Options

Homepage changing and random shut down error

Unknown
edited June 2004 in Spyware & Virus Removal
My homepage keeps changing to a page that has a HUGE stop sign on it then i get like 12 pop ups and a error from nortan saying something was trying to dl a trojain. And I am also having this random shut Down error can send the picture to someone to see it thanks and here the hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 3:59:14 PM, on 6/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\yhacww.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Oad3.exe
C:\WINDOWS\System32\DoovS4s.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\CS4P028.EXE
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\CS4P028.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Chad\Desktop\stuff\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2NRBCPJ5ETGARJ] C:\WINDOWS\System32\FteiKZ.exe
O4 - HKLM\..\Run: [pyuhfptq] C:\WINDOWS\System32\yhacww.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22919ad69aa5fe74f518/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://bannerfarm.ace.advertising.com/bannerfarm/47041/VBouncerOuter1137040505.EXE
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Comments

  • DexterDexter Vancouver, BC Canada
    edited June 2004
    First of all, follow these steps to run Ad Aware and Spybot on your system. See if that solves the problem first. If not, post a new HJT log after those scans and we'll take it from there. If you have already run those 2 apps, let us know, and we will work from this log.

    Dexter...
  • Peabody
    edited June 2004
    yup i alrdy ran them both
  • Peabody
    edited June 2004
    can any one tell me the problem here?
  • DexterDexter Vancouver, BC Canada
    edited June 2004
    Reboot in SAFE MODE. Run HJT (first I recommend you put HJT into it's own dedicated folder, so backups can be safely stored.) Fix the following:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

    (Those are known adware components.)

    O4 - HKLM\..\Run: [2NRBCPJ5ETGARJ] C:\WINDOWS\System32\FteiKZ.exe
    O4 - HKLM\..\Run: [pyuhfptq] C:\WINDOWS\System32\yhacww.exe

    (Those are both random file names, a sure sign of malware.)

    Reboot normally, and check things out. If it all looks good, quarantine the files referenced above. Let us know how it works out.

    Dexter...
  • Peabody
    edited June 2004
    Thanks a lot worked you guys :Rocker:
  • DexterDexter Vancouver, BC Canada
    edited June 2004
    Glad to hear. Now, you should immnize your system as best as possible against future spyware problems. Downlaod the latest versions of Spybot and Spywareblaster from our Security Downlaods page (link in my signature.) Install and run them, they will help with a lot of known problems, and make sure to update them regularly.

    And check out our Folding at Home project, it's a great cause to get involved with. Click the Folding links in my sig to find out more.

    Dexter...
  • vanagon40vanagon40 Indiana Member
    edited June 2004
    You are also several updates behind on your Operating System. Keeping windows updated patches known vunerabilities used by malware.
Sign In or Register to comment.