|
|
BedstorfromAP
Reg'd: Thu
Posts: 5098
Loc: 32 Bus Stops West of Wigan UK
|
|
A lady from Poland left this on my Forum can you check this out thanks (Am linking this back) Here is the original post
Quote:
Can anyone help please? I have win XP and got W32.desktophijack and Trojan.startPage.M. The Norton AntiVirus detects them but cannot remove. I tried following the Symantec site instructions, but it doesn't help either. I don't know what to do. Any suggestions? Thank you so much! Here is the HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 7:47:41 PM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NuCam\CamCheck\CamCheck.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\intel32.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Microsoft Encarta\Encarta World English Dictionary\Qshlfed.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\webshots.scr
C:\Documents and Settings\ROSE\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = <a href="res://C:\DOCUME~1\ROSE\LOCALS~1\Temp\se.dll/space.html" target="_blank">res://C:\DOCUME~1\ROSE\LOCALS~1\Temp\se.dll/space.html</a>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = <a href="res://C:\DOCUME~1\ROSE\LOCALS~1\Temp\se.dll/space.html" target="_blank">res://C:\DOCUME~1\ROSE\LOCALS~1\Temp\se.dll/space.html</a>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C09F3F0F-4F87-4EE8-9034-725490E8294E} - C:\WINDOWS\System32\oapf.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\stephan\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "ROSE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [olecli32] C:\WINDOWS\System32\olecli32.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Startup: Encarta Dictionary Quickshelf.lnk = C:\Program Files\Microsoft Encarta\Encarta World English Dictionary\Qshlfed.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - <a href="res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000" target="_blank">res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000</a>
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {FA59B1EC-89C2-44D8-BA0F-D6B47DAC71C8} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FC63EF8-530C-478A-A501-C3AEAC481A38}: NameServer = 192.168.1.100,193.4.194.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2FC63EF8-530C-478A-A501-C3AEAC481A38}: NameServer = 192.168.1.100,193.4.194.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{2FC63EF8-530C-478A-A501-C3AEAC481A38}: NameServer = 192.168.1.100,193.4.194.2
O18 - Filter: text/html - {D538F97A-6F6C-4FD8-ACA5-30DB8FE676C7} - C:\WINDOWS\System32\oapf.dll
O18 - Filter: text/plain - {D538F97A-6F6C-4FD8-ACA5-30DB8FE676C7} - C:\WINDOWS\System32\oapf.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\bhowser.dll
O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\System32\PGPsdkServ.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--------------------
History so far.. 10 years surfing & 29 Years Computing (First ZX81 1k) 
|
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31990
Loc: belfast
|
|
Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(don't run it yet we will get to that in a minute)
Put a checkmark next to the following entries in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = <a href="res://C:\DOCUME~1\ROSE\LOCALS~1\Temp\se.dll/space.html" target="_blank">res://C:\DOCUME~1\ROSE\LOCALS~1\Temp\se.dll/space.html</a>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = <a href="res://C:\DOCUME~1\ROSE\LOCALS~1\Temp\se.dll/space.html" target="_blank">res://C:\DOCUME~1\ROSE\LOCALS~1\Temp\se.dll/space.html</a>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C09F3F0F-4F87-4EE8-9034-725490E8294E} - C:\WINDOWS\System32\oapf.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\stephan\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [olecli32] C:\WINDOWS\System32\olecli32.exe
O18 - Filter: text/html - {D538F97A-6F6C-4FD8-ACA5-30DB8FE676C7} - C:\WINDOWS\System32\oapf.dll
O18 - Filter: text/plain - {D538F97A-6F6C-4FD8-ACA5-30DB8FE676C7} - C:\WINDOWS\System32\oapf.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\bhowser.dll
Make sure all windows and browsers are closed before clicking on “Fix Checked”.
Now, start APM.
In the upper window select explorer.exe
In the lower window find and rightclick C:\WINDOWS\System32\oapf.dll
It is the 02 BHO entry with no description, in case it has changed names. It is not tied to any program you recognize.
currently it is :-O2 - BHO: (no name) - {C09F3F0F-4F87-4EE8-9034-725490E8294E} - C:\WINDOWS\System32\oapf.dll
Select Unload DLL, and click OK on the prompts that follow.
Please download SpSeHjfix
Close any open programs.
Run SpSeHjfix and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the new folder.
Once rebooted, run SpSeHjfix again.
Reboot and scan with AdAware to automatically remove the txt and html protocol associations and to clean up the remnants of the hijack.
Run Adaware with the following settings:
Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.
Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.
If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes
Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "CUstomize". This will open the "Scan Settings Page. Make sure all of the following are On with a "green" checkmark:
Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File
Then Click the Advanced Button on the left side to open the Advanced Settings screen. Make sure the following is on with a "green" checkmark:
Move deleted files to Recycle Bin
Others are optional to be checked or unchecked.
Then click on the "Tweak" Button to open up the tweak settings.
Open up the Scanning Engine section and make sure ll of the following are On with a "green" checkmark:
Scan registry for all users instead of current user only
Make sure the following is unchecked with a "red" X:
Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.
Click the "Proceed" button to save settings.
Click the "Next" button to start the scan.
When a scan is completed the Performing System Scan screen will change name to "Scan Complete".
Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.
Click the Critical Objects Tab. In general all of the items listed will be bad. Be carefull with the Hosts file entries. Malware uses the hosts file to redirect you websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a host file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.
To fix all the bad critical objects do the following:
Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.
When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.
Close Ad-aware.
If Ad-Aware needs to reboot to finish cleaning, please let it.
Please run the following online scan and let it fix everything it finds:
HOUSECALL
Then :-
Download and run COOLWEBSHREDDER.EXE(standalone version)
Click Fix, don't just scan. Let it fix everything it asks about.
then reboot and post a fresh HJT log.
--------------------
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.
 
When the only tool you own is a hammer, every problem begins to look like a nail. 
|
|
|
Previous
Index
Next
Threaded
Edit
Reply
Quote
