Author Topic: Hijacked browser (Read 1574 times)

joannasmom · « **on:** April 14, 2005, 11:19:19 PM »

Hi all,

Please help me rid my computer of this hijacked software. I have been working at this for several days now and am getting nowhere.

I have downloaded some tools to help: Ad Aware, Hijack This, Spybot S&D, Spyware Doctor. All seem to help but problem keeps returning.

Here is a log file from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:53 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Compaq 11 Mbps Wireless USB Adapter\configA.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Compaq Wireless Configuration.lnk = C:\Program Files\Compaq\Compaq 11 Mbps Wireless USB Adapter\configA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109996472497
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

Any help would be very appreciated! Thanks

joannasmom · « **Reply #1 on:** April 15, 2005, 07:30:01 PM »

Hello again,

Having read other threads, I thought I would run Locate and StartDreck programs.

Here is the results from the Locate program:

C:\WINDOWS\SYSTEM32\DRIVERS\ATINXBXX.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\TDIM.SYS
C:\WINDOWS\SERVIC~1\I386\ATINXBXX.SYS
C:\WINDOWS\SERVIC~1\I386\WCEUSBSH.SYS
C:\WINDOWS\SOFTWA~1\DOWNLOAD\16B2C9~1\WCEUSBSH.SYS
C:\WINDOWS\SOFTWA~1\DOWNLOAD\16B2C9~1\ATINXBXX.SYS

Here is the results from the StartDreck.log file:

StartDreck (build 2.1.7 public stable) - 2005-04-15 @ 17:24:32 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Danny at DANNY

