#1
Dear members,
I am using Internet Explorer with Google as my homepage. The trouble started about a month ago when the lower half of my homepage was partly blocked by a pop-up known as Spy Bouncer. My Internet Explorer pop-up blocker is working fine, but only after allowing this particular pop-up (Spy Bouncer). It looks like this pop-up has got pasted to the bottom portion of my homepage. I can still use the URL, but I could not log in to my Google account nor use the search function. There is also an Internet Explorer script error pop-up, prompting me: do you want to continue running scripts on this page? CONTENT: error occurred in the script on this page/line:5/char:58/ error: popwin3-null or not a object/code:0 blah...blah..blah...... I have tried to eliminate this particular pop-up by various means (Ad-Aware SE Personal, Spybot Search & Destroy and Micro Trend, scanning in normal and safe mode) but was not successful. I have tried other help forums but could not fix the problem yet. Now I have changed my homepage to MSN. When I switch to Google the problem still persists. Can anybody help me fix this problem? THANKS in advance.
Last edited by loneyjy; 03-23-2006 at 03:55 AM.
#2
Since you have already tried AdAware and such you will have to remove it manually. Download a copy of Hijack This! located here: http://www.merijn.org/files/hijackthis.zip
Run it and click "Scan". It will bring up a list of your running processes and other addons installed into your browser (such as adware). Click the button "Save Log", save this text file somewhere like the desktop. Open that log file and paste the contents here. I will let you know what you need to remove.
__________________
Owner and Founder of Technibble - If you have a problem with any user, they are flaming/being elitist/making snide comments etc.. Press the report button which is on the top right of every post. This will highlight the post in an admin area for staff to see and deal with. For adminly tasks such as username changes, moving threads etc.. please contact Martyn Check out Technibbles twitter: http://www.twitter.com/technibble
#3
Here it goes:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:12 AM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S 2.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\New Folder\WordWeb\wweb32.exe
C:\Documents and Settings\dass.DAS\Desktop\hjt\hijackthis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S 2.EXE /P23 "EPSON Stylus C65 Series" /M "Stylus C65" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WordWeb.lnk = D:\New Folder\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks for your concern
#4
Quote:
Reboot your PC and see if popups are still spawning.
Question: do you have two system32 folders in your C:\Windows directory (you may need to show hidden files and folders), one starting with lowercase "s" and the other starting with an uppercase "S"? I'm concerned about this line; I believe the second svchost.exe might be fake, as one is in the folder "system32" and the other is in "System32" even though it SHOULD be the same process.
Quote:
Last edited by Bryce W; 03-25-2006 at 06:06 AM.
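Added example, not part of the original thread: a short Python triage of a HijackThis log for the concern raised in post #4. It folds path case before comparing (Windows file names are case-insensitive, so "system32" and "System32" name the same folder), reports an image name only when it runs from genuinely different directories, and lists entries marked "(file missing)". The sample log is constructed from lines in the thread plus one made-up look-alike path; parse and triage are hypothetical helper names.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.99.1 layout: lines copied from the thread's
# log, plus one constructed look-alike (C:\WINDOWS\svchost.exe) for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\New Folder\WordWeb\wweb32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.msn.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, e.g. "O2 - BHO: ..."

def parse(log):
    """Return (running process paths, [(code, text), ...]) from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:                      # first registry/file entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(log):
    """Flag image names running from several real directories, and orphaned entries."""
    procs, entries = parse(log)
    dirs = defaultdict(set)
    for path in procs:
        # Fold case before comparing: ...\system32\ and ...\System32\ collapse
        # into one directory, so only a truly different folder is reported.
        dirs[ntpath.basename(path).lower()].add(ntpath.normcase(ntpath.dirname(path)))
    return {
        "multi_dir": {n: sorted(d) for n, d in dirs.items() if len(d) > 1},
        "file_missing": [code for code, text in entries if text.endswith("(file missing)")],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, only the constructed C:\WINDOWS\svchost.exe causes svchost.exe to be reported; the two differently cased system32 paths alone produce no finding.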
#5
I have ticked the items mentioned by you and fixed them. After rebooting, the problem of the pop-up still persists. I am sending a fresh log of HJT. Here it goes:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:46 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S 2.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\New Folder\WordWeb\wweb32.exe
C:\Documents and Settings\dass.DAS\Desktop\hjt\hijackthis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S 2.EXE /P23 "EPSON Stylus C65 Series" /M "Stylus C65" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WordWeb.lnk = D:\New Folder\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

As for the Windows directory: the system32 folder is present, but I could not find a System32 folder (hidden files shown). But I came across 2 svchost.exe: 1 in the Windows - system32 folder, starting with lower case (svchost.exe), and the other with upper case in Windows - Prefetch, as SVCHOST.EXE 35308672.pf
#6
I have not got any reply from you since my last posting.
#7
Other than wweb32.exe (which I'm not sure what it is), everything else seems to be normal. Have you done a full virus scan with AVG?
#8
wweb.32: does it stand for WordWeb (online dictionary)? I use AVG to do online scanning at least once per week. Thanks.
#9
Just had a thought. Can you list the processes running on your PC using something like Process Explorer?
Although Hijack This! lists most of the processes that are running already and also any registry entries that are told to run programs on bootup, malware is often launched in other ways, such as attached to a DLL when IE starts up or in other locations of the registry. I noticed this the other day on a PC repair job with trojan/malware called mssearchnet.exe which would hide from Hijackthis!