Jump to content


Photo

hijacked homepage


  • Please log in to reply
9 replies to this topic

#1 byron harri

byron harri

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 28 June 2004 - 06:31 AM

My home page is always reset to 69.50.191.139
I've run Spybot
Read FAQ on this site too.
Checked boxes containing this url and asked hijackthis to fix, items removed but return on a restart
files have begun appearing in a folder on my desktop that I accessed when i downloaded Hijackthis. I must have deleted somethig??? When I tried to delete them from this folder copies appeared. When I emptied the trash more copies appeared I think. I now have many copies of copies (3 I think) and will not delete again.

Thanks for any suggestions


Logfile of HijackThis v1.97.7
Scan saved at 07:07:08, on 6/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\CREATIVE\MEDIASOURCE\REMOTECONTROL\RCMAN.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\STUFF THAT HELPS THE COMPUTER RUN\HIJACKTHIS.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\IPHLPSVR.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=1009
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BMI Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.bmts.com"); (C:\Program Files\Netscape\Communicator\BMI Internet\prefs.js)
O2 - BHO: (no name) - {B25CC644-0639-48B7-89DF-B7F24BA2CF3B} - (no file)
O2 - BHO: (no name) - {d25d5de7-b23b-4021-9c74-876a9d410aae} - C:\WINDOWS\APPLICATION DATA\IEZPFOOEAO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\SYSTEM\WER1306.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: htoaoufthgd - {04f5a3a0-8933-43f3-94f8-fa8b05562358} - C:\WINDOWS\APPLICATION DATA\IEZPFOOEAO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {D4A31C0A-7C73-4702-9EFF-4F98DD229A23} - http://server2.myesp...bar2/myband.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab

#2 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 28 June 2004 - 07:21 PM

Hello,

You have a CoolWebSearch infection:

Please click here to download CWShredder by Merijn Bellekom. Boot into safe mode and then run the program,with all other windows closed, hitting 'fix' as opposed to 'scan only.' Then reboot and run the program a second time. Reboot when finished.

Click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives," "Scan active processes," "Scan registry," "Deep scan registry," "Scan my IE Favorites for banned sites" and "Scan my Hosts file."

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot when finished.

Next, perform an online virus scan at Trend Micro and an online Trojan scan at Sygate. (Links are in my signature below). NOTE: You may have to allow Sygate to have access through your firewall, or disable your firewall. Be certain to re-enable the firewall once the scan has finished. Allow these programs to delete anything they may find. Reboot after each scan.

When finished, rescan with HijackThis and post a fresh log to this same thread.

#3 byron harri

byron harri

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 29 June 2004 - 07:57 AM

Thanks, I'll proceed with your advice and will update you on this thread when all is completed

#4 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 29 June 2004 - 02:04 PM

Hi,

When you've finished with all of the above, and you're ready to post a new HJT log, please remove your current version of HJT (1.97.7) and replace it with version 1.98, just released today.

#5 byron harri

byron harri

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 29 June 2004 - 10:11 PM

I hope I did all you said. I was interupted a few times and had to leave the machine. Each process happened, and I believe the machine was rebooted between each. Ad-aware found about 350 items - they were removed except for one, but it did not show up on a second scan that happened automatically on the reboot ??? Trend Micro found nothing, but did scan. I had used this utility before. I regularly run Spybot too, and keep it up to date. I had less luck with sygate. I tried 3 times, but it claimed I was blocking its attempts. I do not have a firewall installed, to my knowledge. I do get warning from Spybot about items that are trying tgo get in ( Avenue A etc.) I always say no. No idea why Sygate wouldn't scan.

I downloaded the latest Hijack This and ran it. I did not fix anything. but attach the log file generated below. All these backup files are appearing in the folder that hijack this is in. Is this supposed to happen?

Thanks for your attention to my situation.

byron

Logfile of HijackThis v1.98.0
Scan saved at 22:39:02, on 6/29/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\CREATIVE\MEDIASOURCE\REMOTECONTROL\RCMAN.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\IPHLPSVR.EXE
C:\WINDOWS\DESKTOP\STUFF THAT HELPS THE COMPUTER RUN\HJT\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.139/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.139/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.139/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.139/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BMI Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.bmts.com"); (C:\Program Files\Netscape\Communicator\BMI Internet\prefs.js)
O2 - BHO: (no name) - {B25CC644-0639-48B7-89DF-B7F24BA2CF3B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro...usecall_pre.php (file missing)
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {D4A31C0A-7C73-4702-9EFF-4F98DD229A23} - http://server2.myesp...bar2/myband.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#6 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 30 June 2004 - 12:47 AM

Hello,

You're welcome. :D

Don't worry about the Trojan scan. You can download a free trial of TrojanHunter here: http://www.misec.net/ Manually update the definitions and then perform a scan. Allow the program to delete all that it may find. Reboot when finished.

Yes, backup files will be created in the HJT folder. This is normal.

You may want to consider uninstalling Messenger Plus. See this post: http://www.spywarein...june-2003/3.php After uninstalling it in Add/Remove Programs, also fix the items highlighted in RED below.

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Please run HijackThis in safe mode and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that the items in BLUE are optional suggested fixes that will not remove the programs, only keep them from running at start-up, and may have the added benefit of freeing up some of your system’s resources.