»Registry
»Files
»System/Drivers
»NT Services
*Alerter   Alerter   -   disabled
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Application Layer Gateway Service   ALG   running   on demand
`binary: C:\WINDOWS\System32\alg.exe
*Application Management   AppMgmt   -   on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Ati HotKey Poller   Ati HotKey Poller   running   auto
`binary: C:\WINDOWS\System32\Ati2evxx.exe
*ATI Smart   ATI Smart   -   disabled
`binary: C:\WINDOWS\SYSTEM32\ati2sgag.exe
*Windows Audio   AudioSrv   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Background Intelligent Transfer Service   BITS   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Computer Browser   Browser   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Indexing Service   CiSvc   -   on demand
`binary: C:\WINDOWS\system32\cisvc.exe
*ClipBook   ClipSrv   -   disabled
`binary: C:\WINDOWS\system32\clipsrv.exe
*COM+ System Application   COMSysApp   -   on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
*Cryptographic Services   CryptSvc   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*DCOM Server Process Launcher   DcomLaunch   running   auto
`binary: C:\WINDOWS\system32\svchost -k DcomLaunch
*DHCP Client   Dhcp   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Logical Disk Manager Administrative Service   dmadmin   -   on demand
`binary: C:\WINDOWS\System32\dmadmin.exe /com
*Logical Disk Manager   dmserver   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*DNS Client   Dnscache   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k NetworkService
*Error Reporting Service   ERSvc   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Event Log   Eventlog   running   auto
`binary: C:\WINDOWS\system32\services.exe
*COM+ Event System   EventSystem   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*F-Prot Antivirus Update Monitor   F-Prot Antivirus Upd   -   disabled
`binary: "C:\Program Files\FSI\F-Prot\fpavupdm.exe"
*Fast User Switching Compatibility   FastUserSwitchingCom   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Help and Support   helpsvc   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Human Interface Device Access   HidServ   -   disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*HTTP SSL   HTTPFilter   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k HTTPFilter
*IMAPI CD-Burning COM Service   ImapiService   -   on demand
`binary: C:\WINDOWS\System32\imapi.exe
*Server   lanmanserver   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Workstation   lanmanworkstation   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*TCP/IP NetBIOS Helper   LmHosts   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Messenger   Messenger   -   disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NetMeeting Remote Desktop Sharing   mnmsrvc   -   on demand
`binary: C:\WINDOWS\System32\mnmsrvc.exe
*Distributed Transaction Coordinator   MSDTC   -   on demand
`binary: C:\WINDOWS\System32\msdtc.exe
*Windows Installer   MSIServer   -   on demand
`binary: C:\WINDOWS\system32\msiexec.exe /V
*Network DDE   NetDDE   -   disabled
`binary: C:\WINDOWS\system32\netdde.exe
*Network DDE DSDM   NetDDEdsdm   -   disabled
`binary: C:\WINDOWS\system32\netdde.exe
*Net Logon   Netlogon   -   on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Network Connections   Netman   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Network Location Awareness (NLA)   Nla   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*NT LM Security Support Provider   NtLmSsp   -   on demand
`binary: C:\WINDOWS\System32\lsass.exe
*Removable Storage   NtmsSvc   -   on demand
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Plug and Play   PlugPlay   running   auto
`binary: C:\WINDOWS\system32\services.exe
*IPSEC Services   PolicyAgent   running   auto
`binary: C:\WINDOWS\System32\lsass.exe
*Protected Storage   ProtectedStorage   running   auto
`binary: C:\WINDOWS\system32\lsass.exe
*Remote Access Auto Connection Manager   RasAuto   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Access Connection Manager   RasMan   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Desktop Help Session Manager   RDSessMgr   -   on demand
`binary: C:\WINDOWS\system32\sessmgr.exe
*Routing and Remote Access   RemoteAccess   -   disabled
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
`binary: C:\WINDOWS\System32\locator.exe
*Remote Procedure Call (RPC)   RpcSs   running   auto
`binary: C:\WINDOWS\system32\svchost -k rpcss
*QoS RSVP   RSVP   -   on demand
`binary: C:\WINDOWS\System32\rsvp.exe
*Security Accounts Manager   SamSs   running   auto
