| Thread ID: 50035 | 2004-10-08 07:13:00 | Browser Hijack | Pazzin (5084) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 279223 | 2004-10-08 07:13:00 | Hi there I keep getting hijacked and disconnected from the net. I believe it may be a coolweb/shader problem. I have run Nortons, Ad-aware, Spybot and CwShredder all in safe mode. All are current and up to date. I then ran Hijack this and have attached the log below. If anyone could help I would really appreciate it. Logfile of HijackThis v1.98.2 Scan saved at 7:18:34 p.m., on 08/10/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v5.50 (5.50.4134.0600) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\HIDSERV.EXE C:\WINDOWS\SYSTEM\SISTRAY.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\KHOOKER.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\MIXER.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE C:\WINDOWS\SYSTEM\SYSTIME.EXE C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE C:\WINDOWS\RunDLL.exe C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE C:\WINDOWS\SYSTEM\SYSTIME.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\E_S10IC2.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 
about:NavigationFailure R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 213.159.117.134 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 213.159.117.134 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [KeyMaestro] C:\TOOLS\KMAESTRO\KMaestro.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone 
Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/ O15 - Trusted Zone: *.windupdates.com O16 - DPF: {E3837940-0A7D-11D3-9E70-0080C84BBDBB} (Bank of New Zealand Banking Custom) - www.bnz.co.nz O16 - DPF: {97C402A0-B98E-11D2-9E3F-0080C84BBDBB} (BNZ Internet Banking Images) - www.bnz.co.nz O16 - DPF: NeuronData Classes - www.bnz.co.nz O16 - DPF: BNZ PCIB Classes - www.bnz.co.nz O16 - DPF: BNZ Migration Classes - www.bnz.co.nz |
Pazzin (5084) | ||
| 279224 | 2004-10-08 07:27:00 | What is khooker.exe? D. |
drb1 (4492) | ||
| 279225 | 2004-10-08 07:41:00 | Hi there I'm pretty sure khooker is legitimate, let me know if you know otherwise though. Cheers - Pazzin |
Pazzin (5084) | ||
| 279226 | 2004-10-08 07:53:00 | khooker.exe SiS KHooker 2 SiS Keyboard Daemon. System Tray utility which gets installed by the drivers of the latter day SiS VGA cards. Can cause errors at startup and isn't required. Google » www.windowsstartup.com Now we both know. D. |
drb1 (4492) | ||
| 279227 | 2004-10-08 08:06:00 | If you can stay connected try these programs or do an online scan. Have a look at the FAQ for spyware removal info too. Stinger stinger (vil.nai.com) A2 here (www.emsisoft.com) Panda Active Scan -- here (www.pandasoftware.com) Housecall -- here (www.trendmicro.com) Trojan scans here (www.anti-trojan.net) Spyware scan here (www.windowsecurity.com) hth |
johnboy (217) | ||
| 279228 | 2004-10-08 08:22:00 | > If you can stay connected try these programs or do an online scan. Have a look at the FAQ for spyware removal info too. > Stinger stinger (vil.nai.com) > A2 here (www.emsisoft.com) > Panda Active Scan -- here (www.pandasoftware.com) > Housecall -- here (www.trendmicro.com) > Trojan scans here (www.anti-trojan.net) > Spyware scan here (www.windowsecurity.com) > > hth John, Trojan scan is an IE only site FAI. D. |
drb1 (4492) | ||
| 279229 | 2004-10-08 20:13:00 | I would suggest getting HijackThis to fix the following lines: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 213.159.117.134 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 213.159.117.134 O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/ |
tommy (2826) | ||
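
An added example, not part of the thread: a small Python triage that applies the pattern behind the lines selected in the post above to HijackThis-style log text. The rules (bare-IP page values, `about:` pseudo-URLs other than `about:blank`, any O14 `START_PAGE_URL`) are assumptions drawn from this log, and the sample is a constructed subset of the posted lines.

```python
import re
from ipaddress import ip_address

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 213.159.117.134
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 213.159.117.134
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O14 - IERESET.INF: START_PAGE_URL=http://apcstart.com/
"""

# "<section> - <body>", e.g. "R0 - HKCU\...,Start Page = value"
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")


def is_bare_ip(value):
    """True when the value is nothing but an IP address (no hostname, no scheme)."""
    try:
        ip_address(value.strip())
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (section, reason, line) tuples for entries worth manual review.

    Heuristics are assumptions for illustration, not HijackThis behaviour.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, or blank line
        section, body = m.groups()
        if section in ("R0", "R1") and " = " in body:
            value = body.rsplit(" = ", 1)[1]
            if is_bare_ip(value):
                findings.append((section, "IE page set to a bare IP address", line))
            elif value.lower().startswith("about:") and value.lower() != "about:blank":
                findings.append((section, "IE setting points at an about: pseudo-URL", line))
        elif section == "O14" and "START_PAGE_URL=" in body:
            findings.append((section, "IERESET.INF overrides the reset start page", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Flagged lines are candidates for manual review, not automatic removal; startup entries such as the O4 khooker.exe line are left untouched because they need a lookup of the file itself.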
| 279230 | 2004-10-09 01:59:00 | Hi all Thank you all for your help as it has all been useful. I ran Panda Active Scan and it picked up four items that all the other software didn't. I then ran HijackThis again and cleared out the entries as suggested. All runs fine now and no more hijacks. Thanks again - Pazzin |
Pazzin (5084) | ||