A
Angie
My home page seems to have been hijacked by search-for-you.com, have
reset it countless times and deleted everything I can find in the
registry that refers to this but it keeps coming back. Am really fed
up with this and am about to reformat (yuck!) but hoping that someone
will look at my Hijack This log and tell me what, if anything, is safe
to delete etc.
Please.......someone?????
Logfile of HijackThis v1.97.7
Scan saved at 09:38:00, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\DitExp.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Angela\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://www.aldi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\windows\googletoolbar1.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10}
- (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe
-CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program
Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE
/AUTORUN
O4 - HKLM\..\Run: [RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate
Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ntldr] C:\WINDOWS\System32\ntldr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
/STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos
SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search -
res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages -
res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: GetMP3 (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/111.chm::/file.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} -
file://c:\temp\setup1.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38139.4361574074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office
Tools on the Web Control) -
http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class)
- http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
reset it countless times and deleted everything I can find in the
registry that refers to this but it keeps coming back. Am really fed
up with this and am about to reformat (yuck!) but hoping that someone
will look at my Hijack This log and tell me what, if anything, is safe
to delete etc.
Please.......someone?????
Logfile of HijackThis v1.97.7
Scan saved at 09:38:00, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\DitExp.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Angela\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://www.aldi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\windows\googletoolbar1.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10}
- (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe
-CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program
Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE
/AUTORUN
O4 - HKLM\..\Run: [RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate
Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ntldr] C:\WINDOWS\System32\ntldr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
/STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos
SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search -
res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages -
res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: GetMP3 (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
ms-its:mhtml:file://c:\nosuch.mht!http://www.toolbars-cash.com/clk/111.chm::/file.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} -
file://c:\temp\setup1.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38139.4361574074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office
Tools on the Web Control) -
http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class)
- http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
hades.axsia-howmar.co.uk,pandora.axsia-howmar.co.uk,zeus.axsia-howmar.co.uk