`binary: C:\WINDOWS\system32\lsass.exe
*Smart Card   SCardSvr   -   on demand
`binary: C:\WINDOWS\System32\SCardSvr.exe
*Task Scheduler   Schedule   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Secondary Logon   seclogon   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*System Event Notification   SENS   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Windows Firewall/Internet Connection Sharing (I   SharedAccess   running   auto
`CS)
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Shell Hardware Detection   ShellHWDetection   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Print Spooler   Spooler   running   auto
`binary: C:\WINDOWS\system32\spoolsv.exe
*System Restore Service   srservice   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*SSDP Discovery Service   SSDPSRV   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Image Acquisition (WIA)   stisvc   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k imgsvc
*MS Software Shadow Copy Provider   SwPrv   -   on demand
`binary: C:\WINDOWS\System32\dllhost.exe /Processid:{825FD386-7785-47E3-89B3-8FB296E3B64C}
*Performance Logs and Alerts   SysmonLog   -   on demand
`binary: C:\WINDOWS\system32\smlogsvc.exe
*Telephony   TapiSrv   running   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Terminal Services   TermService   running   on demand
`binary: C:\WINDOWS\System32\svchost -k DComLaunch
*Themes   Themes   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Distributed Link Tracking Client   TrkWks   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Universal Plug and Play Device Host   upnphost   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Uninterruptible Power Supply   UPS   -   on demand
`binary: C:\WINDOWS\System32\ups.exe
*Volume Shadow Copy   VSS   -   on demand
`binary: C:\WINDOWS\System32\vssvc.exe
*Windows Time   W32Time   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WebClient   WebClient   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Management Instrumentation   winmgmt   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Portable Media Serial Number   WmdmPmSp   -   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*WMI Performance Adapter   WmiApSrv   -   on demand
`binary: C:\WINDOWS\System32\wbem\wmiapsrv.exe
*Security Center   wscsvc   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Automatic Updates   wuauserv   running   auto
`binary: C:\WINDOWS\system32\svchost.exe -k netsvcs
*Wireless Zero Configuration   WZCSVC   running   auto
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
*Network Provisioning Service   xmlprov   -   on demand
`binary: C:\WINDOWS\System32\svchost.exe -k netsvcs
»NT Kernel- and FS-drivers
*Abiosdsk   Abiosdsk   -   disabled
`binary:
*abp480n5   abp480n5   -   disabled
`binary:
*Microsoft ACPI Driver   ACPI   running   boot
`binary: \SystemRoot\System32\DRIVERS\ACPI.sys
*ACPIEC   ACPIEC   -   disabled
`binary:
*adpu160m   adpu160m   -   disabled
`binary:
*Microsoft Kernel Acoustic Echo Canceller   aec   -   on demand
`binary: system32\drivers\aec.sys
*AFD Networking Support Environment   AFD   running   system
`binary: \SystemRoot\System32\drivers\afd.sys
*Aha154x   Aha154x   -   disabled
`binary:
*aic78u2   aic78u2   -   disabled
`binary:
*aic78xx   aic78xx   -   disabled
`binary:
*AliIde   AliIde   -   disabled
`binary:
*AMD K7 Processor Driver   AmdK7   running   system
`binary: System32\DRIVERS\amdk7.sys
*amsint   amsint   -   disabled
`binary:
*asc   asc   -   disabled
`binary:
*asc3350p   asc3350p   -   disabled
`binary:
*asc3550   asc3550   -   disabled
`binary:
*RAS Asynchronous Media Driver   AsyncMac   -   on demand
`binary: System32\DRIVERS\asyncmac.sys
*Standard IDE/ESDI Hard Disk Controller   atapi   running   boot
`binary: \SystemRoot\System32\DRIVERS\atapi.sys
*Atdisk   Atdisk   -   disabled
`binary:
*ati2mtag   ati2mtag   running   on demand
`binary: System32\DRIVERS\ati2mtag.sys
*ATM ARP Client Protocol   Atmarpc   -   on demand
`binary: System32\DRIVERS\atmarpc.sys
*Audio Stub Driver   audstub   running   on demand
`binary: System32\DRIVERS\audstub.sys
*Beep   Beep   running   system
`binary:
*cbidf2k   cbidf2k   -   disabled
`binary:
*cd20xrnt   cd20xrnt   -   disabled
`binary:
*Cdaudio   Cdaudio   -   system
`binary:
*Cdfs   Cdfs   running   disabled
`binary:
*CD-ROM Driver   Cdrom   running   system
`binary: System32\DRIVERS\cdrom.sys
*Changer   Changer   -   system
`binary:
*CmdIde   CmdIde   -   disabled
`binary:
*C-Media WDM Audio Interface   cmuda   running   on demand
`binary: system32\drivers\cmuda.sys
*Cpqarray   Cpqarray   -   disabled
`binary:
