Hijacked Internet Explorer.

steviecn

Technical User
Jun 9, 2004
4
GB
I am hoping that someone can please help me! I have several PCs that are automatically loading up Internet Explorer to an Angelfire.com site and then asking to download and install a Media Tickets program. I have run various apps to try and clean them but have had no success. The programs I have cleaned the PCs with, with the latest updates downloaded, are:

CWShredder
SpyBot S & D
Ad-Aware
etrust Anti-Virus

The PCs are running Windows XP Pro with the latest critical patches installed.

Below is the HijackThis log from one of the PCs:

Logfile of HijackThis v1.97.7
Scan saved at 18:02:29, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\WINDOWS\System32\NAVSCAN32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\SpyWare Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.240:800
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = learningsouthwest.org.uk
O17 - HKLM\Software\..\Telephony: DomainName = learningsouthwest.org.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = learningsouthwest.org.uk

Can anyone help?

Thanks,

Steve.
 
Before you started the cleaning, did you switch off System Restore in WinXP?

C:\WINDOWS\System32\NAVSCAN32.exe looks dodgy, especially as there are 3 instances of it set to load at startup.

John
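The heuristic John applies here (a program loaded from a bare filename, registered in several autostart locations at once) can be checked mechanically. The script below is an added example written for this thread; it is not a HijackThis feature and not code from any of the posters. It parses O4 lines in the HijackThis v1.97 format and flags entries whose command has no directory path (so Windows resolves it through the search path at boot) or whose executable name appears under more than one autostart location. The sample log lines are constructed from the entries quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines in HijackThis v1.97 format, modelled on the
# entries quoted in the thread above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Registry autostart entries: "O4 - HKLM\..\Run: [label] command"
REG_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$')
# Startup-folder entries: "O4 - Global Startup: name.lnk = target"
STARTUP_RE = re.compile(r'^O4 - (Global Startup|Startup): (.*?) = (.*)$')


def parse_o4(log_text):
    """Return (location, label, command) tuples for every O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = REG_RE.match(line)
        if m:
            hive, key, label, cmd = m.groups()
            entries.append((hive + "\\" + key, label, cmd))
            continue
        m = STARTUP_RE.match(line)
        if m:
            loc, label, cmd = m.groups()
            entries.append((loc, label, cmd))
    return entries


def executable_of(cmd):
    """Program part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ')[0]


def triage(log_text):
    """Flag autostart entries that lack a directory path or recur across locations."""
    by_name = defaultdict(list)
    findings = []
    for loc, label, cmd in parse_o4(log_text):
        exe = executable_of(cmd)
        name = exe.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        by_name[name].append(loc)
        if '\\' not in exe:
            findings.append((name, "no path: resolved via the search path at boot", loc))
    for name, locs in by_name.items():
        if len(locs) >= 2:
            findings.append((name, "registered in %d autostart locations" % len(locs),
                             ", ".join(locs)))
    return findings


if __name__ == "__main__":
    for name, why, where in triage(SAMPLE_LOG):
        print("%-16s %-48s %s" % (name, why, where))
```

Run against the sample, every finding points at navscan32.exe: three entries with no path and one note that the same name is registered under HKLM\Run, HKLM\RunServices and HKCU\Run. Entries with a full, quoted or unquoted path and a single registration (igfxtray, realmon, ctfmon, OSA.EXE) produce nothing, which matches John's reading that the rest of the log is clean.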
 
Yes, disabled system restore and removed all instances of it. Ran disk cleanup as well and removed all temporary internet files. Will try to remove Navscan32.exe then and let you know the results.

Thanks,

Steve.
 
NAVSCAN32 is a Norton Anti Virus Scan program component from the free online scan service.


To effectively improve in the efficiency of your performance, one must be proficient in the implementation of a positive mental attitude.
 
zgtrman

I can find no instances of navscan32.exe on the Symantec support site, nor can I find anything on it via Google suggesting it is a legitimate program.

The fact that it is set to load 3 times suggests to me that there is something dodgy about it, particularly as the rest of the log appears clean.

John
 
...not to mention that it's taken up residence in System32...

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Navscan has always been present when I previously used Norton, which is one of the reasons I do not run Norton anymore. It seems to creep into everything and slow the computer down above all else. I have switched to using HijackThis, Trend Micro and Panda Software. These seem to help more than Norton ever could.

Every day you learn something new; the day you don't is the day you die... so make someone live longer, teach them something... MUTT
 
This is a Norton component - you would be better advised to delete the following:

C:\WINDOWS\LogWatNT.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

Obviously I don't know all the programs you are running, so it would be an idea to check that these are not related first - but the above is definitely Norton. I am currently cleaning at least a couple of machines a day and have seen this often.

Hoping this helps,

Kes :)
 
As I have never installed Norton or used their online scan facility I don't know how it's got there; we have only ever used eTrust InoculateIT Anti-virus, which is shown by the entry:

O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"

Kesser,

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

Seems to be a Windows Media Player file,

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe

Is an Intel System Graphics tray icon, and isn't

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

The downloaded Microsoft Update Program?

Will be trying to see which one of these is causing the problem later today, so will let you know the results.

Thanks,

Steve.

 
Thanks for your help, it was NAVSCAN32.exe that was the problem. Removed any NAVSCAN32.exe entries and it solved it. This is in fact a worm called RBot-an that had written these values to the registry. Our anti-virus vendor, Computer Associates, have since added cure and deletion for this to their latest virus signature, a bit too late for me though!

Thanks,

Steve.
 