HijackThis Log .. Study Computer .. Please Help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rediagg, Jun 11, 2004.

  1. rediagg

    rediagg Private E-2

    Please help! I'm a student and am rushing for a term project that requires frequent visit to the Internet. Could you advise me on these two questions?
    (1) How to get rid of the following hijacker?
    (2) Is it confined to the Internet Explorer? That is, before the issue gets resolved, if I instead use Netscape for my term project, will Netscape be affected also? And is it safe to work on the data and documents on this computer for my project?


    I usually set the homepage in IE as blank. But recently, at start up, the homepage is somehow reset to http://www.microsoft.com/isapi/redi...ver=6.0&ar=home and the browser loads msn.com. And then it becomes extremely slow to open a web page, until I set the homepage back to blank.

    The following entry appears in Ad-aware scan results.

    Vendor:possible Browser Hijack attempt
    Category: Data Miner
    Object Type:RegData
    Size:-
    Location:Software\Microsoft\Internet Explorer\Main "Start Page" ("about:blank")
    Last Activity:6-10-2004
    Risk LevelMedium
    Comment:possible browser hijack attempt
    Description:possible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

    I had Ad-aware remove it, but it's in vain; it appears again right away. The following is the HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:07:19 AM, on 6/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    D:\WINDOWS\system32\notepad.exe
    D:\Documents and Settings\qisha\Desktop\HijackThis.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\PROGRA~1\DAP\dapbho.dll
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\Net Transport\NTIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\PINNACLE\PPE\ppe.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [BMUpdate] D:\WINDOWS\System32\BMUpdate.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download all by Net Transport - D:\PROGRA~1\XI\NETTRA~1\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - D:\PROGRA~1\XI\NETTRA~1\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Joyo (HKLM)
    O9 - Extra button: ZDNet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
    O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://comp.mediaring.com/consumer/...wbaxuiph356.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...ol_v1-0-3-9.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://iuware-web001.uits.indiana.e...nt/iftwclix.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www104.coolsavings.com/ltc/download/cscmv5X.cab
    O16 - DPF: {597F5878-51C6-11D3-B2DF-00C04F79E868} (MPIT List Class) - file://G:\00Jonty\Programs\OfficeXP Disk 3\cd\setup\msbslist.cab
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50099/QDow_AS2.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zini...ader/isetup.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/Visi...t/TLIEFlash.CAB
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/active...loadcontrol.cab
    O16 - DPF: {BA9A7F06-8890-402B-9E05-1A4423E7452B} (AxKSign Class) - http://intranet.daewoo.com/AxKSIGN.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/so...l/java/RntX.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/active...ntrol_v1-32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ads.iu.edu
    O17 - HKLM\Software\..\Telephony: DomainName = ads.iu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ads.iu.edu

    Could you advise me how to deal with this?

    Thank you!
     
  2. DanTekGeek

    DanTekGeek Master Sergeant

    Definite:
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll

    suspicious:
    O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} (MRActivXUI Class) - http://comp.mediaring.com/consumer/...wbaxuiph356.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...ol_v1-0-3-9.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://iuware-web001.uits.indiana.e...nt/iftwclix.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www104.coolsavings.com/ltc/download/cscmv5X.cab
    O16 - DPF: {597F5878-51C6-11D3-B2DF-00C04F79E868} (MPIT List Class) - file://G:\00Jonty\Programs\OfficeXP Disk 3\cd\setup\msbslist.cab
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50099/QDow_AS2.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zini...ader/isetup.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/Visi...t/TLIEFlash.CAB
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/active...loadcontrol.cab
    O16 - DPF: {BA9A7F06-8890-402B-9E05-1A4423E7452B} (AxKSign Class) - http://intranet.daewoo.com/AxKSIGN.cab


    Fix the definites, and I'm pretty sure about the others, but I'd like to see if someone else agrees with me.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Dan,

    I do not have time right now to check all. Gotta run. But I believe the above lines for SnagIt7 are okay. I believe it is a commercial package for capturing screens, text, etc.

    Chas
     
  4. DanTekGeek

    DanTekGeek Master Sergeant

    Hmm, interesting. I googled the DLL and found out that it could be spyware.
    Anyway, I'd go with what Chas said; I trust him over me.


    OH! DIDN'T EVEN LOOK AT YOUR 2ND QUESTION! YES! IT IS ONLY IE! NETSCAPE SHOULD BE FINE! GOOD LUCK ON THE TERM PAPER. (sorry about the caps, wanted to make sure he sees it)
     
  5. rediagg

    rediagg Private E-2

    Thank you, Chas and Dan!

    Yes, SnagIt is a commercial program I was using to record the screen. In fact my term project is about online auctions, and I was using SnagIt to make a clip of the bidding process. I've just uninstalled it just in case it could be a source of the problem (the trial version I was using has expired anyway).

    Shall I remove those suspicious entries? Thank you!
     
  6. rediagg

    rediagg Private E-2

    And thank you, Dan, for relieving me from getting too scared to use this computer. I haven't done anything for my project today, being afraid to do further damage. :p Now I can feel free to go on with my work! Just installed Netscape and am using it now. :)
     
  7. DanTekGeek

    DanTekGeek Master Sergeant

    Yeah, I'd recommend doing that.
     
  8. rediagg

    rediagg Private E-2

    Thank you, Dan!

    Here is my new log. Do you think it's clean now? Thank you!

    Logfile of HijackThis v1.97.7
    Scan saved at 10:20:20 PM, on 6/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    D:\Documents and Settings\qisha\Desktop\Hijack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (D:\Documents and Settings\qisha\Application Data\Mozilla\Profiles\default\3vk151fe.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (D:\Documents and Settings\qisha\Application Data\Mozilla\Profiles\default\3vk151fe.slt\prefs.js)
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\PINNACLE\PPE\ppe.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} -
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} -
    O16 - DPF: {597F5878-51C6-11D3-B2DF-00C04F79E868} -
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} -
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} -
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} -
    O16 - DPF: {BA9A7F06-8890-402B-9E05-1A4423E7452B} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} -
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ads.iu.edu
    O17 - HKLM\Software\..\Telephony: DomainName = ads.iu.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ads.iu.edu
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    rediagg, you should consider dumping that Download Accelerator Plus stuff. See this: http://www.pestpatrol.com/PestInfo/d/download_accelerator_plus.asp

    It wouldn't hurt to have HijackThis fix the following line:
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    As far as a hijack of your home page is concerned, I really doubt that this is a hijack. I do not think any hijacker is going to set you to a Microsoft page. It is more likely due to the fact of having about:blank as your startup page when something was installed or upgraded. You're right, www.msn.com can be a little slow loading. So how about choosing something else as your start page that loads quicker? Hmmm! How about www.majorgeeks.com? This would avoid the confusion with possible true about:blank hijackers.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just noticed your new log. How did you get all these lines to look like this:
    O16 - DPF: {342999A3-728D-4DF6-BB81-CDD1A743096A} -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} -
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} -
    O16 - DPF: {597F5878-51C6-11D3-B2DF-00C04F79E868} -
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} -
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} -
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} -
    O16 - DPF: {BA9A7F06-8890-402B-9E05-1A4423E7452B} -
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} -
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -

    Looks like something did not get fixed correctly.
     
  11. DanTekGeek

    DanTekGeek Master Sergeant

    Hmmm, those are the ones I told him to clean.... Maybe blank registry entries? Like just displaying a 0?
     
  12. rediagg

    rediagg Private E-2

    Thank you, Chas!

    I've uninstalled Download Accelerator Plus and fixed the " O3 - Toolbar: (no name)" line.

    And thank you for the great idea to set the home page to something other than blank! Indeed I set it to www.majorgeeks.com. :) Now I do feel I have created this confusion with the about:blank issue. Sorry for making such big trouble here!

    For those lines you pointed out, I had HijackThis fix those. But I'm not sure why, after I restarted the computer and ran HijackThis again, the lines became like that. And I tried to check and fix those again, but it did help. Did I bring myself another trouble?

    Also, every time I run Spybot, it finds the same DSO Exploit (as seen in the attachment), even though I've had it successfully fixed by Spybot before. Could you advise me if it's just some routine done by IE or there's some problem here?

    Thank you!
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know, Dan. Normally when you fix with HijackThis the entries are gone. You don't get a partial entry.
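A small log reviewer, added here as an example and not part of this thread or of HijackThis itself, that parses HijackThis v1.97-style lines and flags the entry shapes discussed above: the empty R0 value, O2/O3 registrations marked (no file), the partial O16 lines with no download URL, and O16 controls fetched from a bare IP address. The two sample logs inside it are constructed (GUIDs and URLs are taken from the log posted above), and the bare-IP check is my own heuristic, not something the thread recommends.

```python
import re

ENTRY_RE = re.compile(r"^(?P<code>[RNOF]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

# Constructed "before" log: a few entry types modelled on the thread's log.
LOG_BEFORE = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
"""
# Constructed "after" log: the O3 line was fixed, but the IP-hosted O16
# entry came back with only its GUID, as happened in the thread.
LOG_AFTER = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} -
"""


def parse_line(line):
    """Split one log line into section code, GUID (if any) and target: the text
    after the last ' - ' (a DLL path, '(no file)' or a URL); bare ' -' means none."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body").strip()
    guid = GUID_RE.search(body)
    if body.endswith(" -"):
        target = ""
    else:
        parts = body.rsplit(" - ", 1)
        target = parts[1].strip() if len(parts) == 2 else ""
    return {"code": code, "body": body, "guid": guid.group(0) if guid else None, "target": target}


def review(log_text):
    """Return (code, reason, line) triples for lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        code, body, target = e["code"], e["body"], e["target"]
        if code == "R0" and body.endswith("="):
            findings.append((code, "empty value (commonly benign; recheck if it persists)", raw.strip()))
        elif code in ("O2", "O3") and target == "(no file)":
            findings.append((code, "orphaned registration, file is gone: safe to fix", raw.strip()))
        elif code == "O16" and target == "":
            findings.append((code, "partial entry: GUID still registered, no download URL", raw.strip()))
        elif code == "O16" and IP_HOST_RE.match(target):
            findings.append((code, "ActiveX control fetched from a bare IP address: verify", raw.strip()))
    return findings


def partial_after_fix(before_text, after_text):
    """GUIDs of O16 entries that had a URL before and show no target after."""
    def o16(text):
        return {e["guid"]: e["target"] for e in map(parse_line, text.splitlines())
                if e and e["code"] == "O16" and e["guid"]}
    before, after = o16(before_text), o16(after_text)
    return sorted(g for g, t in after.items() if t == "" and before.get(g, "") != "")
```

Running `review` over a fresh log and `partial_after_fix` over a before/after pair shows which fixed O16 controls are still registered by GUID, which is the leftover the thread could not explain.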
     
  14. DanTekGeek

    DanTekGeek Master Sergeant

    Referring to your first question: no, you didn't make another problem; it was probably just a glitch with HijackThis.

    About those Spybot entries: they are probably hiding from you in System Restore. Disable System Restore ( http://majorgeeks.com/vb/showthread.php?t=31668 ), restart, run Spybot, restart, enable System Restore.
     
  15. rediagg

    rediagg Private E-2

    Thank you, Dan!

    I tried to use HijackThis to fix the partial entries again. When I run HijackThis a second time right after fixing them, it doesn't show those. But after I restart the computer and run HijackThis again, they come back. Also, the R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = line comes back too. If you think it's no big deal, maybe I'll just leave them like that?

    For the home page, after I changed it to majorgeeks.com, Ad-aware didn't report any possible hijack.

    For the DSO Exploit, I disabled system restore, but those things still come back after restarting the computer. Does it matter?

    Thank you!
     
    Last edited: Jun 12, 2004
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    rediagg, what is your version number of SpyBot S&D?

    And try having HijackThis fix those lines again, but do it after booting in safe mode with System Restore disabled.
     
  17. rediagg

    rediagg Private E-2

    Chas,

    It's V1.3 final; I downloaded and installed it today.

    I had system restore disabled and I restarted to safe mode and ran HijackThis, SpyBot, and Ad-aware, fixed the relevant things. But the partial entries reappeared after I rebooted to normal mode, and Spybot found the DSO Exploit again.

    Also, I had Spybot run at Windows startup, and it reported a change of the IE home page from http://www.microsoft.com/isapi/redi...ver=6.0&ar=home to http://www.majorgeeks.com, which is not a problem, right?

    Thank you!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The home page change notification is fine. We did that. I'm baffled with the other behavior though. Take a look at this on the DSO Exploit: http://www.nsclean.com/dsostop.html
     
  19. rediagg

    rediagg Private E-2

    Chas,

    Shall I try to run DSOstop2 to resolve my DSO Exploit problem?

    Thank you!
     
    Last edited: Jun 12, 2004
  20. rediagg

    rediagg Private E-2

    Chas, I tried DSOstop2, it said I should be fine now, but Spybot still reports the DSO problem.
     