HijackThis log, homepage resetting itself 2


dyarwood

Programmer
Nov 3, 2003
1,483
GB
Hi all

Need a bit of help with this HijackThis log. The problem I'm getting is that my homepage keeps resetting itself to an about:blank page no matter how many times I reset it to either yahoo.co.uk or google.co.uk. Can anyone suggest any problems?


Logfile of HijackThis v1.97.7
Scan saved at 09:29:08, on 21/05/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\CLEARLOG.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NORMAN\nvc\bin\Zanda.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\DSentry.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
C:\Program Files\Labtec\Wireless Mouse\MulMouse.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINNT\mslagent\mslagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = casexc01:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINNT\mslagent\4b_1,0,1,0_mslagent.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4CF97817-9E89-4E76-B7CD-84FFE176965C} - C:\WINNT\system32\ikkij.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1012.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: PhoneManager.lnk = C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
O4 - Global Startup: Labtec Mouse Software 2.0.lnk = C:\Program Files\Labtec\Wireless Mouse\MulMouse.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} -
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -

Thank you in advance for any help you can give

dyarwood
 
Just a small thought, not sure if it will help or not, but could the problem be the R0 entries? There does not seem to be one containing \Main, only \Search.

Any thoughts are welcome.

dyarwood
 
Hello dyarwood,
Ad-Aware 6 (free), Pest Patrol Home (not free) and ASEscanner (free) are all excellent utilities for dealing with BHOs, hijackers, spyware etc. No-one should be without the latest versions. They are all easily findable on the web. It sounds like you have been hijacked, and I did see one doubtful BHO and possibly a dialler in the HijackThis log - though others might spot more. The spyware tools I mention will deal safely with most of these, and their after-effects, and will give you back your IE settings. Spybot Search and Destroy is another free and popular defence.
 
Downloaded Spybot as I use it at home. It picked up the dialler and a few other things, which I promptly got rid of. Currently downloading a load of spyware protection stuff.
 
Dyarwood,

Firstly, try and terminate MSLAgent.EXE from Task Manager and then untick the following items in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = casexc01:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINNT\mslagent\4b_1,0,1,0_mslagent.dll
O2 - BHO: (no name) - {4CF97817-9E89-4E76-B7CD-84FFE176965C} - C:\WINNT\system32\ikkij.dll
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent.exe
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) -
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} -
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) -
EAnthology is spyware, so uninstall it and run a virus checker.
MSL Agent is the Wintrim Trojan - more information from
I note that this machine is not yet on service pack 4. If you don't have it available on CD, you can get Microsoft to send you the Security Update CD for free which includes it amongst others. More information from
John
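As an added illustration of the checks John applies to the log above (example code, not from the thread or from HijackThis itself): a small Python triage script that splits HijackThis entries, including lines that were fused together when the log was pasted, and flags IE start/search settings served out of a local DLL via res:// together with any BHO that loads that same DLL. The sample entries are constructed from the log posted above.

```python
import re

# Constructed sample taken from the log posted above; the second line shows how
# a pasted log gets fused (an empty-valued entry swallowing the next one).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ikkij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = casexc01:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4CF97817-9E89-4E76-B7CD-84FFE176965C} - C:\WINNT\system32\ikkij.dll
"""

# Every entry begins with a section code ("R1", "O2", "O16", ...) followed by " - ".
ENTRY_START = re.compile(r"(?<!\S)(?=(?:R[0-3]|F[0-3]|O\d{1,2}) - )")
RES_DLL = re.compile(r"res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)
BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")


def split_entries(text):
    """Return one HijackThis entry per item, splitting lines that extraction
    fused together on the section code that starts each entry."""
    entries = []
    for line in text.splitlines():
        entries.extend(c.strip() for c in ENTRY_START.split(line) if c.strip())
    return entries


def triage(entries):
    """Flag IE settings served from a local DLL via res://, then any BHO loading
    that same DLL (the component re-applying the hijack). Returns (severity, entry, reason)."""
    findings, hijack_dlls = [], set()
    for e in entries:
        if e.startswith(("R0 - ", "R1 - ")):
            m = RES_DLL.search(e)
            if m:
                dll = m.group("dll").rsplit("\\", 1)[-1].lower()
                hijack_dlls.add(dll)
                findings.append(("high", e, f"IE setting points at HTML inside {dll}"))
            elif ",ProxyServer = " in e:
                findings.append(("info", e, "proxy set; confirm it is the expected one"))
    for e in entries:
        m = BHO.match(e)
        if not m:
            continue
        dll = m.group("path").rsplit("\\", 1)[-1].lower()
        if dll in hijack_dlls:
            findings.append(("high", e, f"BHO loads {dll}, the DLL behind the hijacked settings"))
        elif m.group("name") == "(no name)":
            findings.append(("review", e, "unnamed BHO: identify the file before keeping it"))
    return findings
```

Running `triage(split_entries(SAMPLE_LOG))` rates both res:// entries and the ikkij.dll BHO as high, leaves the Acrobat helper as an unnamed BHO to review, and notes the proxy setting for confirmation.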
 
Cheers John

I ran CWShredder on the computer and the webpage now works. Will have to get the person to run the HijackThis report again and see if it has removed anything.
 
I got the updated log and it all looks a lot nicer. Most of the stuff above was removed. The spyware you mentioned and the trojan were removed. Will get the upgrade for them.

Cheers again for your help. Have a shiny thing.

dyarwood
 
I'm having the exact same problem. I've spent the past few days researching this, and I did happen to find some instruction on how to remove it on but it seems that the url I got it from is down..so if I find it, I will post it here.
 
I ran Spybot and it showed waaay too many red entries.
So I ran the fix it now bit and it hung!
Any suggestions, please?

Many thanks
 
The way I got this sorted was to download CWShredder and run that. It cleared up a few things, then I ran HijackThis again and the log looked a lot cleaner.
 
Storm

Try Ad-aware from as a second tool, or the Bazooka spyware scanner from
Check the applications set to load at startup - do you need IM applications such as MSN or Yahoo Messenger (or could you load them later if you wanted an online chat, for example). Failing that try my FAQ in this forum on how to read and understand a HijackThis log.

John
 
The way I got this sorted was to download CWShredder and run that. It cleared up a few things, then I ran HijackThis again and the log looked a lot cleaner.

In my case, that's only a temporary solution.. for about a few hours.. in safe mode. Exactly what program or file is loading these DLL files? Is it something I could possibly just delete, or is it a corrupted file that I need to run my WinXP?
 
Dyarwood,

Yes, it will come back. This is not something you can just go and delete and the problem is solved; this pest will just come back and come back and keep coming back. After at least a week of searching for what this could be, I looked at that link you provided and printed out the instructions for the procedure. One thing though, the link to download that program called "TheKillBox" doesn't seem to have that file on their site anymore. So I'm going to go look and see if I can find another copy somewhere else.
 
I found the same thing about KillBox. Not found it yet but will have to search for it soon.
 
I found it.. But those instructions didn't really help me much. In the reg file, "AppInit_Dlls" had 4 "0"s when I checked the binary data. (But I can delete the file that makes those out of the system32 folder without going into safe mode, thanks to KillBox.) But I did find something interesting about my case. It only loads when the internet browser opens up or if something on my computer connects to the internet..

Anyone think they can solve my problem?
 