*dac960nt   dac960nt   -   disabled
`binary:
*Disk Driver   Disk   running   boot
`binary: \SystemRoot\System32\DRIVERS\disk.sys
*dmboot   dmboot   -   disabled
`binary: System32\drivers\dmboot.sys
*dmio   dmio   -   disabled
`binary: System32\drivers\dmio.sys
*dmload   dmload   -   disabled
`binary: System32\drivers\dmload.sys
*Microsoft Kernel DLS Syntheiszer   DMusic   -   on demand
`binary: system32\drivers\DMusic.sys
*dpti2o   dpti2o   -   disabled
`binary:
*Microsoft Kernel DRM Audio Descrambler   drmkaud   -   on demand
`binary: system32\drivers\drmkaud.sys
*Fastfat   Fastfat   running   disabled
`binary:
*Floppy Disk Controller Driver   Fdc   running   on demand
`binary: System32\DRIVERS\fdc.sys
*Fips   Fips   running   system
`binary:
*Floppy Disk Driver   Flpydisk   running   on demand
`binary: System32\DRIVERS\flpydisk.sys
*FltMgr   FltMgr   running   boot
`binary: \SystemRoot\system32\drivers\fltmgr.sys
*FPA_RTP   FPA_RTP   running   boot
`binary: \SystemRoot\system32\Drivers\FSTOPW.SYS
*Volume Manager Driver   Ftdisk   running   boot
`binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
*Generic Packet Classifier   Gpc   running   on demand
`binary: System32\DRIVERS\msgpc.sys
*hpn   hpn   -   disabled
`binary:
*HTTP   HTTP   running   on demand
`binary: System32\Drivers\HTTP.sys
*i2omgmt   i2omgmt   -   system
`binary:
*i2omp   i2omp   -   disabled
`binary:
*i8042 Keyboard and PS/2 Mouse Port Driver   i8042prt   running   system
`binary: System32\DRIVERS\i8042prt.sys
*CD-Burning Filter Driver   Imapi   -   system
`binary: System32\DRIVERS\imapi.sys
*ini910u   ini910u   -   disabled
`binary:
*IntelIde   IntelIde   -   disabled
`binary:
*IPv6 Windows Firewall Driver   ip6fw   -   on demand
`binary: system32\drivers\ip6fw.sys
*IP Traffic Filter Driver   IpFilterDriver   -   on demand
`binary: System32\DRIVERS\ipfltdrv.sys
*IP in IP Tunnel Driver   IpInIp   -   on demand
`binary: System32\DRIVERS\ipinip.sys
*IP Network Address Translator   IpNat   running   on demand
`binary: System32\DRIVERS\ipnat.sys
*IPSEC driver   IPSec   running   system
`binary: System32\DRIVERS\ipsec.sys
*IR Enumerator Service   IRENUM   -   on demand
`binary: System32\DRIVERS\irenum.sys
*PnP ISA/EISA Bus Driver   isapnp   running   boot
`binary: \SystemRoot\System32\DRIVERS\isapnp.sys
*Keyboard Class Driver   Kbdclass   running   system
`binary: System32\DRIVERS\kbdclass.sys
*Microsoft Kernel Wave Audio Mixer   kmixer   running   on demand
`binary: system32\drivers\kmixer.sys
*KSecDD   KSecDD   running   boot
`binary:
*lbrtfdc   lbrtfdc   -   system
`binary:
*mnmdd   mnmdd   running   system
`binary:
*Modem   Modem   -   on demand
`binary:
*Mouse Class Driver   Mouclass   running   system
`binary: System32\DRIVERS\mouclass.sys
*Mount Point Manager   MountMgr   running   boot
`binary:
*mraid35x   mraid35x   -   disabled
`binary:
*WebDav Client Redirector   MRxDAV   running   on demand
`binary: System32\DRIVERS\mrxdav.sys
*MRxSmb   MRxSmb   running   system
`binary: System32\DRIVERS\mrxsmb.sys
*Msfs   Msfs   running   system
`binary:
*Microsoft Streaming Service Proxy   MSKSSRV   -   on demand
`binary: system32\drivers\MSKSSRV.sys
*Microsoft Streaming Clock Proxy   MSPCLOCK   -   on demand
`binary: system32\drivers\MSPCLOCK.sys
*Microsoft Streaming Quality Manager Proxy   MSPQM   -   on demand
`binary: system32\drivers\MSPQM.sys
*Microsoft System Management BIOS Driver   mssmbios   running   on demand
`binary: System32\DRIVERS\mssmbios.sys
*Mup   Mup   running   boot
`binary:
*NDIS System Driver   NDIS   running   boot
`binary:
*Remote Access NDIS TAPI Driver   NdisTapi   running   on demand
`binary: System32\DRIVERS\ndistapi.sys
*NDIS Usermode I/O Protocol   Ndisuio   running   on demand
`binary: System32\DRIVERS\ndisuio.sys
*Remote Access NDIS WAN Driver   NdisWan   running   on demand
`binary: System32\DRIVERS\ndiswan.sys
*NDIS Proxy   NDProxy   running   on demand
`binary:
*NetBIOS Interface   NetBIOS   running   system
`binary: System32\DRIVERS\netbios.sys
*NetBios over Tcpip   NetBT   running   system
`binary: System32\DRIVERS\netbt.sys
*Npfs   Npfs   running   system
`binary:
*Ntfs   Ntfs   -   disabled
`binary:
*Null   Null   running   system
`binary:
*IPX Traffic Filter Driver   NwlnkFlt   -   on demand
`binary: System32\DRIVERS\nwlnkflt.sys
*IPX Traffic Forwarder Driver   NwlnkFwd   -   on demand
`binary: System32\DRIVERS\nwlnkfwd.sys
*Parallel port driver   Parport   running   on demand
`binary: System32\DRIVERS\parport.sys
*Partition Manager   PartMgr   running   boot
`binary:
*ParVdm   ParVdm   running   auto
`binary:
*PCANDIS5 Protocol Driver   PCANDIS5   running   on demand
