Hijacker crap, can't find/get rid of it...

Ash_Parnal
08-21-2004, 12:22 PM
I got some junk on my 'puter after a friend visited, why don't I ever learn?

Don't know what it is, but it resets the homepage to some strange search engine, or Google.com.. Also creates a directory on the c: called hlp that contains a launch file for IE.

I've tried:

Norton Antivirus
Symantec
F-secure
Mcafee (I am desperate!)
Panda
Adaware SE w. latest updates
CWShredder
HijackThis
Spysweeper
Xsoftspy

And none of them can find it.. Obviously there is something since it keeps happening. I've deleted all run commands that I can't recognize and deleted all unknown registry keys in the execute range. But, it still happens...

Luckily SpySweeper's monitor can catch the attempt and stop it, but it still bugs me that it happens! :P

Anyone got a suggestion as to a program I can run and see if it finds anything? Don't wanna reformat again.. :)

Amadeus
08-21-2004, 01:34 PM
AdAware found some stuff for me that other software didn't...

Ash_Parnal
08-21-2004, 06:31 PM
Adaware doesn't find it.. :\

Ash_Parnal
08-21-2004, 06:53 PM
And, I tried commandcentral too.. sheshh... God damnit.. I hope it's not a format /s waiting to happen.. :o

fatalerror
08-21-2004, 07:01 PM
go to download.com, get spybot 1.3 and use all the hosts options and ie tweaks under advanced settings

Ash_Parnal
08-21-2004, 07:34 PM
Haven't tried that one.. will try it asap.. :)

Ash_Parnal
08-21-2004, 07:49 PM
Hey now, this proggy found some crap...

Spex DSO Exploit...

But can't remove because it's in memory..

At least I got the name of the damn thing.. now it's time to reboot in safe mode and kill the sucker.. :P

Mystikalrush
08-21-2004, 07:58 PM
are you sure your IE isn't defaulted to the site at start up...?

Ash_Parnal
08-21-2004, 08:11 PM
Yah, it's not defaulted there.. it's locked at login1.telia.com..

There's just this one registry key that I can't get rid of..

:\ Apparently, the entire thing reloads though at reboot because of it!

How annoying.. doesn't delete properly even in safe mode..

Well.. it can't do any harm at the moment, spybot resets the key at each reboot so it doesn't create the directory and file.... and spysweeper prevents it from altering the weblink.. but it's always nice to get rid of such crap from your system!!!!

Nonie54
08-30-2004, 01:27 PM
run all that shit in safemode.

-K-Crypt
08-30-2004, 04:48 PM
If you are still having probs get HijackThis and post up the log.

Ash_Parnal
08-31-2004, 03:43 AM
Installed Firefox and it's working... but every time I try to use Explorer it starts like 3 processes and voila! Tonsa shit in.. :)

Will post HijackThis log.. :P

Ash_Parnal
08-31-2004, 10:41 PM
Here is the HijackThis log.. anyone see anything strange??

Yes, currently using Panda.. it works.. :)

Logfile of HijackThis v1.98.2
Scan saved at 04:45:58, on 2004-09-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2004\PavProt.exe
C:\Program\Delade filer\Panda Software\PavShld\pavprsrv.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2004\prevsrv.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Program\Logitech\iTouch\iTouch.exe
C:\Program\D-Tools\daemon.exe
C:\Program\CyberLink\PowerVCRII\Agent.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\CursorXP\CursorXP.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\eMule\emule.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Program\WinRAR\WinRAR.exe
C:\DOCUME~1\WINXP\LOKALA~1\Temp\Rar$EX00.485\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Agent] C:\Program\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program\CursorXP\CursorXP.exe
O4 - Global Startup: Intellisync Lite for NEC 616.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Corel Network monitor worker - {ED5B4498-5C7A-4EB2-A9F6-09EC246B5850} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {ED5B4498-5C7A-4EB2-A9F6-09EC246B5850} - (no file)
O9 - Extra button: Corel Network monitor worker - {ED5B4498-5C7A-4EB2-A9F6-09EC246B5850} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {ED5B4498-5C7A-4EB2-A9F6-09EC246B5850} - (no file) (HKCU)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O20 - AppInit_DLLs: PAVWAIT.DLL

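An added example, not code from this thread or from HijackThis: a small Python script that parses HijackThis log lines like the ones posted above and flags the entries a responder would look at first. The sample lines are copied from the log above; the triage rules (O6 policy restriction, which is what keeps a start page "locked", orphaned "(no file)" entries, AppInit_DLLs, Run entries without a full path) are my own review heuristics, not HijackThis's.

```python
import re

# Constructed sample: seven lines copied verbatim from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Corel Network monitor worker - {ED5B4498-5C7A-4EB2-A9F6-09EC246B5850} - (no file)
O20 - AppInit_DLLs: PAVWAIT.DLL
"""

# Every HijackThis entry starts with a section tag (R0, R1, F1, N1, O2 ... O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# A body containing "X:\" is anchored to a concrete file path rather than a bare file name.
FULL_PATH_RE = re.compile(r"[A-Za-z]:\\")

def parse_hjt(log_text):
    """Return (section, body) tuples for every entry line; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def triage(entries):
    """Apply my own review heuristics (not HijackThis's); return (section, body, reason) per hit."""
    findings = []
    for section, body in entries:
        reason = None
        if section == "O6":
            reason = "IE policy restriction present; explains a start page the user cannot change"
        elif section in ("R0", "R1") and "Start Page" in body:
            reason = "start page setting; confirm the URL is the one the user chose"
        elif "(no file)" in body:
            reason = "orphaned entry; target file is gone, the registry reference can be removed"
        elif section == "O20":
            reason = "AppInit_DLLs loads into every GUI process; confirm the DLL belongs to installed software"
        elif section == "O4" and not FULL_PATH_RE.search(body):
            reason = "Run entry without a full path; which binary runs depends on PATH lookup"
        if reason:
            findings.append((section, body, reason))
    return findings

if __name__ == "__main__":
    for section, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {reason}\n     {body}")
```

Run it on a whole saved log (read the file and pass its text to parse_hjt) to get a short list of entries worth checking before touching anything in the registry.
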
Ash_Parnal
08-31-2004, 10:42 PM
Why does svchost run several instances tho? And two explorer instances?