TechSpot

Browser hijack and hijackthis log

By Ivan Moore
Jan 5, 2005
Topic Status:
Not open for further replies.
  1. Sorry if I'm the 100th person with this problem, but I've done what I could by reading other threads. I've been hijacked by navcancl, I've downloaded hijackthis, put it in its own directory, rebooted because I'd been trying to fix the prob with adaware SE, to no avail...

    Here's the log... what to delete? Thank you, thank you for your help in advance, whoever you all are.
     

    Attached file: hjt.txt (10.4 KB)
  2. Spike

    Spike TS Rookie Posts: 2,371

    Only scanned over it, but saw these, and they aren't good news. I'm afraid I'm going to sleep for a moment, so I can't help further, but I would advise you to try installing and running spybot search and destroy, and then posting a new HJT log.

    Have you followed the instructions in THIS thread?

    **********************************************************

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    - "My Way" Browser hijack - possibly CWS related


    O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass32.dll - ietlbass32.dll - is a cool web search parasite variant

    O4 - HKLM\..\Run: [wersds.exe] C:\WINDOWS\System32\doriot.exe - W32.Beagle Mass Mailer worm

    O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus -eacceleration stops info is not spyware, but is undesirable.

    O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe - suspicious. Corresponding entry at C:\Program Files\DeskAd Service\DeskAdServ.exe

    O13 - WWW. Prefix: http://ehttp.cc/? associated with hugesearch.net and Spyware.CWSAddClass.B

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab - more nasty stuff here.

    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab - More horrible stuff.

    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing) - Adware.ClickDLoader.B

    ***************************************************************

    I don't think you're having much luck here. :blush: :blackeye:
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Nice try Spike, but by no means complete.

    Ivan Moore,
    It is incredible how INFESTED your PC is! Every single O4 is another virus/trojan/you name it!

    Go to my post here and follow it EXACTLY, and I mean EXACTLY
    How to remove Begin2Search / Coolwebsearch

    After you have installed/updated/done everything there,

    Boot in Safe Mode

    Uninstall anything to do with:
    C:\Program Files\DeskAd Service
    C:\PROGRA~1\COMMON~1\WinTools
    C:\Program Files\Common Files\eAcceleration\

    Run HJT on its own and let it "fix" (whatever is left over after the first post above):

    C:\Program Files\DeskAd Service\DeskAdServ.exe
    C:\WINDOWS\Help\SBSI\svrhard.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass32.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [logsys32host] C:\WINDOWS\System32\diagsmss32.exe
    O4 - HKLM\..\Run: [dirhostrun] C:\WINDOWS\System32\spooldirhost.exe
    O4 - HKLM\..\Run: [sysdisc] C:\WINDOWS\System32\smss32.exe
    O4 - HKLM\..\Run: [wersds.exe] C:\WINDOWS\System32\doriot.exe
    O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
    O4 - HKLM\..\Run: [*javadoc] C:\WINDOWS\msagent\javadoc.exe
    O4 - HKLM\..\Run: [*acweb] C:\WINDOWS\Tasks\acweb.exe
    O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
    O4 - HKLM\..\Run: [smss32x] C:\WINDOWS\System32\spool32win.exe %srun%
    O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
    O4 - HKCU\..\Run: [hostdirdisc] C:\WINDOWS\System32\diagsmss32.exe
    O4 - HKCU\..\Run: [cryptrun] C:\WINDOWS\System32\spooldirhost.exe
    O4 - HKCU\..\Run: [crypt] C:\WINDOWS\System32\smss32.exe
    O4 - HKCU\..\Run: [wersds.exe] C:\WINDOWS\System32\doriot.exe
    O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
    O4 - HKCU\..\Run: [logexpolerx] C:\WINDOWS\System32\spool32win.exe %srun%
    O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Help\SBSI\svrhard.exe ren time:1104653397
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O13 - WWW. Prefix: http://ehttp.cc/?
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {14578416-1111-1111-1111-111111411123} - file://C:\Documents and Settings\Ivan Moore\Desktop\1\calc.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28177.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    Reboot again in Safe mode. Make a new HJT-log and post it here as a .txt file
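A first-pass triage of the entry types the two helpers above walked through by hand (orphaned "(file missing)" entries, hijacked R0/R1 pages, unknown System32 autoruns, the O13 prefix override, O16 ActiveX cabs from untrusted hosts, unknown O23 services), as an added Python example that is not from this thread or from HijackThis itself. The sample lines are a constructed subset in the shape of the quoted log, and the two allow-lists are placeholder assumptions an analyst would maintain; named BHOs such as the DOMP Class entry still need the manual lookup the helpers did.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis log quoted in this thread (a subset, not the attached file).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [sysdisc] C:\WINDOWS\System32\smss32.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
""".strip().splitlines()

# Assumed analyst allow-lists (placeholders): hosts accepted for start/search pages and ActiveX cabs, and System32 binaries expected in Run keys.
TRUSTED_HOSTS = {"msn.com", "microsoft.com"}
KNOWN_SYSTEM32_RUN = {"userinit.exe", "ctfmon.exe"}
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")   # "O4 - <body>"
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s+(?P<target>.+)$")  # "[name] <target>"

def host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)

def triage(lines):
    """Return (section, reason, line) for entries a helper would ask HJT to 'fix'."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()
        if "(file missing)" in low or "(no file)" in low:
            findings.append((sec, "orphaned entry: referenced file is gone", line))
        elif sec[0] == "R" and (value := body.partition(" =")[2].strip()) and not host_trusted(value):
            findings.append((sec, f"start/search page off the allow-list: {value}", line))
        elif sec == "O4" and (o4 := O4_RE.search(body)) and "\\system32\\" in o4.group("target").lower():
            exe = o4.group("target").lower().rsplit("\\", 1)[-1].split(" ")[0]
            if exe not in KNOWN_SYSTEM32_RUN:
                findings.append((sec, f"unknown System32 autorun: {exe}", line))
        elif sec == "O13":
            findings.append((sec, "URL prefix override (browser hijack indicator)", line))
        elif sec == "O16" and not host_trusted(body.rsplit(" - ", 1)[-1]):
            findings.append((sec, "ActiveX download from an untrusted host", line))
        elif sec == "O23" and " - unknown - " in low:
            findings.append((sec, "service with unknown publisher", line))
    return findings
```

On the sample above it reports six entries and leaves the DeskAd Program Files autorun and the MSN game control alone, which is the same split the helpers drew, so treat it as a way to shorten the manual pass, not replace it.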
     
  4. Spike

    Spike TS Rookie Posts: 2,371

    :D I didn't think so.

    I'm far from an expert on HJT logs, but I scanned over that and there were quite a few alarm bells even for me, so I looked at what jumped out at me a bit more closely. I didn't have the heart to say that that's one of the most infested PCs I've ever seen in the last year of being here on TS. Thanks for the encouragement though :)

    On another note, for my own knowledge, I thought all that messenger and MSN stuff at the bottom of the log was related to the MSN messenger game activeX controls. Is this the case, or is there more to them than I know about?
     
  5. Ivan Moore

    Ivan Moore TS Rookie Topic Starter

    Thanks Spike and Blackstuff. I appreciate your help and your honesty, and I'm not put out by your comments at all. Yes, my computer is messed up. I rely on the thing for work, but not for speed. I knew it was clogged with stuff, and was starting to get lots of ****yiiiii mails, but things didn't become truly intolerable until I got hijacked. I'm sorry if my digital cleanliness is off-putting.

    I did everything you said. Here is the latest txt. The mails have stopped, I think. The computer is certainly running better, and I am no longer blocked on IE. And to my layman eyes, most of the bad stuff appears to have been fixed.

    If you can give me the rundown, and also... what do I do to keep clean? Which AV product do you recommend, and which of the various bots and cleaners that I used to get this far should I use?

    Again, I really, really appreciate your help. Thank you.

    whoops, forgot to attach... hey it's 6KB instead of 11 now!! :giddy:
     
  6. Ivan Moore

    Ivan Moore TS Rookie Topic Starter

    One other thing...

    Before I did all of this stuff that the two of you have suggested, my efforts to rid myself of this browser hijack amounted to running Ad-aware SE and my AV scan, both repeatedly.

    I run and regularly use SPSS for Windows on my computer, a statistical analysis program. Trying to start SPSS now, I get the following error message...

    16 bit Windows Subsystem

    C:\Windows\System32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose "Close" to terminate the application.


    There is a Close and an Ignore button. Pressing either makes the error box go away, but no program runs in either case.

    I've tried reloading SPSS, but no luck.

    Any suggestions?

    Thanks again,

    Ivan
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    In Safe Mode, let HJT "fix":

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ktuu.com/
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    Run those programs from my post (Adaware and Spybot) regularly (updated!).
    Keep your AV-definitions up-to-date.
    Run full scans with all three at least once a week.

    For the non-running 16-bit stuff, see here: http://www.techspot.com/vb/topic18653.html
     
  8. Ivan Moore

    Ivan Moore TS Rookie Topic Starter

    thx mr guinness...
     

