Browser hijack and hijackthis log

Status
Not open for further replies.
Sorry if I'm the 100th person with this problem, but I've done what I could by reading other threads. I've been hijacked by navcancl, I've downloaded hijackthis, put it in its own directory, rebooted because I'd been trying to fix the prob with adaware SE, to no avail...

Here's the log... what to delete? Thank you, thank you for your help in advance, whoever you all are.
 

Attachments: hjt.txt (10.4 KB)
Only scanned over it, but saw these, and they aren't good news. I'm afraid I'm going to sleep for a moment, so I can't help further, but I would advise you to try installing and running Spybot Search and Destroy, and then posting a new HJT log.

Have you followed the instructions in THIS thread?

**********************************************************

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
- "My Way" Browser hijack - possibly CWS related


O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass32.dll - ietlbass32.dll - is a cool web search parasite variant

O4 - HKLM\..\Run: [wersds.exe] C:\WINDOWS\System32\doriot.exe - W32.Beagle Mass Mailer worm

O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus - eacceleration stops info is not spyware, but is undesirable.

O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe - suspicious. Corresponding entry at C:\Program Files\DeskAd Service\DeskAdServ.exe

O13 - WWW. Prefix: http://ehttp.cc/? associated with hugesearch.net and Spyware.CWSAddClass.B

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab - more nasty stuff here.

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab - More horrible stuff.

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing) - Adware.ClickDLoader.B

***************************************************************

I don't think you're having much luck here. :blush: :blackeye:
 
Nice try Spike, but by no means complete.

Ivan Moore,
It is incredible how INFESTED your PC is! Every single O4 is another virus/trojan/you name it!

Go to my post here and follow it EXACTLY, and I mean EXACTLY
How to remove Begin2Search / Coolwebsearch

After you have installed/updated/done everything there,

Boot in Safe Mode

Uninstall anything to do with:
C:\Program Files\DeskAd Service
C:\PROGRA~1\COMMON~1\WinTools
C:\Program Files\Common Files\eAcceleration\

Run HJT on its own and let it "fix" (whatever is left over after the first post above):

C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\WINDOWS\Help\SBSI\svrhard.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass32.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [logsys32host] C:\WINDOWS\System32\diagsmss32.exe
O4 - HKLM\..\Run: [dirhostrun] C:\WINDOWS\System32\spooldirhost.exe
O4 - HKLM\..\Run: [sysdisc] C:\WINDOWS\System32\smss32.exe
O4 - HKLM\..\Run: [wersds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [*javadoc] C:\WINDOWS\msagent\javadoc.exe
O4 - HKLM\..\Run: [*acweb] C:\WINDOWS\Tasks\acweb.exe
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [smss32x] C:\WINDOWS\System32\spool32win.exe %srun%
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKCU\..\Run: [hostdirdisc] C:\WINDOWS\System32\diagsmss32.exe
O4 - HKCU\..\Run: [cryptrun] C:\WINDOWS\System32\spooldirhost.exe
O4 - HKCU\..\Run: [crypt] C:\WINDOWS\System32\smss32.exe
O4 - HKCU\..\Run: [wersds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKCU\..\Run: [logexpolerx] C:\WINDOWS\System32\spool32win.exe %srun%
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Help\SBSI\svrhard.exe ren time:1104653397
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14578416-1111-1111-1111-111111411123} - file://C:\Documents and Settings\Ivan Moore\Desktop\1\calc.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28177.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Reboot again in Safe Mode. Make a new HJT log and post it here as a .txt file.
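Reading an HJT log by hand, as the replies in this thread do, comes down to splitting each line on its section code and checking a few properties of what the entry points at. The following is an added example written for this thread, not HijackThis code or anything the posters ran: it parses the line format seen in the logs above and flags the same kinds of entries the replies call out (orphaned file references, a redirected start page, run keys whose name does not match the executable, a WWW prefix override, ActiveX downloads from outside an allowlist). The sample log, the two allowlists and the name-mismatch heuristic are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format; the entries are copied from the log quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass32.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [wersds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Help\SBSI\svrhard.exe ren time:1104653397
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14578416-1111-1111-1111-111111411123} - file://C:\Documents and Settings\Ivan Moore\Desktop\1\calc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Assumed allowlists: domains whose ActiveX (O16) downloads are expected, and the hosts IE's start page may point at.
TRUSTED_DPF_DOMAINS = ("msn.com",)
EXPECTED_START_HOSTS = ("www.ktuu.com", "www.dell4me.com")
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def triage(log_text):
    """Parse each HJT line into section + body and attach the reasons a reviewer would flag it."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # headers, blank lines and anything that is not an HJT entry
        sec, body, flags = m.group("sec"), m.group("body"), []
        if "(file missing)" in body or "(no file)" in body:
            flags.append("orphan entry: the registry still points at a file that is gone")
        if sec.startswith("R") and "=" in body:  # IE start/search page values
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if host and host not in EXPECTED_START_HOSTS:
                flags.append(f"IE start/search page redirected to {host}")
        elif sec == "O4" and (o4 := O4_RE.match(body)):  # autostart entries
            exe = re.search(r'[^\\\s"]+\.exe', o4.group("cmd"), re.I)
            if exe and o4.group("name").lstrip("*").lower() != exe.group().lower():
                flags.append(f"run-key name {o4.group('name')!r} does not match {exe.group()} (weak signal)")
        elif sec == "O13" and body.startswith("WWW. Prefix:") and body.split(":", 1)[1].strip():
            flags.append("WWW prefix override: every bare hostname typed into IE is routed through it")
        elif sec == "O16":  # Downloaded Program Files (ActiveX controls)
            p = urlparse(url := body.rsplit(" - ", 1)[-1])
            host = p.hostname or ""
            if p.scheme == "file" or not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
                flags.append(f"ActiveX control downloaded from an untrusted source: {url}")
        findings.append({"section": sec, "entry": body, "flags": flags})
    return findings
```

Entries with an empty `flags` list (the MSN game control, the DOMP BHO) still need a human look; the heuristics only surface what can be read off the line itself.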
 
realblackstuff said:
Nice try Spike, but by no means complete.

:D I didn't think so.

I'm far from an expert on HJT logs, but I scanned over that and there were quite a few alarm bells even for me, so I looked at what jumped out at me a bit more closely. I didn't have the heart to say that that's one of the most infested PCs I've ever seen in the last year of being here on TS. Thanks for the encouragement though :)

On another note, for my own knowledge, I thought all that messenger and MSN stuff at the bottom of the log was related to the MSN messenger game activeX controls. Is this the case, or is there more to them than I know about?
 
Thanks Spike and Blackstuff. I appreciate your help and your honesty, and I'm not put out by your comments at all. Yes, my computer is messed up. I rely on the thing for work, but not for speed. I knew it was clogged with stuff, and was starting to get lots of ****yiiiii mails, but things didn't become truly intolerable until I got hijacked. I'm sorry if my digital cleanliness is off-putting.

I did everything you said. Here is the latest txt. The mails have stopped, I think. The computer is certainly running better, and I am no longer blocked on IE. And to my layman eyes, most of the badstuff appears to have been fixed.

If you can give me the rundown, and also... what do I do to keep clean? Which AV product do you recommend, and which of the various bots and cleaners that I used to get this far should I use?

Again, I really, really appreciate your help. Thank you.

whoops, forgot to attach... hey it's 6KB instead of 11 now!! :giddy:
 
One other thing...

Before I did all of this stuff that the two of you have suggested, my efforts to rid myself of this browser hijack amounted to running Ad-aware SE and my AV scan, both repeatedly.

I run and regularly use SPSS for Windows on my computer, a statistical analysis program. Trying to start SPSS now, I get the following error message...

16 bit Windows Subsystem

C:\Windows\System32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose "Close" to terminate the application.


There is a Close and an Ignore button. Pressing either makes the error box go away, but no program runs in either case.

I've tried reloading SPSS, but no luck.

Any suggestions?

Thanks again,

Ivan
 
In Safe Mode, let HJT "fix":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ktuu.com/
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

Run those programs from my post (Adaware and Spybot) regularly (updated!).
Keep your AV-definitions up-to-date.
Run full scans with all three at least once a week.

For the non-running 16-bit stuff, see here: https://www.techspot.com/vb/topic18653.html
 