trooper1
Premium
join:2002-03-13

hijackthis. adaware false positive? Should I ignore

Attachment: startuplist.zip, 2,227 bytes (startuplist.txt)
  
I ran adaware with the latest definitions. It apparently found these 2 entries.

Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main"Start Page" ("about:blank") Possible browser hijack attempt

Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Search"SearchAssistant" ("about:blank") Possible browser hijack attempt

I removed them. When I removed them, spyware guard popped a message saying that my start up page was being changed from "about:blank" to some "http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0809&pver=6.0&ar=home" page.

I allowed the change to happen. Then I checked my startup page in "internet options". It was changed to "http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0809&pver=6.0&ar=home"

I changed the startup page back to "about:blank".

I ran adaware again. This time, adaware reported one spyware.

Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main"Start Page" ("about:blank") Possible browser hijack attempt

I think it may be an adaware false positive. I am also posting the hijackthis log along with the startup list...

Do you find anything unusual in those entries? Should I add that entry to my adaware ignore list?


Logfile of HijackThis v1.97.7
Scan saved at 16:59:33, on 11/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Quotes\quotes.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
D:\nirjhar\misc\software\Security_Privacy_Registry\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Frank Sinatra
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - D:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [D:\Program Files\Quotes\quotes.exe] D:\Program Files\Quotes\quotes.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: Download with &Shareaza - res://D:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcquest.com
O15 - Trusted Zone: *.windowsupdate.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37987.4171875
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

-
d00by

--
XP Pro SP1a|ZA Pro|Proxo 4.5 JD5000 config|Pentium 3| 256 MB SDRAM ||SM-352B CDRW/DVD Combo Drive || ----- "If you made a better rat than a human, that's not much to boast about."- Sirius Black
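As an added triage example (not code from this thread, from Lavasoft or from HijackThis), the script below parses the Ad-Aware "RegData" detection lines and the R0/R1 registry lines from the posted HijackThis log, undoes the forum's "*" long-line splitting, and applies the policy the replies converge on: a Start Page of "about:blank" is what IE writes for "Use Blank" and is a known false positive, while any other value should be looked at. It also reports which registry values were flagged again on the rescan, which is the signal to watch for when a home page keeps being rewritten after removal. The allowlist (including the Microsoft redirector URL the OP saw IE restore), the verdict strings and all function names are this example's own assumptions.

```python
from __future__ import annotations
import re

# Ad-Aware output as posted in the thread, still carrying the forum's "*"
# line splitting.  SCAN_1 is the first scan (two hits); SCAN_2 is the rescan
# after the OP set the start page back to about:blank (one hit).
SCAN_1 = r"""
Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\In
*ternet Explorer\Main"Start Page" ("about:blank") Possible browser hijack attempt
Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\I
*nternet Explorer\Search"SearchAssistant" ("about:blank") Possible browser hijack attempt
"""
SCAN_2 = r"""
Possible Browser Hijack attempt RegData Data Miner HKEY_CURRENT_USER:Software\Microsoft\I
*nternet Explorer\Main"Start Page" ("about:blank") Possible browser hijack attempt
"""
# R0/R1 lines from the posted HijackThis log, same split format.
HJT_R_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Expl
*orer provided by Frank Sinatra
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher
*=localhost:1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
"""

# Start Page values treated as known-good.  "about:blank" is IE's "Use Blank"
# setting (the thread's conclusion); the redirector URL is the value IE put
# back after the entry was removed, and calling it vendor-default is this
# example's assumption, not something the thread establishes.
KNOWN_GOOD_START_PAGES = {
    "about:blank",
    "http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0809&pver=6.0&ar=home",
}

ADAWARE_RE = re.compile(
    r'RegData Data Miner (?P<hive>HKEY_[A-Z_]+):(?P<key>[^"]+)"(?P<name>[^"]+)" \("(?P<data>[^"]*)"\)'
)
HJT_R_RE = re.compile(
    r"^(?P<section>R[01]) - (?P<hive>HK[A-Z]{2})\\(?P<key>[^,]+),(?P<name>[^=]+?) = ?(?P<data>.*)$"
)


def join_split_lines(text: str) -> list[str]:
    """Undo the forum's long-line splitting: a line starting with '*' continues the previous one."""
    out: list[str] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("*") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_adaware_scan(text: str) -> list[dict]:
    """Return one dict (hive, key, name, data) per RegData detection line."""
    return [m.groupdict() for line in join_split_lines(text) if (m := ADAWARE_RE.search(line))]


def parse_hjt_registry_lines(text: str) -> list[dict]:
    """Return one dict (section, hive, key, name, data) per R0/R1 line."""
    return [m.groupdict() for line in join_split_lines(text) if (m := HJT_R_RE.match(line))]


def value_path(hit: dict) -> str:
    return f'{hit["hive"]}\\{hit["key"]}\\{hit["name"]}'


def triage(hit: dict) -> str:
    """Verdict for a flagged start-page-style value (verdict strings are this example's own)."""
    data = hit["data"].strip().lower()
    if data in KNOWN_GOOD_START_PAGES:
        return "likely false positive (known-good value)"
    if data.startswith(("http://", "https://")):
        return "review: confirm this URL is one you set yourself"
    return "review: unexpected value"


def recurring(first: list[dict], second: list[dict]) -> list[str]:
    """Registry values flagged in both scans.  A value that is back after removal was
    either restored by the user (the OP's case) or is being rewritten by something."""
    seen = {value_path(h) for h in first}
    return sorted(value_path(h) for h in second if value_path(h) in seen)


if __name__ == "__main__":
    first, second = parse_adaware_scan(SCAN_1), parse_adaware_scan(SCAN_2)
    for hit in first:
        print(f'{value_path(hit)} = {hit["data"]!r}: {triage(hit)}')
    print("flagged again on rescan:", recurring(first, second))
    for entry in parse_hjt_registry_lines(HJT_R_LINES):
        print(f'{entry["section"]} {entry["hive"]}\\{entry["key"]} {entry["name"]} = {entry["data"]!r}')
```

Running it on the thread's own data gives "likely false positive" for both about:blank hits and shows that only the Main\Start Page value came back on the rescan, which the OP explains by having reset it manually. On a box where the value returns without anyone touching it, the recurring list is the thing to investigate rather than the detection itself.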


Martinus
Premium
join:2001-08-06
EU


I guess that's a bug. "about:blank" is a legitimate Start Page in IE. It is set when you select "Use Blank" for homepage in the IE Settings.

It also found it on my box after scanning with the latest ref file.
According to the Ad-Aware description:

quote:
Category: Data Miner
Description: Possible attempt to control\redirect the browser. This object refers to a "blacklisted" site.
Sounds like a strange URL to be "blacklisted"
--
From the GSV "Ethics Gradient"


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

reply to trooper1
It is basically an FP.

»False Postive in latest Ad-Aware Release?



dp
Premium,MVM
join:2000-12-08
Greensburg, PA
kudos:7

reply to trooper1
Just add it to your ignore list or change your Start Page to an actual URL. If you follow the link provided by John2g, Aaron Hulett from Lavasoft provided the explanation for it.
--
Write your questions down on the back of a $20 dollar bill and send them to me


stever434

join:2004-05-17
Lincoln, NE

reply to trooper1
There may be more here than you are realizing folks.

I am having all the same symptoms here. One thing the first person didn't mention is whether he CAN change his home page.

I cannot.

I run adaware, and it fixes the problems and the 'malware' registry entries. If I run adaware again, it is fixed. The problems are gone. I reset my home page to be blank.

But within a few minutes, my home page is set to MSN again.
When I open a new browser, that is where I go, and the settings for my home page are again as described in the original message here.

There is indeed a spyware/malware/hijack problem here that keeps re-inserting itself, at least for me.



John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

said by stever434:
There may be more here than you are realizing folks.

I don't think so. SpyBot started detecting the same registry key some months ago. In my case, and a few other people, it was detecting an entry by ScriptSentry.

I reckon you have some other problem.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.


dp
Premium,MVM
join:2000-12-08
Greensburg, PA
kudos:7

reply to stever434

said by stever434:
I run adaware, and it fixes the problems and the 'malware' registry entries. If I run adaware again, it is fixed. The problems are gone. I reset my home page to be blank.

But within a few minutes, my home page is set to MSN again.
When I open a new browser, that is where I go, and the settings for my home page are again as described in the original message here.

There is indeed a spyware/malware/hijack problem here that keeps re-inserting itself, at least for me.

Can you post your ad-aware log of what it is finding and removing? Also, have you tried CWShredder? You can download it at »www.spywareinfo.com/~merijn/file···dder.zip
--
Write your questions down on the back of a $20 dollar bill and send them to me


jeisenberg
New Year's Eve

join:2001-07-06
Windsor, ON

reply to trooper1
I'm going to suggest a more innocent possibility. We all know that occasionally (based on some algorithm), the IE browser automatically goes to the Windows Update site. Since starting to use the new Spybot 1.3, which offers protection against unauthorized changes to the registry, I noticed an attempt to write a similar URL to my registry. I gave Spybot permission to allow the change, and the next time I started IE, I was taken to the Windows Update site.

The URL I saw seemed very similar to the one shown in the "warning message" posted by d00by.

Hey, if anyone was trying to hijack a machine, why the heck would they send you to MSN?



alpha_red mage

@adsl.wanadoo.nl

hey guys, I kinda got the same problem here. Ad-Aware keeps telling me that there is an infected file on my pc. Then it removes it. But when I go to my Internet browser it jumps on google.com (my main start page) for just once. The next time it goes to that funky blank page. Now how can I stop this?


© 1999-2012 dslreports.com.