`binary: \??\C:\WINDOWS\System32\PCANDIS5.SYS
*PCI Bus Driver   PCI   running   boot
`binary: \SystemRoot\System32\DRIVERS\pci.sys
*PCIDump   PCIDump   -   system
`binary:
*PCIIde   PCIIde   running   boot
`binary: \SystemRoot\System32\DRIVERS\pciide.sys
*Pcmcia   Pcmcia   -   disabled
`binary:
*PDCOMP   PDCOMP   -   on demand
`binary:
*PDFRAME   PDFRAME   -   on demand
`binary:
*PDRELI   PDRELI   -   on demand
`binary:
*PDRFRAME   PDRFRAME   -   on demand
`binary:
*perc2   perc2   -   disabled
`binary:
*perc2hib   perc2hib   -   disabled
`binary:
*Microsoft IntelliPoint Filter Driver   Point32   running   on demand
`binary: System32\DRIVERS\point32.sys
*WAN Miniport (PPTP)   PptpMiniport   running   on demand
`binary: System32\DRIVERS\raspptp.sys
*QoS Packet Scheduler   PSched   running   on demand
`binary: System32\DRIVERS\psched.sys
*Direct Parallel Link Driver   Ptilink   running   on demand
`binary: System32\DRIVERS\ptilink.sys
*ql1080   ql1080   -   disabled
`binary:
*Ql10wnt   Ql10wnt   -   disabled
`binary:
*ql12160   ql12160   -   disabled
`binary:
*ql1240   ql1240   -   disabled
`binary:
*ql1280   ql1280   -   disabled
`binary:
*Remote Access Auto Connection Driver   RasAcd   running   system
`binary: System32\DRIVERS\rasacd.sys
*WAN Miniport (L2TP)   Rasl2tp   running   on demand
`binary: System32\DRIVERS\rasl2tp.sys
*Remote Access PPPOE Driver   RasPppoe   running   on demand
`binary: System32\DRIVERS\raspppoe.sys
*Direct Parallel   Raspti   running   on demand
`binary: System32\DRIVERS\raspti.sys
*Rdbss   Rdbss   running   system
`binary: System32\DRIVERS\rdbss.sys
*RDPCDD   RDPCDD   running   system
`binary: System32\DRIVERS\RDPCDD.sys
*RDPWD   RDPWD   -   on demand
`binary:
*Digital CD Audio Playback Filter Driver   redbook   running   system
`binary: System32\DRIVERS\redbook.sys
*Secdrv   Secdrv   running   auto
`binary: System32\DRIVERS\secdrv.sys
*Serenum Filter Driver   serenum   running   on demand
`binary: System32\DRIVERS\serenum.sys
*Serial port driver   Serial   running   system
`binary: System32\DRIVERS\serial.sys
*Sfloppy   Sfloppy   -   system
`binary:
*Simbad   Simbad   -   disabled
`binary:
*SIS AGP Bus Filter   sisagp   running   boot
`binary: \SystemRoot\System32\DRIVERS\sisagp.sys
*Sparrow   Sparrow   -   disabled
`binary:
*Microsoft Kernel Audio Splitter   splitter   -   on demand
`binary: system32\drivers\splitter.sys
*System Restore Filter Driver   sr   running   boot
`binary: \SystemRoot\System32\DRIVERS\sr.sys
*Srv   Srv   running   on demand
`binary: System32\DRIVERS\srv.sys
*Software Bus Driver   swenum   running   on demand
`binary: System32\DRIVERS\swenum.sys
*Microsoft Kernel GS Wavetable Synthesizer   swmidi   -   on demand
`binary: system32\drivers\swmidi.sys
*symc810   symc810   -   disabled
`binary:
*symc8xx   symc8xx   -   disabled
`binary:
*sym_hi   sym_hi   -   disabled
`binary:
*sym_u3   sym_u3   -   disabled
`binary:
*Microsoft Kernel System Audio Device   sysaudio   running   on demand
`binary: system32\drivers\sysaudio.sys
*TCP/IP Protocol Driver   Tcpip   running   system
`binary: System32\DRIVERS\tcpip.sys
*tdim   tdim   running   auto
`binary: \??\C:\WINDOWS\System32\drivers\tdim.sys
*TDPIPE   TDPIPE   -   on demand
`binary:
*TDTCP   TDTCP   -   on demand
`binary:
*Terminal Device Driver   TermDD   running   system
`binary: System32\DRIVERS\termdd.sys
*TosIde   TosIde   -   disabled
`binary:
*Udfs   Udfs   -   disabled
`binary:
*ultra   ultra   -   disabled
`binary:
*Microcode Update Driver   Update   running   on demand
`binary: System32\DRIVERS\update.sys
*Microsoft USB 2.0 Enhanced Host Controller Mini   usbehci   running   on demand
`port Driver
`binary: System32\DRIVERS\usbehci.sys
*Compaq 11 Mbps Wireless USB Adapter   USBFVNETA   running   on demand
`binary: System32\DRIVERS\vnetusba.sys
*USB2 Enabled Hub   usbhub   running   on demand
`binary: System32\DRIVERS\usbhub.sys
*Microsoft USB Open Host Controller Miniport Dri   usbohci   running   on demand
`ver
`binary: System32\DRIVERS\usbohci.sys
*Microsoft USB Universal Host Controller Minipor   usbuhci   running   on demand
`t Driver
`binary: System32\DRIVERS\usbuhci.sys
*VGA Display Controller.   VgaSave   running   system
`binary: \SystemRoot\System32\drivers\vga.sys
*ViaIde   ViaIde   -   disabled
`binary:
*VolSnap   VolSnap   running   boot
`binary:
*Remote Access IP ARP Driver   Wanarp   running   on demand
`binary: System32\DRIVERS\wanarp.sys
*WDICA   WDICA   -   on demand
`binary:
*Microsoft WINMM WDM Audio Compatibility Driver   wdmaud   running   on demand
`binary: system32\drivers\wdmaud.sys
»Application specific

