| View previous topic :: View next topic |
| Author |
Message |
sponge_cam
Cadet
Joined: May 21, 2004
Posts: 4
Location: UK
|
 Posted: Fri May 21, 2004 10:46 am Post subject: Hijacked IE |
|
|
Hi, i have just removed the annoying amazingautosearch from a mate of mine computer using spybot search and destroy and hijack this - however there is still one problem. whenever she searches for a web page that doesn't exist she now gets some wierd search page come up as opposed to the standard ie 6 - cannot find server / this page cannot be displayed
any ideas on how i can fix this for her? i don't know if this is a result of the amazingautosearch stuff or not. |
|
| Back to top |
|
 |
sponge_cam
Cadet
Joined: May 21, 2004
Posts: 4
Location: UK
|
| Posted: Sat May 22, 2004 6:08 am Post subject: |
|
|
| can no one help me here? is this even the right forum to be using? what do i need to edit in the registry or in explorer settings to get it back to normal? |
|
| Back to top |
|
|
lilliebet65
Site Moderator
Premium Member
Joined: Dec 03, 2003
Posts: 2093
Location: UK
|
| Posted: Sat May 22, 2004 6:50 am Post subject: |
|
|
Hi sponge_cam
It might be a good idea to post the latest Hijack This Log here. One of our experts will have a look for you. 
_________________
I'm Spartacus! |
|
| Back to top |
|
|
sponge_cam
Cadet
Joined: May 21, 2004
Posts: 4
Location: UK
|
| Posted: Sat May 22, 2004 11:42 am Post subject: |
|
|
Logfile of HijackThis v1.97.7
Scan saved at 16:32:53, on 22/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\thunk hope\HoldMediaShow.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\BCDC++\DCPlusPlus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Claire Ross\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.hermes.cam.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/homepage-o
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Claire's Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/info/homepage-o
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1288AF43-1CE2-EBA0-32D8-A85E795D4155} - C:\PROGRA~1\SEEKPO~1\kind ford.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
========
the following result was not here when i last ran the program
========
O3 - Toolbar: Platformjugsdefault - {25EB878B-F6F6-13D3-7CB3-EB17C61640E0} - C:\PROGRA~1\SEEKPO~1\kind ford.dll
========
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
========
does anyone know what this program is? - i can't find reference to it anywhere - i don't know if its spyware or part of the computer's operating system provided by hp
========
O4 - HKLM\..\Run: [Mpegbird] C:\PROGRA~1\thunk hope\HoldMediaShow.exe
========
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/homepage-o
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...Client.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab |
|
| Back to top |
|
|
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2344
Location: USA
|
| Posted: Sat May 22, 2004 12:11 pm Post subject: |
|
|
First move hijackthis to a folder. It will clutter your desktop with backup files if you don't.
Right click on the taskbar and open task manager.
Find the following in the applications or processes tab and end task on it:
HoldMediaShow.exe
Then close all windows and have hijackthis fix the following:
O2 - BHO: (no name) - {1288AF43-1CE2-EBA0-32D8-A85E795D4155} - C:\PROGRA~1\SEEKPO~1\kind ford.dll
O3 - Toolbar: Platformjugsdefault - {25EB878B-F6F6-13D3-7CB3-EB17C61640E0} - C:\PROGRA~1\SEEKPO~1\kind ford.dll
O4 - HKLM\..\Run: [Mpegbird] C:\PROGRA~1\thunk hope\HoldMediaShow.exe
Then delete the folder in C:\Program Files that begins with SEEKPO..
Delete folder C:\Program Files\thunk hope
Boot to safe mode if you cannot delete them in normal mode.
Then
Download ad-aware here -> http://fileforum.betanews.com/detail.php3?fid=965718306
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
Then ........
From main window :Click "Start" then " Activate in-depth scan"
then......
click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"
then.........
Click the "Tweak" button.
Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning"
Then........"Cleaning engine" and "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion"
then...... click "proceed" to save your settings.
Now to scan it´s just to click the "Next" button.
When scan is finished, mark everything for removal and get rid of it. .(Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.
You need to get to the windows updates site and get all the critical updates. You should be at SP1 for both windows xp and IE.
_________________
Yellowhammer
5 steps to protect yourself from malware here.
Do not PM me with hijackthis logs. |
|
| Back to top |
|
|
sponge_cam
Cadet
Joined: May 21, 2004
Posts: 4
Location: UK
|
| Posted: Sat May 22, 2004 6:24 pm Post subject: |
|
|
right that is all sorted thanks ppl
i hadn't run adaware because i don't usually have it find anything spybot doesn't get on my own machine - however my own machine is up to date and fully firewalled etc - hence it never occured to me to use it - doh!
thanks for the help |
|
| Back to top |
|
|
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2344
Location: USA
|
| Posted: Sat May 22, 2004 6:32 pm Post subject: |
|
|
Your welcome
_________________
Yellowhammer
5 steps to protect yourself from malware here.
Do not PM me with hijackthis logs. |
|
| Back to top |
|
|
lilliebet65
Site Moderator
Premium Member
Joined: Dec 03, 2003
Posts: 2093
Location: UK
|
| Posted: Sat May 22, 2004 6:34 pm Post subject: |
|
|
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
To reduce the chances of future Spyware/Hijacking problems, please follow the suggestions here: http://www.computercops.biz/postt7736.html
_________________
I'm Spartacus! |
|
| Back to top |
|
|
|
|
You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0.
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
