Share your experience!
----
If you still have problems with the browser hijack then use Hijackthis! and CWshredder from http://www.spywareinfo.com/~merijn/downloads.html
Thank you very much Rob, i have already dwnloaded CWS, i am not infected. I will dwnload hjt and then upload the log onto this forum.
Guys, Here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 08:00:43, on 10/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\Memory Optimizer\MemoryOptimizer.exe
C:\PROGRA~1\PicoZip\PicoZipTray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Gill IT\Auto ShutDown XP Professional\ASD XP.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Samurize\Client.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by2fd.bay2.hotmail.msn.com/cgi-bin/hmhome/spool/RSC_7eb7b8f2c8ee40a09293ad49cc67ff67?curmbox=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.sarc.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.0.*;
R3 - URLSearchHook: SrchHook Class - {582788CA-7014-4904-A4EE-6FB6108AFE8E} - C:\WINDOWS\System32\msapasrc.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll [...]
Heres my Start Up list:
StartupList report, 10/03/2004, 08:05:16
StartupList version: 1.52
Started from : C:\Program Files\StartUpList\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\Memory Optimizer\MemoryOptimizer.exe
C:\PROGRA~1\PicoZip\PicoZipTray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Gill IT\Auto ShutDown XP Professional\ASD XP.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Samurize\Client.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\StartUpList\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\0p5r4e\Start Menu\Programs\Startup]
Auto ShutDown XP Pro.lnk = ?
Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
Samurize.lnk = C:\Program Files\Samurize\Client.exe
Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
PowerPanel.lnk = ?
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ATIModeChange = Ati2mdxx.exe
AtiPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Mouse Suite 98 Daemon = ICO.EXE
HKSERV.EXE = C:\Program Files\Sony\HotKey Utility\HKserv.exe
ezShieldProtector for Px = C:\WINDOWS\ [...]
Hi Harry ,
It really takes an expert to interpret the HijackThis Log, and I am not one. The only thing that looks suspicious to me is
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
and anything else with "Kontiki" in it. That is of course if you do not recognise "Kontiki"
You should really post the log in the HijackThis Forum where it will definitely be fixed.
Failing that I would backup the registry and put "Kontiki" into the "Regedit Search" option and delete it. Also use XP "Search" to look for it and put it in a folder somewhere else until you see if it is needed or not.
If necessary I would take that risk myself but would not like to damage anyone else`s system. It is up to you, but the best option is the Forum at HijackThis. They will certainly fix it for you as they are the experts.
Good Luck
Elaine
Thanx Elaine. i will post it on their forum.Hey- Whats the address of the forum??!! :smileyrolling_eyes:
Hi Guys, Please could you also tell me what "websx" is, is it dangerous? It is in my prog file list and i didnt install it. It is not shown on in the file apart from on hjt, and i have enabled the showing of hidden folders.VIRUS???!!!
Hi Harry
Here is the address of the Forum
http://mjc1.com/mirror/hjt/
Instructions about how to post your log are on this first page.
Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's run from. These easily get lost in a Temp folder and are an annoyance on the desktop.
Then look down left hand side for SpywareInfo Support Forums TomCoyote Forums
I think websx" is porn. The Forum will sort it for you.
Elaine
Thanx Elaine, Again!!!!!!!! :smileygrin:
My pleasure Harry,
Here`s hoping you get ALL OF IT sorted once and for all. These guys are good. Just have patience. Sometimes it takes two or three shots to get it cleaned up completely
Go along with them and I`m sure they will fix it all.
Good Luck :smileygrin:
Elaine