HijackThis log: What to delete?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Miss Ti, May 5, 2004.

  1. Miss Ti

    Miss Ti Private E-2

    Calling all Geeks! Please help a newbie.

    My Internet Explorer has been hijacked. I have run adaware and spybot search and destroy. I have Norton Antivirus (it warned me when it happened but couldn't do anything about it) and I now have spywareguard and spywareblaster to stop this from happening again.

    Everytime I restart, the IE homepage and search pages are reset to www.searchdirs.com. I see that in one of the lines in the HijackThis log, so I assume it is safe to delete that? What else can I delete?

    Thanks in advance to all of you out there with the expertise to help people like me learn how to practice 'safe computing.'

    Ti


    Logfile of HijackThis v1.97.7
    Scan saved at 11:53:07 AM, on 05/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\olehelp.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\WINDOWS\FSScrCtl.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdirs.com/?aff=1020
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=1020
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5277199074
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07B80E6E-D5A7-4B35-8F14-489BD135313C}: NameServer = 63.203.35.55 206.13.28.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5366C74F-59F0-4B46-B1DA-864B39874078}: Domain = itsb205.itsnpt.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07B80E6E-D5A7-4B35-8F14-489BD135313C}: NameServer = 63.203.35.55 206.13.28.12
     
    Miss Ti, May 5, 2004
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shut down all applications other than HiJaak This and try deleting:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdirs.com/?aff=1020
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=1020

    Reboot and let us knwo how things look.
     
    chaslang, May 5, 2004
    #2
  3. alanc

    alanc MajorGeek

    Ti, you have a CoolWebSearch variant, download and run CWShredder and let it fix whatever it finds.
     
    alanc, May 5, 2004
    #3
  4. Miss Ti

    Miss Ti Private E-2

    Finally got it!

    Thanks so much for all of your help! I had tried deleting two of those three lines initially, and they kept coming back when I rebooted. Being a newbie, I finally found the link over to the spywareinfo site or something like that. It took hours to go through everything, and I also ran the CWShredder. It is fixed! Now my HijackThis log looks like this:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:13:05 PM, on 05/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdirs.com/?aff=1020
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=1020
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5277199074
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab
    O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07B80E6E-D5A7-4B35-8F14-489BD135313C}: NameServer = 63.203.35.55 206.13.28.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07B80E6E-D5A7-4B35-8F14-489BD135313C}: NameServer = 63.203.35.55 206.13.28.12


    For some reason, the searchdirs lines are still there. They keep reappearing every time I reboot, but they seem to be disabled for now. If anyone can let me know how to get rid of them for good, it would be great!


    Geeks rock! I am so pleased, maybe I will make my way over to the games forum and see if I can get SimCity to work again. :D

    Many thanks,

    Ti
     
    Miss Ti, May 5, 2004
    #4
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm a little confuse by your message. Are you still be hijaaked to searchdirs.com?

    Those two lines are still there:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdirs.com/?aff=1020
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=1020

    Maybe you need to look at Add/Remove Programs in Control Panel to see if something to do with this searchdir thing can be uninstalled. If you delete them with HiJaak This and they are coming back, something is starting them up again.
     
    Last edited: May 6, 2004
    chaslang, May 5, 2004
    #5
  6. alanc

    alanc MajorGeek

    I don't know if or how well it works, but they have an uninstaller on their site here:
    http://searchdirs.com/uninstall.php?aff=9001

    Try it at your own risk!
     
    alanc, May 6, 2004
    #6
  7. Miss Ti

    Miss Ti Private E-2

    W32.Bizten!!!

    I went to the page to try and do the uninstall. I got infected again, or more, or something. Norton AV picked it up and identified it as W32.Bizten but could not repair the file. I immediately deleted the temp files etc. Then I went to Symantec and followed the removal instructions. I didn't see all of the virus bits there that it said would be there, so maybe I aborted this attempt. I am not being hijacked anymore and my HijackThis log looks better, so I hope I am OK now. It does seem odd that Norton detected it but couldn't stop it. I keep everything updated regularly.

    Thanks for all of the help! I have Norton AV, SpywareGuard, Spyware Blaster, Ad-aware, and SpyBot S&D. Also, I set up the firewall that comes with Windows. If there is anything else that I can do to protect my PC, please let me know. That is all that I can find so far!

    Thanks again,

    Ti


    Logfile of HijackThis v1.97.7
    Scan saved at 10:19:01 AM, on 06/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5277199074
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07B80E6E-D5A7-4B35-8F14-489BD135313C}: NameServer = 63.203.35.55 206.13.28.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07B80E6E-D5A7-4B35-8F14-489BD135313C}: NameServer = 63.203.35.55 206.13.28.12
     
    Miss Ti, May 6, 2004
    #7
  8. alanc

    alanc MajorGeek

    alanc, May 6, 2004
    #8
  9. anezzy

    anezzy Private E-2

    I have also been infected with with searchdirs homepage problem. I've ran adaware, and now hijackthis. Here is the log.
    Thanks in advance for your help.


    Edit by chaslang: LOG DELETED
     
    Last edited by a moderator: Feb 13, 2005
    anezzy, Feb 13, 2005
    #9
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post in other peoples threads. Do not post unrequested HJT logs.
    Do not post them inline. And do not post duplicate threads!
     
    chaslang, Feb 13, 2005
    #10

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds