Unwanted browser


  • This topic is locked
3 replies to this topic

#1 Wicka

    Member

  • New Member
  • 1 posts

Posted 28 June 2004 - 08:23 PM

I have read the FAQ section before posting this topic.
Each time I start my computer, it resets my IE browser to an unwanted site: http://morefinders.com.
I have downloaded, updated and run CWShredder, Spybot S&D, AdAware and HiJackThis. These programs fix the problem until the next reboot. I have attached the HiJackThis log for perusal. Thanks. Wicka

HiJackThis before fixing.
Logfile of HijackThis v1.97.7
Scan saved at 4:39:20 PM, on 29/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\mmtask.tsk
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\TASKMON.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\WINDOWS.000\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS.000\SYSTEM\VETMSG9X.EXE
C:\VET\VETTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SYMANTEC\WINFAX\WFXCTL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SYMANTEC\WINFAX\WFXMOD32.EXE
C:\WINDOWS.000\START MENU\PROGRAMS\PC PROTECTION\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ninemsn.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.ninemsn.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ninemsn.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS.000\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS.000\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS.000\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS.000\SYSTEM\scvhost.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7993.6077314815
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

HiJackThis after fixing.
Logfile of HijackThis v1.97.7
Scan saved at 10:56:59 AM, on 29/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\mmtask.tsk
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\TASKMON.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\WINDOWS.000\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS.000\SYSTEM\VETMSG9X.EXE
C:\VET\VETTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SYMANTEC\WINFAX\WFXCTL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SYMANTEC\WINFAX\WFXMOD32.EXE
C:\WINDOWS.000\START MENU\PROGRAMS\PC PROTECTION\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.ninemsn.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ninemsn.com.au/
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS.000\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS.000\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS.000\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS.000\SYSTEM\scvhost.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7993.6077314815
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

CWShredder before and after scan & fix.

CWShredder v1.59.1 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.or.../hijackthis.zip
http://www.spywarein.../hijackthis.zip

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS.000
Windows system dir: C:\WINDOWS.000\SYSTEM
AppData folder: C:\WINDOWS.000\Application Data
Username: Warrick

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,Search
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer,Search
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://morefinders.com
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://morefinders.com
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: http://morefinders.com/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Infected data: http://morefinders.com/search.html
Found Hosts file: C:\WINDOWS.000\hosts (27348 bytes, R)
Found Win.ini file: C:\WINDOWS.000\win.ini (7992 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=hpfsched
Found System.ini file: C:\WINDOWS.000\system.ini (2125 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

Message after scan & fix.
Done!
Removed from your system:
- 16 infected IE registry values

Edited by Wicka, 29 June 2004 - 06:17 PM.
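
Added example (not part of the original post, and not code from HijackThis or CWShredder): a Python script that parses the R0/R1 and O4 lines from the two logs above, diffs them, and reports what the cleanup removed, where IE's URL settings point afterwards, and which autorun entries survived the cleanup unchanged. Purely as a review heuristic, it also flags any autorun whose executable name is one edit (typo or adjacent-letter swap) away from a well-known Windows process name; that is a prompt to look closer, not a verdict. The log excerpts are copied from the thread; the KNOWN_PROCESSES list and the distance threshold are my own choices.

```python
"""Diff two HijackThis logs: what a cleanup removed, what survived, what looks off.
Added example, not from the original post nor HijackThis/CWShredder code. The
lookalike check (autorun names one edit from a known Windows process name) is a
review heuristic chosen for this example, not a malware verdict."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "kind location name data")

# Excerpts copied from the two logs in the thread: every R line plus two O4 lines.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ninemsn.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.ninemsn.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ninemsn.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS.000\SYSTEM\scvhost.exe
"""
AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.ninemsn.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ninemsn.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ninemsn.com.au/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS.000\SYSTEM\scvhost.exe
"""

R_LINE = re.compile(r"^(R[01]) - ([^,]+),([^=]+?) = (.*)$")          # hive\key,name = data
O4_LINE = re.compile(r"^(O4) - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")  # HKLM\..\Run: [name] cmd
# Assumed list for the lookalike heuristic; extend to taste.
KNOWN_PROCESSES = ("svchost", "explorer", "lsass", "csrss", "winlogon", "rundll32",
                   "services", "systray", "taskmon", "mstask")


def parse_hjt(text):
    """R0/R1 (IE URL settings) and O4 (registry autorun) entries found in a log."""
    entries = []
    for line in text.splitlines():
        m = R_LINE.match(line.strip()) or O4_LINE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def host_of(data):
    """Hostname of an IE URL value; bare names like www.x.com get a scheme first."""
    return urlparse(data if "://" in data else "http://" + data).hostname or ""


def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (scv -> svc) as a single edit."""
    # d[i][0] = i and d[0][j] = j; every other cell starts at 0 and is filled below.
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]


def lookalike_autoruns(entries):
    """(entry name, exe stem, known name) for O4 entries one edit from a known process."""
    hits = []
    for e in (e for e in entries if e.kind == "O4"):
        # Last path component of the command, without arguments or extension.
        exe = (re.split(r"[\\/]", e.data.strip('"'))[-1].split() or [""])[0].lower()
        stem = exe.rsplit(".", 1)[0]
        hits += [(e.name, stem, k) for k in KNOWN_PROCESSES
                 if stem != k and osa_distance(stem, k) == 1]
    return hits


def summarise(before_text, after_text):
    """Compare a log taken before a cleanup with one taken after it."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed = [e for e in before if e not in after]
    persisted = [e for e in before if e in after]

    def hosts(entries):
        return sorted({host_of(e.data) for e in entries if e.kind[0] == "R"})

    return {
        "removed_ie_values": [e for e in removed if e.kind[0] == "R"],
        "hosts_removed": hosts(removed),     # where the removed IE settings pointed
        "hosts_remaining": hosts(after),     # where IE settings point after the fix
        "persisted_autoruns": [e for e in persisted if e.kind == "O4"],
        "lookalikes": lookalike_autoruns(persisted),
    }
```

Run over the two logs, `summarise(BEFORE, AFTER)` reports 16 removed IE values, all pointing at morefinders.com, which matches the "16 infected IE registry values" CWShredder counted, and shows the remaining R entries all point at www.ninemsn.com.au. Because the autorun entries are byte-for-byte identical before and after, a diff like this is useful when a hijack returns on every reboot: the settings that keep changing are symptoms, and the entries the cleanup left untouched are where to look for whatever rewrites them.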


#2 VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 28 June 2004 - 10:59 PM

Could you insert the log via copy-and-paste instead of including the log as an attachment? It makes things easier for the experts here. Thanks.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#3 jack0

    Member

  • Full Member
  • 8 posts

Posted 28 June 2004 - 11:28 PM

Wicka, I had a look through your HiJackThis log file and I cannot see anything that would cause your browser to redirect to a different website. All seems fine.
Wicka, is this log file created after or before you use CWShredder, Spybot S&D and AdAware? If you want more help, post a log file after you reboot and after you have cleaned it so I can have a closer look.

PS: after you use CWShredder, Spybot S&D, AdAware etc., go to the Windows Update site and install all the patches for Internet Explorer, because it is no use just cleaning your computer and not fixing the exploits used to infect your computer in the first place.

Jack

#4 dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 16 October 2004 - 04:30 AM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