Thank you in advance for any help.

guestolo · « **Reply #2 on:** April 16, 2005, 01:46:33 AM »

==Download and Install this small program
to help clean your temp folders,cookies, recylebin
Windows Cleanup
Install for now, don't run a scan yet

From my signature below, download and save too desktop CWShredder.exe
Don't run it yet

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Find and delete these files if found
C:\WINDOWS\stsheets.dat <-file
C:\WINDOWS\SYSTEM32\DRIVERS\TDIM.SYS <-file

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't Log off

==Open CWShredder.exe and click the FIX button, let it FIX whatever it finds

Restart back to Normal mode and post back a fresh hijackthis log

Guest · « **Reply #3 on:** April 16, 2005, 03:11:43 PM »

Okay. I followed your instructions and here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 1:07:17 PM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Compaq 11 Mbps Wireless USB Adapter\configA.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\HijackThis.exe

O4 - Global Startup: Compaq Wireless Configuration.lnk = C:\Program Files\Compaq\Compaq 11 Mbps Wireless USB Adapter\configA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109996472497
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

Thank you for helping.

joannasmom · « **Reply #4 on:** April 16, 2005, 03:13:48 PM »

Okay. I followed your instructions and here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 1:07:17 PM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Compaq 11 Mbps Wireless USB Adapter\configA.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\HijackThis.exe

O4 - Global Startup: Compaq Wireless Configuration.lnk = C:\Program Files\Compaq\Compaq 11 Mbps Wireless USB Adapter\configA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109996472497
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

Thank you for helping.

guestolo · « **Reply #5 on:** April 16, 2005, 06:23:23 PM »

Your log looks good
You can go back and hide hidden files and folders now

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 as well

TheTechGuide Forum

News:

Author Topic: Hijacked browser (Read 1574 times)

joannasmom

Hijacked browser

joannasmom

Hijacked browser

guestolo

Hijacked browser

Guest

Hijacked browser

joannasmom

Hijacked browser

guestolo

Hijacked browser