com_%[email protected]/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com_%[email protected]/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com_%[email protected]/search/ (obfuscated)

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\qttask.exe

O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE

  dimercaprol 07:55 03 Oct 04

O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - DefaultPrefix: click here?

O13 - WWW Prefix: click here?

O14 - IERESET.INF: START_PAGE_URL=click here

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here

  rawprawn 08:38 03 Oct 04

I think system32\sass.exe is a virus. Download and run this free program: click here. Someone with more knowledge than me may suggest something different, but this is a good program and it won't hurt anyway.

  Nellie2 09:36 03 Oct 04

When you have followed rawprawn's advice:

Go to click here, and download the latest version of CWShredder by Merijn Bellekom, the creator of Hijack This.
Extract it into its own folder and run it, press 'Fix', and allow it to fix all it finds.

Now download Ad-Aware SE from click here

After installing AAW, and before running the program, you NEED to FIRST update it:
Launch Ad-Aware, and click "Check for Updates" above the start button; you'll be prompted to download and install the latest Reference File.

Now press Start > Next, and let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again.
Right-click in that Results pane and choose "select all".

Press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

When you've done all that, re-run Hijack This, and show us a fresh log.
There will be more to do!

  dimercaprol 18:07 03 Oct 04

Thanks Rawprawn and Nellie 2. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 18:03:20, on 03/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\WINDOWS\System32\CAPRPCSK.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\qttask.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Hijackthis\HijackThis.exe

  dimercaprol 18:10 03 Oct 04

Logfile of HijackThis v1.97.7
Scan saved at 18:03:20, on 03/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ati2evxx.exe

C:\WINDOWS\System32\CAPRPCSK.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\qttask.exe

C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System\MSMSGSVC.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE

C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE

C:\Program Files\Hijackthis\HijackThis.exe

  rawprawn 18:12 03 Oct 04

Nellie2 is the expert on these HJT logs. I am sure that she will sort you out, so I will leave it to her. Good luck.

This thread is now locked and can not be replied to.
