incijalu
2005-11-09, 14:52
when I open internet explorer it opens (in the uppermost blue aert of IE) with
http://www.google.com.au (my home page)very briefly then changes to
http://www.httpwww.mspyc.hop.clickbank.net/rehop
then
http://www.myspywarecleaner.com/sc/?hop=httpwww
which also loads into the address bar and redirects my home page to an ad for myspywarecleaner ( google was changed to http://www.google.com.au./.com in the home page address bar - I deleted the 2nd /.com and this seems to have got me back to google as my home page though I'm not convinced that alone is enough to have got rid of the problem!
have run spybot but it doesn't seem to have got rid of it - tried to update spybot unsuccessfully a couple of times but get !!!badchecksum! is it likely that this hijacker could be blocking spybot? - Not sure where it came from - 3 teenagers also use this pc and despite antivirus (AVAST) windows firewall adaware still got this one - most likely with a download of some sort. Any Idea's on how to get rid of it and could it be specifically targetting spybot to prevent me from updating?
Spybot reports nothing found I've just installed spybot 1.4 from a demo cd which updated ok but reports nothing found
I'm running recently installed (week or 2 ago)Windows XP service pack 2 automatic updates activated (formatted and reinstalled OS after replacing MB and CPU needed to re -authenticate windows)- this only appeared a few days ago
running bitdefender now as I'm typing this which has so far identified (and deleted)
Tojan clicker
exploit win 32 MS
application browser hijacker Nav excel search toolbar
then seemed to hang displaying "update failed"
so will probably have to start it again ,then will try the other on - line scans suggested. I have an extremely slow dial up connection 28kbs - yes we are truly backwards out here in parts of Australia -and believe it or not we're only about 50 miles from the centre of Melbourne and this is the best we can get!
Thought I'd be a bit cheeky and post this in the meanwhile -hope nobody minds - I may have died of old age before I manage to go through the rest of the scans! following is the hijack this logfile
Cheers
Logfile of HijackThis v1.99.1
Scan saved at 9:54:13 PM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\PRISMSVR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ASUS\Probe\ASUSPROB.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\freeware\antispyware\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [FusionTrayAgent] C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
O4 - HKLM\..\Run: [FusionRemote] C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMC2862W-G EZ Connect g 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O15 - Trusted Zone: http://cache.ysbweb.com
O15 - Trusted Zone: http://www.ysbweb.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131027131156
O17 - HKLM\System\CCS\Services\Tcpip\..\{40D6E775-9427-41BA-82D6-9EDC0B973748}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
http://www.google.com.au (my home page)very briefly then changes to
http://www.httpwww.mspyc.hop.clickbank.net/rehop
then
http://www.myspywarecleaner.com/sc/?hop=httpwww
which also loads into the address bar and redirects my home page to an ad for myspywarecleaner ( google was changed to http://www.google.com.au./.com in the home page address bar - I deleted the 2nd /.com and this seems to have got me back to google as my home page though I'm not convinced that alone is enough to have got rid of the problem!
have run spybot but it doesn't seem to have got rid of it - tried to update spybot unsuccessfully a couple of times but get !!!badchecksum! is it likely that this hijacker could be blocking spybot? - Not sure where it came from - 3 teenagers also use this pc and despite antivirus (AVAST) windows firewall adaware still got this one - most likely with a download of some sort. Any Idea's on how to get rid of it and could it be specifically targetting spybot to prevent me from updating?
Spybot reports nothing found I've just installed spybot 1.4 from a demo cd which updated ok but reports nothing found
I'm running recently installed (week or 2 ago)Windows XP service pack 2 automatic updates activated (formatted and reinstalled OS after replacing MB and CPU needed to re -authenticate windows)- this only appeared a few days ago
running bitdefender now as I'm typing this which has so far identified (and deleted)
Tojan clicker
exploit win 32 MS
application browser hijacker Nav excel search toolbar
then seemed to hang displaying "update failed"
so will probably have to start it again ,then will try the other on - line scans suggested. I have an extremely slow dial up connection 28kbs - yes we are truly backwards out here in parts of Australia -and believe it or not we're only about 50 miles from the centre of Melbourne and this is the best we can get!
Thought I'd be a bit cheeky and post this in the meanwhile -hope nobody minds - I may have died of old age before I manage to go through the rest of the scans! following is the hijack this logfile
Cheers
Logfile of HijackThis v1.99.1
Scan saved at 9:54:13 PM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\PRISMSVR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ASUS\Probe\ASUSPROB.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\freeware\antispyware\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [FusionTrayAgent] C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
O4 - HKLM\..\Run: [FusionRemote] C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SMC2862W-G EZ Connect g 802.11g Wireless USB Utility.lnk = C:\Program Files\SMC\SMC2862W-G EZ Connect g 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O15 - Trusted Zone: http://cache.ysbweb.com
O15 - Trusted Zone: http://www.ysbweb.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131027131156
O17 - HKLM\System\CCS\Services\Tcpip\..\{40D6E775-9427-41BA-82D6-9EDC0B973748}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe