browser hijack e-finder.cc

  dimercaprol 07:46 03 Oct 2004
Locked

My browser has been hijacked. I am running Win XP home and IE6. I have run Adaware, SpybotS&D and CWShredder without effect. This is the "hijack this" log after running all the above. I would be very grateful for any advice.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\qttask.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\CAPRPCSK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hijackthis\HijackThis.exe

  dimercaprol 07:47 03 Oct 2004

I'll try again in several parts

My browser has been hijacked. I am running Win XP home and IE6. I have run Adaware, SpybotS&D and CWShredder without effect. This is the "hijack this" log after running all the above. I would be very grateful for any advice.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\qttask.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE

  dimercaprol 07:50 03 Oct 2004

Running processes:
C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\qttask.exe

C:\Program Files\D-Link\AirPlus Xtreme
G\AirPlusCFG.exe

C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System\MSMSGSVC.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\WINDOWS\System32\CAPRPCSK.EXE

  dimercaprol 07:51 03 Oct 2004

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE

C:\WINDOWS\System32\ati2evxx.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [email protected]/hp/" title="http://homepage.com_%[email protected]/hp/" TARGET="_new">click here (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [email protected]/hp/" title="http://homepage.com_%[email protected]/hp/" TARGET="_new">click here (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

  dimercaprol 07:53 03 Oct 2004

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = [email protected]/search/" title="http://homepage.com_%[email protected]/search/" TARGET="_new">click here (obfuscated)

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\qttask.exe

O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE

  dimercaprol 07:55 03 Oct 2004

O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - DefaultPrefix: click here?

O13 - WWW Prefix: click here?

O14 - IERESET.INF: START_PAGE_URL=click here

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here

  rawprawn 08:38 03 Oct 2004

I think system32\sass.exe is a virus,download and run this free program click here Someone with more knowledge than me may suggest something different but this is a good proram and it won't hurt anyway

  dimercaprol 18:07 03 Oct 2004

Thanks Rawprawn and Nellie 2. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 18:03:20, on 03/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\WINDOWS\System32\CAPRPCSK.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\qttask.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Hijackthis\HijackThis.exe

  dimercaprol 18:10 03 Oct 2004

Logfile of HijackThis v1.97.7
Scan saved at 18:03:20, on 03/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ati2evxx.exe

C:\WINDOWS\System32\CAPRPCSK.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\qttask.exe

C:\Program Files\D-Link\AirPlus Xtreme
G\AirPlusCFG.exe

C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System\MSMSGSVC.exe

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE

C:\Program Files\Roxio\Easy CD Creator 6
\AudioCentral\Playlist.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE

C:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE

C:\Program Files\Hijackthis\HijackThis.exe

  rawprawn 18:12 03 Oct 2004

Nellie2 is the expert on these HJT logs, I am sure that she will sort you out, so I will leave it to her. Good luck

  dimercaprol 18:13 03 Oct 2004

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here %[email protected]/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = click here %[email protected]/search/ (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here %[email protected]/hp/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here %[email protected]/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = click here %[email protected]/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = click here %[email protected]/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here %[email protected]/hp/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = click here %[email protected]/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = click here %[email protected]/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here %[email protected]/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = click here %[email protected]/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = click here %[email protected]/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = click here %[email protected]/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = click here %[email protected]/search/ (obfuscated)

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\qttask.exe

O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE

O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G]

C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MSMsgSvc]

C:\WINDOWS\System\MSMSGSVC.exe

O4 - Global Startup: Microsoft Office.lnk =

C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - DefaultPrefix: click here?

O13 - WWW Prefix: click here?

O14 - IERESET.INF: START_PAGE_URL=click here

O15 - Trusted Zone: *.Sony-europe.com

O15 - Trusted Zone: *.Sonystyle-europe.com

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

Samsung Galaxy Book 2: Release date, price and specs

Adobe's groundbreaking prototypes of new features and apps for Creative Cloud

When is the next Apple event?

Les meilleurs VPN gratuits (2018)