
possible ad/spyware ???

  • 27-06-2004 6:09pm
    #1
    Registered Users Posts: 678 ✭✭✭


    Mods feel free to move this if you think there is a better place for it.

    ok where to start...

    About 2 weeks ago my dad noticed a problem with internet explorer on his hard drive, (we have a dual boot system setup) running XP Pro SP1 and MSIE 6 SP1.
    basically what is happening is that the homepage seems to keep on changing to about:blank and loads up a website with smart search on it and it tries to download a dialler.

    first thought was ad/spyware and so i ran ad-aware and got rid of the 3 or 4 entries it found. thought nothing more of it and reset the homepage back to yahoo. the next day my dad went to go online and the same web page loaded up.

    Now this has been an ongoing annoyance for the last 2 weeks or so, i've run several virus scans and it picks up nothing, anti-virus, firewall, ad-aware are all kept up to date on a daily basis. I have done lots of searching on this matter but as yet have been unable to come up with a solution or find out what it even is for sure.

    I have discovered that if i run ad-aware and reset the homepage to yahoo, after rebooting everything will be fine and internet explorer will go to any site i want until i try to open another internet explorer window, as soon as a second IE window is opened, the homepage changes back to about:blank and that smart search page comes up and then i gotta go through the whole thing again.

    I've also tried running hijack this and the log file is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 16:01:01, on 27/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    D:\Downloads\Old Stuff\Programs\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Money Viewer (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38157.5230555556
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87327CC2-3BA9-4AD9-BF8F-EFFF24B17E8E}: NameServer = 194.145.128.1 194.125.2.206
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B3E420A4-83C4-4BA0-AAB3-3F9BFDE0DE9D}: NameServer = 194.145.128.1,194.125.2.206
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

    I cannot see any unusual programs running or starting up, again in the hi-jack this log it finds pretty much the same stuff ad-aware finds, and again when removed reset and gone back online, opening another IE window will cause the same stuff to arrive back.

    I've been through the registry on several occasions to see if there is anything odd loading up but again nothing out of the ordinary.

    finally i have tried running CWShredder for getting rid of cws stuff, that finds and removes 2 items also and they are:
    cws.jksearch and cws.svchost32

    all of the above scans etc. have also been done while in safe mode but alas once in normal windows mode it all goes pear shaped :(

    again this comes back each time they are removed and at this point it's doing my head in. as i said earlier everything is kept as up to date as i can keep it on a 56k modem :-\

    have spent countless hours searching on the net for solutions and gotten nowhere.

    Any and all help on this is greatly appreciated. Thanks :)


Comments

  • Site Banned Posts: 105 ✭✭dark_knight_ire


    Maybe you should try smacking the machine, show it who is boss. Funny, I had that problem too on my old machine but hey, not anymore, we both know why :D


  • Registered Users Posts: 18,484 ✭✭✭✭Stephen


    Try Spybot Search & Destroy, in my experience it usually finds more stuff than adaware.

    My parents' PC kept getting riddled with spyware, so I installed firefox and changed its shortcut to say "Internet Explorer" and use the IE icon. They haven't noticed the difference yet :)

    No more spyware has shown up either.


  • Registered Users Posts: 678 ✭✭✭Eye


    yeah but dark knight i don't wanna end up pi**ing all over my pc so i can get a new one :p

    might give spybot a shot alright, at this stage i'll try anything to avoid another reformat :-\


  • Registered Users Posts: 2,942 ✭✭✭Mac daddy


    O1 - Hosts: 213.159.117.235 auto.search.msn.com

    This appears to be hijacking your browser - normally you have the msn search - that gets hijacked and takes you off to this site 213.159.117.235

    Will check the rest for you


  • Registered Users Posts: 2,942 ✭✭✭Mac daddy


    Another quick scan for you
    Have hijack this get rid of these
    ==========================================================
    O1 - Hosts: 213.159.117.235 auto.search.msn.com = You have been hijacked!!!
    ==========================================================
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87327CC2-3BA9-4AD9-BF8F-EFFF24B17E8E}: NameServer = 194.145.128.1 194.125.2.206 == and again
    ==========================================================
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B3E420A4-83C4-4BA0-AAB3-3F9BFDE0DE9D}: NameServer = 194.145.128.1,194.125.2.206 == and again
    ==========================================================
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
    This is the other one causing you grief :)
    ==========================================================

    Happy hunting

    kevin :)
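
Added example, not part of the original thread: a small Python triage of the HijackThis sections singled out above (O1 hosts-file entries, O17 DNS settings, O18 protocol handlers), run over lines copied from the log in the first post. The function name `triage` and the finding labels are illustrative assumptions; O17 resolvers are only listed so they can be compared with the ISP's own DNS servers, not judged.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3E420A4-83C4-4BA0-AAB3-3F9BFDE0DE9D}: NameServer = 194.145.128.1,194.125.2.206
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
"""

ENTRY = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*)$")
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
NAMESERVER = re.compile(r"NameServer\s*=\s*(.+)$")
PROTOCOL = re.compile(r"^Protocol hijack:\s+(\S+)\s+-\s+(\{[0-9A-Fa-f-]+\})")


def triage(log_text):
    """Return (section, kind, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O1" and (h := HOSTS.match(body)):
            ip, name = h.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            # Loopback/0.0.0.0 entries are blocklist style; any other IP overrides DNS for that name.
            if not (addr.is_loopback or addr.is_unspecified):
                findings.append((section, "hosts-redirect", f"{name} -> {ip}"))
        elif section == "O17" and (n := NAMESERVER.search(body)):
            # Listed for comparison with the resolvers the ISP hands out; no verdict here.
            servers = re.split(r"[,\s]+", n.group(1).strip())
            findings.append((section, "dns-servers", " ".join(servers)))
        elif section == "O18" and (p := PROTOCOL.match(body)):
            # The handler CLSID for this URL scheme differs from the default.
            findings.append((section, "protocol-handler", f"{p.group(1)}: {p.group(2)}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```
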


  • Registered Users Posts: 2,942 ✭✭✭Mac daddy


    Originally posted by Eye
    i'll try anything to avoid another reformat :-\

    No need to reformat it is only spyware-


  • Closed Accounts Posts: 1,362 ✭✭✭the Guru


    A friend of mine is having the exact same issue and I can't get rid of it either but also when he hits homepage on this browser it's bringing up loads of porn pages which is not good if his wife finds them

    How do i get this sorted for him


  • Registered Users Posts: 2,942 ✭✭✭Mac daddy


    Originally posted by the Guru
    How do i get this sorted for him

    Show me the hijack this logs i will give it a quick gander for you

