
HijackThis log - webtracer keeps returning 2


JillC (Technical User, Jan 10, 2001, AU)
When I ran Hijack This and saw a line which said that IE's start page would change to webtracer obfuscated address, I figured I'd found my problem. However, after deleting this line, it just seems to return.

Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:47 PM, on 3/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\isafe.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Kym Decinque\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kym Decinque\Application Data\Mozilla\Profiles\default\sh02wepu.slt\prefs.js)
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FDA52CA-D9A5-416C-AAF1-1EF2E1F73C67}: NameServer = 203.0.178.191
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

IE keeps getting hijacked by random sites - some of them porn which is definitely not what I want.

Netscape seems to run extraordinarily slowly.

The system tray has lost half the icons.

The CD drive won't autorun any more and is quite a problem to get some files to open.

I thought I had removed all the trojans but I keep coming unstuck. Please help.
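The log above is the whole case, so here is a small triage script, added as an example for this thread (it is not part of HijackThis and not code from any poster). It parses the R0/O16/O17/O19/O21 lines from a constructed excerpt of the posted log, flags the entries a responder would act on, and prints the reg.exe/del commands to run from Safe Mode with Command Prompt, since the SSODL DLL is loaded into Explorer and cannot be deleted in a normal session. The registry paths are the keys those HijackThis sections report on; the flagging rules, the `KNOWN_GOOD_START` set and the `trusted_dns` argument are the author's assumptions, and the `(obfuscated)` start-page placeholders are kept as the forum shows them.

```python
"""HijackThis log triage for the thread above (added example, not HijackThis code).

Flags the entries a responder would remove and prints the Safe Mode
(Command Prompt) commands that remove them. Registry paths follow the
HijackThis section definitions; rules and allow-lists are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the posted log (raw string: backslashes are literal).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FDA52CA-D9A5-416C-AAF1-1EF2E1F73C67}: NameServer = 203.0.178.191
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Start pages accepted without question (assumption; add the site's own default).
KNOWN_GOOD_START = {"about:blank"}

# Keys behind each HijackThis section (what the section reports on).
IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
IE_STYLES = r"HKCU\Software\Microsoft\Internet Explorer\Styles"
DPF_KEY = r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units"
TCPIP_IF = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
SSODL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

GUID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
R0_RE = re.compile(r"^R0 - (HKCU|HKLM)\\" + re.escape(IE_MAIN) + r",Start Page = (.*)$")
O16_RE = re.compile(r"^O16 - DPF: " + GUID + r"(?: \((.*?)\))? - (.*)$")
O17_RE = re.compile(r"^O17 - .*\\" + GUID + r": NameServer = (\S+)")
O19_RE = re.compile(r"^O19 - User stylesheet: (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - " + GUID + r" - (.*)$")


@dataclass
class Finding:
    section: str
    detail: str
    fix: list = field(default_factory=list)  # cmd.exe lines for Safe Mode with Command Prompt


def _local_path(url: str) -> str:
    """file://c:\\x.cab -> c:\\x.cab (only file:// sources reach here)."""
    return url[len("file://"):]


def triage(log: str, trusted_dns=()) -> list:
    """Return the entries a responder would remove, in log order."""
    findings = []
    for line in log.splitlines():
        if (m := R0_RE.match(line)) and m.group(2) not in KNOWN_GOOD_START:
            hive, value = m.groups()
            findings.append(Finding("R0", f"{hive} start page = {value}", [
                f'reg add "{hive}\\{IE_MAIN}" /v "Start Page" /t REG_SZ /d about:blank /f']))
        elif (m := O16_RE.match(line)):
            clsid, name, src = m.groups()
            # An unnamed Downloaded Program entry installed from a local cab is the
            # CoolWebSearch pattern; named entries (msxml4 here) are left alone.
            if src.lower().startswith("file://") and name is None:
                findings.append(Finding("O16", f"unnamed DPF {clsid} from {src}", [
                    f'reg delete "{DPF_KEY}\\{clsid}" /f',
                    f'del "{_local_path(src)}"']))
        elif (m := O17_RE.match(line)):
            guid, ns = m.groups()
            if ns not in trusted_dns:  # a resolver the user did not set is a hijack
                findings.append(Finding("O17", f"interface {guid} resolver {ns}", [
                    f"REM confirm {ns} is not the ISP resolver before running the next line",
                    f'reg delete "{TCPIP_IF}\\{guid}" /v NameServer /f']))
        elif (m := O19_RE.match(line)):
            # IE user stylesheets are almost never set deliberately; CWS uses one.
            findings.append(Finding("O19", f"user stylesheet {m.group(1)}", [
                f'reg delete "{IE_STYLES}" /v "User Stylesheet" /f',
                f'del "{m.group(1)}"']))
        elif (m := O21_RE.match(line)):
            name, clsid, dll = m.groups()
            # SSODL DLLs load into Explorer at logon, so the file is locked in a
            # normal session: remove it from Safe Mode with Command Prompt.
            findings.append(Finding("O21", f"SSODL {name} {clsid} -> {dll}", [
                f'reg delete "{SSODL_KEY}" /v "{name}" /f',
                f'del "{dll}"']))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.detail}")
        for cmd in f.fix:
            print("    " + cmd)
```

Run it as-is to see the seven flagged entries and their commands; pass `trusted_dns={"203.0.178.191"}` once the resolver has been confirmed as the ISP's, and the O17 line drops out. The O23 and O4 entries are deliberately not matched: the services and the SpySubtract startup link are the user's own software.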
 
Remove the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (obfuscated)

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (you will need to boot into safe mode with command prompt and delete this)
 
The instructions posted above are right on, but without disabling System Restore prior to removal, you'll find yourself running in circles with most malware infections. As they are preserved in the restore points, that is why entries "keep coming back."

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Thanks Ali, It must have been the SystemCheck2 which was causing the problem.

Thanks Carrr, but I did disable system restore - just hadn't got as far as figuring out the next bit.

Thanks JFBouchard but I've no idea what I'm looking at with that autoruns.

Having solved the malware, I'm having real trouble with the CD drive. Can't get it to autoplay anything and it is very slow to start, i.e. open a file. Netscape had been installed in order to get around the hijacked IE problems and it was set as the default browser. However, it took a wet week to start up. So I uninstalled it and put a CD in the drive, got an error message to say that the autorun feature was not working and was instructed to reinstall IE. So, it looks to me that I have to UNinstall IE first - how do I do that?

Thanks for your help.
 
You don't uninstall IE from an XP OS. It's so integrated into the OS that you'd trash the system.
Try either:

or


or



Of course, you may get around all of this by simply running through this KB fix:


 
carrr,

Star for the most important part, and my apologies for missing it out !!
 
Well, I spoke too soon. The webtracer hijack kept returning. I searched several help desks and found one site with hundreds of people crying about this thing. It's almost like something is residing in memory as it will reinfect without a reboot.

While I tried a thousand solutions, I think that Spysubtract Pro (from intermute.com) fixed it - must have the latest version (2.64) and update the database, run a FULL scan and then use CWShredder to fix it.

As for the other problems with this PC, not yet solved but that is mostly due to lack of time.
 