Hijack this



AWDkitkat
03-18-2004, 12:38 AM
A friend told me that if anyone could help me, the members here could. The pic below shows my problem. I've also included a scan from HijackThis.

Another VERY ANNOYING problem is that popups will lock the Iexplorer window I'm in for 60+120 seconds. This includes any link that opens a new window (I guess that counts as a popup). I can open another window and carry on until then. Thanks for any help. This thing is killing what brain I have left.




http://swordfishgsx.8m.com/freds/wtf.JPG


Logfile of HijackThis v1.97.6
Scan saved at 11:14:32 PM, on 3/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\msdmxm.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\windows\system32\mnpol.exe
C:\program files\primesoft\safesearch\safesearch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Internet\Local Settings\Temporary Internet Files\Content.IE5\KDEBO1I3\hjtlog[1].exe
c:\hijackthis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - __ (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - __ (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - __ (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - __ (file missing)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - __ (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - __ (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [MNPol] c:\windows\system32\mnpol.exe /nocomm
O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe /install
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Whyzman
03-18-2004, 12:52 AM
Hello AWDkitkat,

Welcome to the PCGuide Forums!

Looks like this one came aboard in the middle of the night:

http://securityresponse.symantec.com/avcenter/venc/data/adware.safesearch.html

Hang on though, we've some experts on what to remove....

I would run Spybot Search & Destroy and Ad-Aware and then redo the HijackThis scan...

delslo
03-18-2004, 12:55 AM
Help this cat out..... He's a local from one of my other boards; I sent him here. I know you guys here at the PCGuide have helped me a thousand times or so.....
Thanks guys
tris

AWDkitkat
03-18-2004, 01:02 AM
Originally posted by Whyzman
Hello AWDkitkat,

Welcome to the PCGuide Forums!

Looks like this one came aboard in the middle of the night:

http://securityresponse.symantec.com/avcenter/venc/data/adware.safesearch.html

Hang on though, we've some experts on what to remove....

I would run Spybot Search & Destroy and Ad-Aware and then redo the HijackThis scan...

Thanks for the fast reply. The HijackThis scan is from after Spybot, Ad-Aware and Registry Mechanic.

Whyzman
03-18-2004, 01:42 AM
Looks like none of the HJT gurus are up at this hour of the morning here in the US...

This would make for some good bedtime reading and might get you started:

http://hjt.wizardsofwebsites.com/

shanmuga
03-18-2004, 02:00 AM
You have run the HJT scan with an older version. Download the latest version of HijackThis (http://mjc1.com/mirror/hjt/), extract it to its own folder and run the scan before fixing anything.

Close all Explorer windows, preferably have only HijackThis open, and fix the following entries:

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - __ (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - __ (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - __ (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - __ (file missing)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - __ (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - __ (file missing)
O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe /install
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
C:\windows\system32\msdmxm.exe

ZTgServerSwitch is part of Sony's VAIO support agent. It is not required if you don't wish to use the VAIO support agent, so you can fix this one too if you like. Also see if you can uninstall the support client via Control Panel > Add/Remove Programs.

O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

Clear out the temporary internet files, reboot and delete

C:\program files\primesoft\safesearch\safesearch.exe

Edit: Post a fresh log again for confirmation.

The following entry looks suspicious; do you recognize it? Right-click it and have a look at its properties.

C:\windows\system32\mnpol.exe
It also runs at startup as: O4 - HKLM\..\Run: [MNPol] c:\windows\system32\mnpol.exe /nocomm
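As an added example (not from this thread or from the HijackThis project), a small Python triage script that parses O2/O4 entries in the log format shown above and flags the same patterns shanmuga acts on: BHOs with no name or a missing file, the SafeSearch adware components named in the Symantec write-up, and autostart entries in System32 that are not on a reviewer's allow-list. The sample log lines and the allow-list (KNOWN_GOOD) are constructed for the example.

```python
import re

# Constructed sample lines in HijackThis v1.97 format, modelled on the entry
# types in this thread; not the poster's full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - __ (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe /install
O4 - HKLM\..\Run: [MNPol] c:\windows\system32\mnpol.exe /nocomm
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?([^"]*?\.(?:exe|vbs|com))', re.IGNORECASE)

# Hypothetical allow-list of autostart binaries the reviewer has already vetted.
KNOWN_GOOD = {"ccapp.exe", "msmsgs.exe"}
# Markers for the adware identified in the thread (Adware.SafeSearch).
ADWARE_MARKERS = ("safesearch",)


def first_exe(cmd):
    """Return the lower-cased executable name from a Run command, handling
    both quoted paths and unquoted paths that contain spaces."""
    m = EXE_RE.match(cmd.strip())
    path = m.group(1) if m else cmd.strip().split()[0]
    return path.replace("/", "\\").split("\\")[-1].lower()


def triage(log_text):
    """Return (section, reason, line) for each entry that deserves a look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if any(marker in line.lower() for marker in ADWARE_MARKERS):
            findings.append((sec, "known adware component", line))
        elif sec == "O2" and (b := BHO_RE.match(body)):
            if "(file missing)" in b.group("path"):
                findings.append((sec, "orphaned BHO registration (file missing)", line))
            elif b.group("name") == "(no name)":
                findings.append((sec, "unnamed BHO", line))
        elif sec == "O4" and (r := RUN_RE.match(body)):
            exe = first_exe(r.group("cmd"))
            if "\\system32\\" in r.group("cmd").lower() and exe not in KNOWN_GOOD:
                findings.append((sec, f"unvetted autostart in System32: {exe}", line))
    return findings
```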