Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 26

Thread: browser and XP firewall hijack

  1. #11
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    It is possible....have you ran any spyware removale tools recently? They can tell you if you have picked up alot of things. Also updating your AV and running it in safe mode will be benificial.
    There are several really good tutorials that cover securing your system:
    http://www.antionline.com/showthread...hreadid=255684
    http://www.antionline.com/showthread...hreadid=255353
    http://www.antionline.com/showthread...hreadid=255443
    Are the 3 latest.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  2. #12
    Junior Member
    Join Date
    Mar 2004
    Posts
    9
    Here is the log.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:47:12 PM, on 3/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\r_server.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeitv.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus7.hpwis.com/
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\aal4fohw.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/Mul...ctComboBox.cab
    O16 - DPF: {5D68B82D-C79F-4FFC-83C0-8D0FC794CEF2} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O16 - DPF: {ED29A481-CD46-43D9-85AA-E6E869DF2214} (MercStats.cStats) - file://C:\Program Files\Mercury\Content\cabs\MercStats.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AD1A0F6B-A512-49DD-AF83-A629A5EB4517}: NameServer = 24.95.227.36,24.95.227.37
    [glowpurple]Provide the Customer with Service that Exceeds their Expectatiions[/glowpurple]

  3. #13
    04 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    This isn't a big deal, but I think most people on AO would rather have this disabled. Search the site for "Disable msmsgs". If your firewall doesn't block it, I think you can receive messenger SPAM.

    Are these sites what you would like them to be? Or are these pages that are set from the hijack?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeitv.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus7.hpwis.com/

    Other than that, everything looks ok to me, nothing obvious.

  4. #14
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    excuse me but isnt this Radmin? "C:\WINDOWS\System32\r_server.exe" Have you installed radmin on your computer for remote administration? if not your severly owned

    also "C:\WINDOWS\System32\sysme.exe" gotta go
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #15
    Junior Member
    Join Date
    Mar 2004
    Posts
    9

    Smile

    The urls were good. Zone alarm will take good care of me from now on. I do use the radmin for remote administraiton.

    Thanks for all of the great advice. I will be sure to pass it on.

  6. #16
    just my 2 rupees...

    If I remember correctly, renaming the Messenger folder to something like Messenger_Backup or Messenger_Old seems to work...

    Is it possible/probable that the Real Updater or Moneyside application is downloading junk in the background?

    Also -- just a humble observation -- but why do you have both Money and Quicken installed?

  7. #17
    Use adware.
    It might be spyware on your pc.
    \"If knowledge is power. Why doesn\'t everybody read?\"

  8. #18
    As for money and quicken, those probably have safe uninstalls in the add/remove function of the windows control panel. It's probably safer than hacking away at it with Hijack this. If you actually use it, don't freak out about it because it probably doesn't download anything huge.

    WarTux:
    I have run updated versions of adaware and spybot as well as various other programs all to no avail. Nothing will find it or delete it.

  9. #19
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    LOL.. soda.. I pointed out the exact same thing to WarTux in this thread.
    it seems he doesn't read very well and thinks adaware is the catch all..

  10. #20
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Just some thoughts:

    1) You need to put HijackThis into its own folder . To do so:
    Click My Computer, then C:\
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

    2) O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
    This one is a baddie... virus/trojan related.
    Here is how I have seen the experts fix it:
    Click here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste this entry:

    C:\WINDOWS\System32\sysme.exe

    Click 'Exit' when done.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacoolsoftware.net/downloa...setup.exe. Then try TheKillbox again.

    Make sure that you have no other browsers or windows open as this could prevent the fix from working properly.

    If you want to read the actual post that I took this from you can view it here

    3) Here are some things that should be fixed with HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    4) These are things that you don't need running on startup- they hog system resources:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    To fix this: 1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK

    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •