Trinom

www.search-instructor.com

12 posts in this topic

Hi, I have a little problem with my homepage...

 

It changed to http://www.search-instructor.com/user1/

 

Up to here, it's OK. I used Ad-Aware (latest version), SpyBot, CWShredder1590.exe, AboutBuster and fixed some HijackThis lines... after this my homepage is OK.

 

But the real problem is that the spyware homepage reappears 2-3 minutes after reboot (not immediately), and the HijackThis lines that were fixed reappear too :/

 

So, these are my logs.

 

Logfile of HijackThis v1.97.7

Scan saved at 15:39:16, on 29/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVPersonal\AVGUARD.EXE

C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe

C:\Program Files\SpeedTouch USB\Dragdiag.exe

C:\WINDOWS\hrtcm.exe

C:\Program Files\RamBoost XP\rambxpfr.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Programmes\Xfire\Xfire.exe

D:\Programmes\Amphibizorus\mirc.exe

C:\Program Files\AVPersonal\AVGNT.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Programmes\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-instructor.com/user1/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-instructor.com/user1/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.google.fr/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKCU\..\Run: [RamBoostXp] C:\Program Files\RamBoost XP\rambxpfr.exe

O4 - Global Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: AOL Compagnon.lnk = C:\Program Files\AOL Compagnon\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Mémento.lnk = C:\Program Files\Quicken 2000\billmind.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O9 - Extra button: AOL Toolbar (HKLM)

O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)

O9 - Extra button: Real.com (HKLM)

O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing

O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DCBF8-4443-4811-83EF-3EDD7565DAAC}: NameServer = 205.188.146.146

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [version 5.1.2600]

Le type du système de fichiers est NTFS.

C: est intègre.

 

29/06/2004

  3:43pm  up 0 days,  0:15

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    AppInit_DLLs =

    DeviceNotSelectedTimeout = 15

    GDIProcessHandleQuota = REG_DWORD 0x00002710

    Spooler = yes

    swapdisk =

    TransmissionRetryTimeout = 90

    USERProcessHandleQuota = REG_DWORD 0x00002710

 

  »»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI)    ALLOW  Read         BUILTIN\Utilisateurs

(IO)    ALLOW  Read         BUILTIN\Utilisateurs

(NI)    ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir

(IO)    ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir

(NI)    ALLOW  Full access  BUILTIN\Administrateurs

(IO)    ALLOW  Full access  BUILTIN\Administrateurs

(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM

(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM

(NI)    ALLOW  Full access  BUILTIN\Administrateurs

(IO)    ALLOW  Full access  CREATEUR PROPRIETAIRE

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read           BUILTIN\Utilisateurs

Read           BUILTIN\Utilisateurs avec pouvoir

Full access    BUILTIN\Administrateurs

Full access    AUTORITE NT\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group TRINOM\Aucun.

User is a member of group \Tout le monde.

User is a member of group BUILTIN\Administrateurs.

User is a member of group BUILTIN\Utilisateurs.

User is a member of group \LOCAL.

User is a member of group AUTORITE NT\INTERACTIF.

User is a member of group AUTORITE NT\Utilisateurs authentifiés.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[SC] GetServiceKeyName FAILED 1060:

 

Le service spécifié n'existe pas en tant que service installé.

 

[SC] GetServiceDisplayName FAILED 1060:

 

Le service spécifié n'existe pas en tant que service installé.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

    Permissions:

        Type    Flags    Inh. Mask     Gen. Std. File Group or User

        ======= ======== ==== ======== ==== ==== ==== ================

        Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrateurs

        Allow   00000003 tco- 001F01FF ---- DSPO rw+x AUTORITE NT\SYSTEM

        Allow   00000000 t--- 001F01FF ---- DSPO rw+x TRINOM\Ruddy

        Allow   0000000B -co- 10000000 ---A ---- ---- \CREATEUR PROPRIETAIRE

        Allow   00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Utilisateurs

        Allow   00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Utilisateurs

        Allow   00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Utilisateurs

 

    Owner: TRINOM\Ruddy

 

    Primary Group: TRINOM\Aucun

 

 

 

»»»»»»Backups created...»»»»»»

  3:48pm  up 0 days,  0:20

29/06/2004

 

A          C:\FINDnFIX\winBack.hiv

--a--    -   -   -               -   -      8,192 06-29-2004 winback.hiv

A          C:\FINDnFIX\keys1\winkey.reg

--a--    -   -   -               -   -        287 06-29-2004 winkey.reg

 

»»Performing  16bit string scan....

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

UDeviceNotSelectedTimeout

GDIProcessHandleQuota

Spooler

swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota5

 

**File C:\FINDnFIX\WIN.TXT

Øÿÿÿvk    €       fùAppInit_DLLsÖ?æG   °  Ðÿÿÿvk         ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5    # ðÿÿÿ9 0   Ø^ Ðÿÿÿvk   €'     ŒóGDIProcessHandleQuota·øÏàÿÿÿvk    €     Ì”Spooleråðÿÿÿy e s   Øáöw   °  à  0  `  ¨  àÿÿÿvk   €       R¿swapdiskÐÿÿÿvk          kâTransmissionRetryTimeoutàÿÿÿ°  à  0  `  ¨  È    Ðÿÿÿvk   €'     }ÿUSERProcessHandleQuota5¸

 

 

I also notice that this creates a folder C:\junkxxx with nothing inside.

 

Please, I need help, thanks.

:techsupport:

 

 

[Edit: the HijackThis lines that reappear after rebooting are these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-instructor.com/user1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-instructor.com/user1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html

]

Edited by Trinom


Please help me guys :weep:

 

I need to kill this f***** homepage at each reboot

 

Screenshot0001.jpg

 

 

Please please please please !

 

:techsupport:


I don't want to flood, but I really need help :(

I gave all the information and nobody replies to this post :weep:

Edited by Trinom


Hi,

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Next:

 

Close all open windows except for HijackThis, then place a check in each of the following:

Then click "Fix checked".

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-instructor.com/user1/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-instructor.com/user1/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Open Windows Explorer, locate and delete the following:

 

C:\WINDOWS\hrtcm.exe <--this file

 

Restart normally and then ...

 

Download > CWShredder v1.59.1

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Unzip and run it then reboot and then ...

 

Update HijackThis:

Download > HijackThis 1.98

Unzip, if prompted to "replace existing" select: Yes then rescan and post a fresh log.

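One way to turn the helper's fix list into a repeatable check, as an added example that is not part of this thread or of HijackThis itself: the Python script below parses the R0/R1, O3 and O4 line formats seen in the logs above and reports search/start-page entries pointing at a host outside an allowlist, toolbars registered with "(no file)" behind them, and Run entries that start an executable straight from the Windows directory (the pattern of the hrtcm entry). TRUSTED_HOSTS is an assumed allowlist and SAMPLE_LOG is a constructed subset of the first log posted in this thread.

```python
"""Triage helper for HijackThis 1.9x logs (added example, not part of
HijackThis or of this thread).  It flags the three things the helper's
fix list targets:

  * R0/R1 browser-setting entries whose URL host is not on an allowlist
  * O3 toolbar entries registered with "(no file)" behind them
  * O4 Run entries that launch an .exe sitting directly in the Windows
    directory rather than in System32 or Program Files

TRUSTED_HOSTS and SAMPLE_LOG are constructed for this example."""
import re
from urllib.parse import urlparse

# Hosts a user would legitimately have as home or search page
# (assumption for the demo; the poster's Shellnext pointed at google.fr).
TRUSTED_HOSTS = {"www.google.fr", "www.google.com", "www.msn.com"}

# R1 - HKCU\...\Main,SearchURL = http://host/path
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
# O3 - Toolbar: <name> - {CLSID} - <dll path or (no file)>
O3_LINE = re.compile(r"^O3 - Toolbar: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O4 - HKLM\..\Run: [name] "C:\path\prog.exe" /args   (quotes optional)
O4_LINE = re.compile(
    r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] "?([^"]+?\.exe)"?(?:\s.*)?$',
    re.IGNORECASE,
)


def _host_of(value):
    """Hostname of a URL-valued setting, or "" for plain strings such as
    the LinksFolderName value."""
    return urlparse(value).hostname or ""


def _in_windows_root(path):
    # True for <drive>:\WINDOWS\foo.exe, False for System32 or other subdirs
    return re.match(r"^[A-Za-z]:\\windows\\[^\\]+$", path, re.IGNORECASE) is not None


def triage(log_text):
    """Return a list of (log line, reason) pairs worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            kind, key, name, value = m.groups()
            host = _host_of(value)
            if host and host not in TRUSTED_HOSTS:
                findings.append((line, f"{kind} {name} in {key} points at untrusted host {host}"))
            continue
        m = O3_LINE.match(line)
        if m:
            _name, clsid, target = m.groups()
            if target == "(no file)":
                findings.append((line, f"toolbar {clsid} is registered but its DLL is missing"))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, run_name, exe = m.groups()
            if _in_windows_root(exe):
                findings.append((line, f"{hive} Run entry [{run_name}] starts {exe} from the Windows root"))
    return findings


# Constructed sample: a subset of the lines from the first log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-instructor.com/user1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-instructor.com/user1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.google.fr/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKCU\..\Run: [RamBoostXp] C:\Program Files\RamBoost XP\rambxpfr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DCBF8-4443-4811-83EF-3EDD7565DAAC}: NameServer = 205.188.146.146
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it prints exactly the eight entries the helper told the poster to fix: the six search-instructor.com R lines, the orphaned O3 toolbar and the hrtcm Run entry, while the Shellnext line stays quiet because google.fr is allowlisted. The Windows-root check is a narrow heuristic chosen because that is where the re-hijacking executable sat in this log; a flagged line is a candidate for review, not a verdict.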

Oh great, thanks for the reply man! :):wave:

 

I just did it, I hope it will work !

 

I didn't think it was because of hrtcm... ^^

 

I think it's OK, but I will see, thanks again! ;)
