#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    1
    Rep Power
    0

    Unhappy My son-in-law's been hijacked. Need help


    I am attempting to clear up a big mess on my son-in-laws computer. I managed to get rid of a mess of viruses and a couple worms and trojans.
    Can you help me with the Internet Browser which appears to have been hijacked. I've run Hijack This and this is the log. What should I get rid of?

    Thanks


    Logfile of HijackThis v1.97.7
    Scan saved at 9:04:57 PM, on 5/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://greatsearch.biz/
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Owner\Application Data\winov\winov32.dll
    O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\Owner\Application Data\winov\ntzp.dll
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Owner\Application Data\winov\msiesh.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
    O4 - HKLM\..\RunServices: [scvhost] scvhost.exe
    O4 - HKLM\..\RunServices: [Generic Service Process] serv1ces.exe
    O4 - HKLM\..\RunServices: [7626BEFF] C:\WINDOWS\System32\tdqktouluftyin.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\sdkqh32.dll,Install
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: SideFind (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...orter.cab?RND=
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26c88aa5105f714...E601Arcade.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
  2. #2
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    2
    Rep Power
    0

    Post spybot-sd


    I'm not familiar with hijack-this, but I've used Spybot-Search&Destroy and it's a good quality, free program. Ad-Aware is supposed to be a bit easier, though.

    here's a page with some general info and a link for both.
    http://www.siena.edu/antivirus/Spyware/default.html

    I strongly recommend NOT using Internet Exploder. (Most MS products have a poor track record compared to alternatives!)

    Instead, use Mozilla Firefox (wierd name, but cool browser). It's at http://www.mozilla.org/products/firefox/ After it's installed, I recommend removing the internet explorer icon from the desktop/quick start bar/start menu/etc so he can't get hijacked again.

    As far as I know, neither Mozilla (formerly Netscape) nor any derivatives are susceptible to hijacking, or many other vulnerabilities that IE suffers from.

    questions? mail me bobemitcATyahoo.com (note anti-spam: AT=@)

    Good luck
    Bob
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Location
    Regina, SK. Canada
    Posts
    9
    Rep Power
    0
    Originally Posted by bobemitc
    As far as I know, neither Mozilla (formerly Netscape) nor any derivatives are susceptible to hijacking, or many other vulnerabilities that IE suffers from.
    Mozilla is not formerly Netscape..infact Mozilla has been around longer then Netscape, Netscape is based on the Mozilla framework. and both are susceptible to hijacking.

    adaware (available at http://www.lavasoftusa.com or http://www.lavasoft.de) and spybot search and destroy are somewhat successfull at removing most of the hijack crap.

    I've heard good things about hijack-this...never used it myself though....
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    2
    Rep Power
    0
    I thought that if he'd heard of one of the two, Netscape was much more well-known.

    As for hijacking, I wasn't aware any current malware could do it; but the important point is that because IE is the dominant software, it is far more attractive to the donkey-holes who write hijackers. More attractive = more common.

    Still more important, the son-in-law should learn not to install free stuff indiscriminately. Chances are, he heard about the malware through an ad. Ads cost money. So if the software really *IS* free, how did they pay for the ad? It is sooooo obvious.... It's too bad that 'net common sense can be so hard to learn.

    Bob

IMN logo majestic logo threadwatch logo seochat tools logo