Proseaching Hijack

  bgc2668 12:38 04 Sep 04
Locked

I am having problems with my homepage being hijacked and icons being added to my desktop. I have followed advice from a previous thread and run Hijackthis and now need to know what to get rid of.

Logfile of HijackThis v1.98.2
Scan saved at 10:57:03, on 04/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\Ben Clough\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Teddy loves Bunny

O2 - BHO: (no name) - {1CBA8A35-86B1-0288-8D40-E6D398C1B4D2} - C:\PROGRA~1\trayreal\SoftTest.exe

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Roam Media] C:\PROGRA~1\SHOWCU~1\Base team.exe

O4 - HKLM\..\Run: [Lockspeakjoyfirst] C:\Documents and Settings\All Users\Application Data\remotekindlockspeak\Support Thunk.exe

O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O16 - DPF: cpcScanner - click here

O16 - DPF: Yahoo! Chess - click here

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - click here

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - click here

O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - click here

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - click here

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - click here

O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - click here

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - click here

O16 - DPF: {B3E451DC-DD2B-4ECD-B226-08FF692024B1} (Installer Control) - click here

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - click here

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - click here

O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - click here

Any help would be appreciated.

  Gongoozler 15:15 04 Sep 04

Hi bgc2668. I'm no expert on this, but to keep your thread alive I did a bit of a search, and I really don't think you want these two on your system:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www. (a lot of things)

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll.

Before you use anything as powerful as deleting via HijackThis, try running CWShredder click here

  Nellie2 20:43 04 Sep 04

Hello! *wave*

If you haven't already done so then download and run Spybot Search and Destroy and Adaware then reboot after the clean up. There are download links and set up instructions click here

Then, run hijackthis again and make sure all browsers and windows are closed, including this one, put a tick against the following and click 'Fix checked' (If the entries are still there after running the above apps)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://xxx.eaixiqszvrdabxsvrwcctsrja.com/mthUbeEJoknIbtgiQ8KqXZ2Pw39SjBk7pu8CBjt7NlM.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://xxx.bziqokdguzbejtkltnwuqn.com/mthUbeEJoknIbtgiQ8KqXfYimuBH4DBieVT9VhngdsS2gzmRzLv5F8ZOUc6Eum5V.asp

O2 - BHO: (no name) - {1CBA8A35-86B1-0288-8D40-E6D398C1B4D2} - C:\PROGRA~1\trayreal\SoftTest.exe

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll

O4 - HKLM\..\Run: [Roam Media] C:\PROGRA~1\SHOWCU~1\Base team.exe

O4 - HKLM\..\Run: [Lockspeakjoyfirst] C:\Documents and Settings\All Users\Application Data\remotekindlockspeak\Support Thunk.exe

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - hxxp://install.wildtangent.com/bgn/partners/shockwave/orbital/install.cab

Then boot into safe mode and enable hidden files and folders. Instructions click here and click here and delete the following folders.

C:\PROGRAM FILES\SHOWCU~1\ <-- I'm not sure what the full folder name will be but the first six letters are as shown.

C:\Documents and Settings\All Users\Application Data\remotekindlockspeak\ <--- remotekindlockspeak is the folder to delete.

Reboot into normal mode and post a fresh log for me to check.
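The two replies above pick the hijacker lines out of the log by eye: a start page and search assistant pointing at gibberish domains, two BHOs with no name (one of them an .exe, one a DLL dropped straight into C:\WINDOWS), two Run entries launching from odd folders, and a Downloaded Program Files control with no friendly name. The script below is an added example written for this page, not code from the thread, from HijackThis or from any of the tools mentioned. It parses HijackThis 1.98-style R0/R1, O2, O4 and O16 lines, applies those same traits as heuristics (the thresholds are the editor's own assumptions), and prints, for each flagged entry, the registry location that "Fix checked" would clear. The sample log is constructed from the entries quoted in this thread; the hijacker URLs are kept in the defanged hxxp://xxx. form Nellie2 posted, and the Symantec .cab URL is a placeholder because the page shows only "click here".

```python
"""Triage a HijackThis 1.98-style log: parse the R0/R1, O2, O4 and O16 lines
and flag the traits that mark the hijacker entries in this thread."""
import re
from dataclasses import dataclass, field

BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
DPF_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
EXE_EXT = (".exe", ".dll", ".com", ".bat", ".cmd", ".scr")

# Constructed sample: entries quoted in this thread (hijacker URLs in the defanged
# hxxp://xxx. form as posted, plus legitimate Symantec/NVIDIA lines for contrast).
# The Symantec .cab URL is a placeholder; the page shows only "click here".
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://xxx.eaixiqszvrdabxsvrwcctsrja.com/mthUbeEJoknIbtgiQ8KqXZ2Pw39SjBk7pu8CBjt7NlM.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://xxx.bziqokdguzbejtkltnwuqn.com/mthUbeEJoknIbtgiQ8KqXfYimuBH4DBieVT9VhngdsS2gzmRzLv5F8ZOUc6Eum5V.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Teddy loves Bunny
O2 - BHO: (no name) - {1CBA8A35-86B1-0288-8D40-E6D398C1B4D2} - C:\PROGRA~1\trayreal\SoftTest.exe
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Roam Media] C:\PROGRA~1\SHOWCU~1\Base team.exe
O4 - HKLM\..\Run: [Lockspeakjoyfirst] C:\Documents and Settings\All Users\Application Data\remotekindlockspeak\Support Thunk.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://example.invalid/scanner.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - hxxp://install.wildtangent.com/bgn/partners/shockwave/orbital/install.cab
"""


@dataclass
class Entry:
    kind: str            # R0, R1, O2, O4 or O16
    raw: str
    key: str = ""        # registry key the entry lives under
    name: str = ""       # IE value name, BHO/DPF friendly name or Run value name
    clsid: str = ""
    target: str = ""     # URL, DLL/EXE path or Run command line
    flags: list = field(default_factory=list)


R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?:(\{[0-9A-Fa-f-]+\})(?: \((.+?)\))?|(.+?)) - (.+)$")


def parse_log(text):
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := R_RE.match(line):
            entries.append(Entry(m[1], line, key=f"{m[2]}\\{m[3]}", name=m[4], target=m[5]))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", line, key=f"{BHO_KEY}\\{m[2]}", name=m[1], clsid=m[2], target=m[3]))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", line, key=f"{m[1]}\\{RUN_KEY}", name=m[2], target=m[3]))
        elif m := O16_RE.match(line):
            clsid = m[1] or ""
            entries.append(Entry("O16", line, key=f"{DPF_KEY}\\{clsid}" if clsid else "",
                                 name=m[2] or m[3] or "", clsid=clsid, target=m[4]))
    return entries


def hostname(url):
    m = re.match(r"^[a-z]+://([^/\s]+)", url, re.IGNORECASE)   # accepts defanged hxxp://
    return m[1].lower() if m else ""


def longest_consonant_run(host):
    # Generated hijacker domains are consonant soup; real brand names rarely exceed 4.
    return max(map(len, re.findall(r"[b-df-hj-np-tv-z]+", host.lower())), default=0)


def triage(e):
    """Append a reason to e.flags for each suspicious trait; return the flags."""
    low = e.target.lower()
    if e.kind in ("R0", "R1") and "://" in e.target:
        host = hostname(e.target)
        if longest_consonant_run(host) >= 5:        # threshold is an assumption
            e.flags.append(f"start/search URL on generated-looking host {host}")
    elif e.kind == "O2":
        if e.name == "(no name)":
            e.flags.append("BHO registered without a name")
        if low.endswith(".exe"):
            e.flags.append("BHO points at an .exe; BHOs are in-process DLLs")
        if re.match(r"^c:\\windows\\[^\\]+$", low):
            e.flags.append("DLL dropped directly in the Windows directory")
    elif e.kind == "O4":
        if "\\application data\\" in low or "\\documents and settings\\" in low:
            e.flags.append("autostart from a user-writable profile directory")
        if not e.target.startswith('"') and not e.target.split()[0].lower().endswith(EXE_EXT):
            e.flags.append("unquoted command line with spaces in the executable path")
    elif e.kind == "O16" and e.clsid and not e.name:
        e.flags.append("ActiveX control installed with no friendly name")
    return e.flags


def fix_target(e):
    """Registry location that 'Fix checked' clears for this entry."""
    if e.kind in ("R0", "R1"):
        return f"reset value '{e.name}' under {e.key}"
    if e.kind == "O4":
        return f"delete value '{e.name}' under {e.key}"
    return f"delete key {e.key}" if e.key else f"remove {e.name} from Downloaded Program Files"


def triage_log(text):
    return [e for e in parse_log(text) if triage(e)]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e.raw, *("   ! " + f for f in e.flags), "   fix: " + fix_target(e), sep="\n")
```

Run against the first log in this thread the script flags exactly the seven lines Nellie2 lists and leaves the Symantec, NVIDIA and window-title entries alone; the bare-CLSID heuristic for O16 is deliberately the weakest of the set, since plenty of legitimate controls register without a friendly name, so treat that flag as "look it up", not "delete".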

  bgc2668 10:08 05 Sep 04

Hello Nellie2

I have done as you suggested and here is the log.

Logfile of HijackThis v1.98.2
Scan saved at 10:00:42, on 05/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ben Clough\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Teddy loves Bunny

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O16 - DPF: cpcScanner - click here

O16 - DPF: Yahoo! Chess - click here

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - click here

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - click here

O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - click here

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - click here

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - click here

O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - click here

O16 - DPF: {B3E451DC-DD2B-4ECD-B226-08FF692024B1} (Installer Control) - click here

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - click here

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - click here

O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - click here

It looks like it has done the trick, but I will wait for your confirmation. I use ad-aware and spybot S&D on a regular basis, and have spyware blaster running as well, so I was surprised when this happened. I think it was a piece of software that I installed that did it.

Many thanks for your help all.

  Taw® 10:52 05 Sep 04

for my notes

  Nellie2 10:57 05 Sep 04

Hi bgc2668

Your log looks clean to me now!!

Happy surfing! :)

This thread is now locked and can not be replied to.
