IE6 has been hijacked!

  DrFox 13:17 19 Dec 03

I really hope someone can help. My IE explorer has been taken over by some virus. When I type in an email address, it appears to go to that address, in other words it's on the title bar, but it's some randomly generated site.

I get loads of page not founds, but again these seem to be randomly generated. Also when I do get the correct page after hitting refresh about a million times, half the graphics are missing.

I've run spybot, adware, Hijackthis, and my own virus checker, but nothing. This is driving me mad!

Any ideas?

  Jester2K II 13:20 19 Dec 03

Post your HijackThis log here or e-mail to me.

  DrFox 13:28 19 Dec 03

Will do

Just noticed I said email address. I meant website address.

  DrFox 13:35 19 Dec 03

Logfile of HijackThis v1.97.7
Scan saved at 03:18:39, on 11/01/2002
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 8.0a\aoltray.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\AOL 8.0a\waol.exe
C:\Program Files\AOL 8.0a\shellmon.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3Trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Documents and Settings\SSUK\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Updates] C:\WINDOWS\system32\msupdate.exe
O4 - HKLM\..\Run: [nbprocrk] nbprocrk.bat
O4 - HKLM\..\Run: [SVKP] nbprocrk.reg
O4 - HKCU\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Startup: Browser Hijack Blaster.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\safetp\stplayer.dll
O16 - DPF: {26111423-D30F-11D3-8A34-00A0CC3BAA9C} (Mission Connector 4.1) - click here
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD669A47-6D3E-4025-A931-AADD16166EEC}: NameServer =

  DrFox 13:38 19 Dec 03

mmh it's quite hard to view in that format, what's your email address?

  Jester2K II 13:45 19 Dec 03

Click the envelope next to my name

What is

O4 - HKLM\..\Run: [nbprocrk] nbprocrk.bat
O4 - HKLM\..\Run: [SVKP] nbprocrk.reg
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup

O10 - Unknown file in Winsock LSP: c:\windows\safetp\stplayer.dll

Do any of these ring a bell??

Also you got more info on what actually happens when you try to go to a page??

  DrFox 13:55 19 Dec 03

nbpro is my newsgroup reader

Safetp is a legitimate prog I use that transparently secures FTP passwords.

Basically I'll be browsing without problem. Then all of a sudden I start a new link and it comes back that the page is not found.

When I refresh, it will often return a page not found again, or it takes me to some other website. I assume the page not found is probably a website in the trojan's code that no longer exists. Quite often the 404 page is different from the generic one so again this would probably confirm my suspicion.

Once this problem kicks in and I have multiple windows open, I have missing graphics on the legitimate sites I view.

Also one thing I forgot to mention. I keep getting a windows box opening up that tells me I must click OK to view the page properly. When I do, it tries to download a .exe file to my PC. Probably some dialer.

  johnnyrocker 14:12 19 Dec 03

O4 - Startup: Browser Hijack Blaster.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe

extracted from your info and likely to be your problem.


  DrFox 14:19 19 Dec 03

Gotcha, I've done that and will monitor the sit. As it happens at random times I can't confirm right now.

Thanx for the help, I'll keep you posted.

  bvw in bristol 14:25 19 Dec 03

Quote " Logfile of HijackThis v1.97.7 Scan saved at 03:18:39, on 11/01/2002 "

11th January 2002?

  DrFox 14:27 19 Dec 03

Yep.. lazy b*stard ain't set the date time since.. well erm I can't remember :p


