Pokredde

ishost help + Startpage hijacking


Hello

 

Can anyone look at this HijackThis log?

 

I have tried to get rid of ishost for 2 days (I have deleted ishost.exe in safe mode) and my default start page keeps changing.

 

My McAfee virus program keeps finding Trojans :)

 

Thanks in advance....

 

Logfile of HijackThis v1.99.1

Scan saved at 21:47:05, on 20-06-2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programmer\Network Associates\Common Framework\FrameworkService.exe

C:\Programmer\Network Associates\VirusScan\Mcshield.exe

C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Programmer\Sygate\SPF\Smc.exe

C:\WINDOWS\System32\svchost.exe

C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe

C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE

C:\Programmer\QuickTime\qttask.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe

C:\Programmer\AnyDVD\AnyDVD.exe

C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe

C:\Programmer\iTunes\iTunesHelper.exe

C:\Programmer\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programmer\PopupDummy!\PopupDummy! 2.62.EXE

C:\Programmer\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Programmer\Internet Explorer\iexplore.exe

C:\Documents and Settings\Tonni Brastgaard\Skrivebord\Ny mappe (3)\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui

O4 - HKLM\..\Run: [shStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Programmer\AnyDVD\ElbyCheck.exe" /L AnyDVD

O4 - HKLM\..\Run: [AnyDVD] "C:\Programmer\AnyDVD\AnyDVD.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: PopupDummy!.lnk = C:\Programmer\PopupDummy!\PopupDummy! 2.62.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe

O9 - Extra button: PopupDummy! - {3C75C1F5-6D83-11d6-9855-00065B6980E9} - C:\Programmer\PopupDummy!\PopupDummy! 2.62.EXE (HKCU)

O9 - Extra 'Tools' menuitem: PopupDummy! - {3C75C1F5-6D83-11d6-9855-00065B6980E9} - C:\Programmer\PopupDummy!\PopupDummy! 2.62.EXE (HKCU)

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Programmer\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\Smc.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe


Hello,

 

I have tried to get rid of ishost for 2 days (I have deleted ishost.exe in safe mode) and my default start page keeps changing.

 

Where is that ishost located? What extension does it have? What scanner tells you this is infected and what infection is it?

Also, what start page do you get?

Keep in mind, you have several realtime scanners running in the background, like Spy Sweeper and SUPERAntiSpyware. They watch your start page, and every attempt to change it, even if you change it yourself, will be blocked again.

 

That's why, when Spy Sweeper or SUPERAntiSpyware alerts you that the start page has been changed and asks if you would like to reset the old value, click NO!

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Delete the contents of this folder, don't delete the folder itself:

 

C:\WINDOWS\temp

 

Post a new HijackThis log in your next reply.

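A small triage script for the HijackThis log format used above, added here as an illustration and not part of the thread or of HijackThis itself: it encodes the two rules behind the entries miekiemoes ticked (an O20 Winlogon Notify handler whose DLL is missing, and an O16 ActiveX download from a host that is not Microsoft's) and lists the current start page for the user to confirm. The sample lines are copied from the logs posted in this thread; the trusted-host pattern and the names triage, Finding and fix_lines are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few entries copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portfolio.smorumnet.dk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winmmz32 - winmmz32.dll (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Assumption: hosts from which an ActiveX download (O16/DPF) is expected on a patched XP box.
TRUSTED_DPF_HOST_RE = re.compile(r"^https?://[^/]*\.(?:microsoft|windowsupdate)\.com/", re.I)

@dataclass
class Finding:
    section: str
    action: str   # "fix" = tick it in HijackThis, "review" = confirm with the user
    reason: str
    line: str

def triage(log_text: str) -> list[Finding]:
    """Apply the two rules the helper used on this log, plus a start-page check."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue          # header lines and "Running processes" paths
        section, body = m.group("section"), m.group("body")
        if section == "O20" and body.startswith("Winlogon Notify:") and body.endswith("(file missing)"):
            # A Winlogon Notify DLL is loaded into winlogon.exe at every logon; a registered
            # handler whose file has been deleted is leftover persistence, not a product.
            findings.append(Finding(section, "fix", "Winlogon Notify handler with missing DLL", line))
        elif section == "O16" and body.startswith("DPF:"):
            url = body.rsplit(" - ", 1)[-1]
            if not TRUSTED_DPF_HOST_RE.match(url):
                findings.append(Finding(section, "fix", "ActiveX download from untrusted host", line))
        elif section == "R0" and "Start Page" in body:
            findings.append(Finding(section, "review", "confirm this is the start page the user chose", line))
    return findings

def fix_lines(log_text: str) -> list[str]:
    """The entries to tick before 'Fix Checked', in log order."""
    return [f.line for f in triage(log_text) if f.action == "fix"]
```

Note that the O18 msnim entry also reads "(file missing)" but is not flagged, matching the helper's decision to leave that harmless leftover alone.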

Hi miekiemoes

 

Thanks for your reply.

 

The file ishost.exe was located in c:\windows\system32

I have deleted it manually in safe mode.

 

My Sygate firewall was constantly telling me that ishost.exe was trying to contact certain IP addresses.

Therefore I googled it and found these details about ishost.exe:

http://www.sophos.com/security/analyses/trojzlobnr.html

 

I have installed spysweeper and superantispyware to get rid of it.

 

Now my antispyware programs keep telling me that my start page has been changed, and even though I click no every time, it just pops up again :)

 

I have followed your instructions about HijackThis and my c:\windows\temp was already empty.

 

Here is a new log:

 

Logfile of HijackThis v1.99.1

Scan saved at 17:33:17, on 21-06-2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programmer\Network Associates\Common Framework\FrameworkService.exe

C:\Programmer\Network Associates\VirusScan\Mcshield.exe

C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Programmer\Sygate\SPF\Smc.exe

C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe

C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE

C:\Programmer\QuickTime\qttask.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe

C:\Programmer\AnyDVD\AnyDVD.exe

C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe

C:\Programmer\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe

C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Programmer\Internet Explorer\iexplore.exe

C:\Programmer\PopupDummy!\PopupDummy! 2.62.EXE

C:\WINDOWS\SYSTEM32\notepad.exe

C:\Programmer\Internet Explorer\iexplore.exe

C:\Programmer\Internet Explorer\iexplore.exe

C:\Documents and Settings\Tonni Brastgaard\Skrivebord\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portfolio.smorumnet.dk/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui

O4 - HKLM\..\Run: [shStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Programmer\AnyDVD\ElbyCheck.exe" /L AnyDVD

O4 - HKLM\..\Run: [AnyDVD] "C:\Programmer\AnyDVD\AnyDVD.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Programmer\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: PopupDummy!.lnk = C:\Programmer\PopupDummy!\PopupDummy! 2.62.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe

O9 - Extra button: PopupDummy! - {3C75C1F5-6D83-11d6-9855-00065B6980E9} - C:\Programmer\PopupDummy!\PopupDummy! 2.62.EXE (HKCU)

O9 - Extra 'Tools' menuitem: PopupDummy! - {3C75C1F5-6D83-11d6-9855-00065B6980E9} - C:\Programmer\PopupDummy!\PopupDummy! 2.62.EXE (HKCU)

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Programmer\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\Smc.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmer\Webroot\Spy Sweeper\WRSSSDK.exe

Now my antispyware programs keep telling me that my start page has been changed, and even though I click no every time, it just pops up again

 

Well, you should click yes... because as I said before, you modify your start page and then you tell your spyware scanners afterwards NO, which means: block the modification and set it back as it was before.

 

Your HijackThis log looks clean.