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.139/search.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.139/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.139/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.139/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.139/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.139/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.191.139/search.php

O2 - BHO: (no name) - {B25CC644-0639-48B7-89DF-B7F24BA2CF3B} - (no file)

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)

O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=1009 (file missing)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro...usecall_pre.php (file missing)

O16 - DPF: {D4A31C0A-7C73-4702-9EFF-4F98DD229A23} - http://server2.myesp...bar2/myband.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab


Next, change your settings to show hidden files and folders and delete the following:

C:\Program Files\Messenger Plus! 2\ < folder

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Reboot.

Proceed to the Windows Update site (see link below) download and install ALL critical updates.

Reboot when finished.

Scan with HijackThis and post a fresh log into this same thread.

#7 byron harri

byron harri

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 30 June 2004 - 10:05 AM

Completed all you suggested. I emptied the temp files you suggested

C:\windows\temp
C:\Temp
also Internet Temps, including online content
also a temp file AUHOOK that had a bunch of zip files etc. Proprties said it was created yesteday in the afternoon, when one of the kids was on the machine. I just notice the same word showing up at the bottom of the log file, which was made after I deleted the said temp files. Any significance?

Using TEMP in a search yields a few other folders called Temp - in my Email program (eudora), and in a filemaker pro program I use extensively in my work related duties. Should these be emptied as well? I have not done this as yet.

Two critical updates were installed.

I read the article on messenger plus. I deleted the folder you suggested in Program files - but - I have not uninstalled Messenger Plus Using Add/Uninstall.

When I did try, it gave me a message that the program had been altered, perhaps by some other advertising program or remover, and then suggest it could try to fix this problem. Failing this I should reinstall the program from the sponsor and then try to uninstall again. In the error message there was a spelling/grammatical error that made me suspicious. It said if you have any complains (sic) instead of complaints I should ....
the origin origin of this message was unclear. Should I let it try to fix itself or take some other action?

Thanks again. So far so good. Current log file pasted below

Byron


Logfile of HijackThis v1.98.0
Scan saved at 10:49:01, on 6/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE
C:\PROGRAM FILES\CREATIVE\MEDIASOURCE\REMOTECONTROL\RCMAN.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\IPHLPSVR.EXE
C:\WINDOWS\DESKTOP\STUFF THAT HELPS THE COMPUTER RUN\HJT\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BMI Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.bmts.com"); (C:\Program Files\Netscape\Communicator\BMI Internet\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro...eCallButton.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#8 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 30 June 2004 - 02:04 PM

Hello,

You're very welcome! Posted Image Your log is looking good now.

The file, AUHOOK.DLL, is a valid windows file. As for files in Temp folders. They should be okay to delete as the idea behind a Temp folder is to provide temporary storage for short-term files. Any temp file you're not sure about, just leave in the Recycle Bin for a few days to make sure it's really not needed. If it is, you can restore it. After a few days, empty the Recycle Bin.

You can boot into Safe Mode and see if you can then remove Messenger Plus in Add/Remove Programs. If you can't, don't be concerned about it as you have removed the folder and all its contents.

Go here: http://java.com/en/index.jsp and read the FAQs and all other info regarding the Java Virtual Machine. (Click on the links in the bright green box on the upper right). Your system will be more secure if you use this free software to replace the one provided by Microsoft.

Download IE-SPYAD here: http://www.staff.uiu...rce.htm#IESPYAD

It will place over 5000 sites in your restricted zone so that you don't accidentally visit innocent appearing sites that aren't really innocent.

Scan often with Spybot Search and Destroy and Ad-aware to remove malware before it gains a foothold on your computer. (Links below). Install SpywareBlaster and SpywareGuard to keep baddies from invading your system. (Links below).

Make sure you keep your system updated by frequent visits to the Windows Update site (see link below). Always install ALL critical updates.

You don't appear to be running a firewall. I suggest you use one of the excellent free firewalls the links for which are in my signature below.

Please take a minute or two to read the short article, "How did I get infected in the first place?" (See link in my signature below). You will find good information on keeping your system clean in the future, as well as links for excellent free anti-spyware tools.

:wave:

#9 byron harri

byron harri

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 30 June 2004 - 08:45 PM

Thanks a lot. I'll do as you suggest with the java downloads. I already use spybot with some regularity. I've noticed that there has not been an updated file in some weeks now. I always have clean scans now, but when I first used it I had dozens (many) of bad items. I'll use ad-aware now too. I'll try to educate myself about firewalls too. I had one for a short while but thought it inconvenient at the time, but in light of the time I spent following your directions, and the time you must spend guiding the uninformed through these steps, the firewall perhaps does not seem as inconvenient. I'm sure too there must be ways to optimize the settings to have it work for you. I'll just have to learn. I was (and at work still am an Apple user) It has been a long road learning the ins and outs of my PC. But I do enjoy learning, and have appreciated your excellent guidance.
I'll post again if there is a problem, but all appears to be well for the moment.

Thanks again,

Byron

#10 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 30 June 2004 - 09:08 PM

Byron,

You're very welcome. I'm glad we could help.

On the Spybot S&D, check and make sure you're using version 1.3 as earlier versions are no longer being supported with updates.

I think you're doing super great for someone who's not oriented to the ways of the PC. I haven't used an Apple in years, and I shudder at the thought of having to relearn that OS from scratch!

Yes, a firewall is very important. I'm sure it won't take you long to get the hang of using one. Zone Alarm is probably the easier one to start out with.

:wave:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button