www.search-instructor.com



#1 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 08:54 AM

Hi, I have a little problem with my homepage...

It changed to http://www.search-in...ctor.com/user1/

Until here, it's ok. I used Ad-Aware (last version), SpyBot, CWShredder1590.exe, AboutBuster and fixed some HijackThis lines... after this my homepage is ok.

But the real problem is that the spyware homepage reappears 2-3 min after reboot (not directly), and the HijackThis lines that were fixed reappear too :/

So, these are my logs.

Logfile of HijackThis v1.97.7
Scan saved at 15:39:16, on 29/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\hrtcm.exe
C:\Program Files\RamBoost XP\rambxpfr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Programmes\Xfire\Xfire.exe
D:\Programmes\Amphibizorus\mirc.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Programmes\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-in...ctor.com/user1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-in...er1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-in...er1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-in...ctor.com/user1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-in...ctor.com/user1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-in...er1/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.google.fr/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [RamBoostXp] C:\Program Files\RamBoost XP\rambxpfr.exe
O4 - Global Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Compagnon.lnk = C:\Program Files\AOL Compagnon\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Mémento.lnk = C:\Program Files\Quicken 2000\billmind.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DCBF8-4443-4811-83EF-3EDD7565DAAC}: NameServer = 205.188.146.146



»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [version 5.1.2600]
Le type du système de fichiers est NTFS.
C: est intègre.

29/06/2004
  3:43pm  up 0 days,  0:15

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...



»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs =
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

  »»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read         BUILTIN\Utilisateurs
(IO)    ALLOW  Read         BUILTIN\Utilisateurs
(NI)    ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(IO)    ALLOW  Read         BUILTIN\Utilisateurs avec pouvoir
(NI)    ALLOW  Full access  BUILTIN\Administrateurs
(IO)    ALLOW  Full access  BUILTIN\Administrateurs
(NI)    ALLOW  Full access  AUTORITE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORITE NT\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administrateurs
(IO)    ALLOW  Full access  CREATEUR PROPRIETAIRE

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read           BUILTIN\Utilisateurs
Read           BUILTIN\Utilisateurs avec pouvoir
Full access    BUILTIN\Administrateurs
Full access    AUTORITE NT\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group TRINOM\Aucun.
User is a member of group \Tout le monde.
User is a member of group BUILTIN\Administrateurs.
User is a member of group BUILTIN\Utilisateurs.
User is a member of group \LOCAL.
User is a member of group AUTORITE NT\INTERACTIF.
User is a member of group AUTORITE NT\Utilisateurs authentifiés.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

Le service spécifié n'existe pas en tant que service installé.

[SC] GetServiceDisplayName FAILED 1060:

Le service spécifié n'existe pas en tant que service installé.


»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrateurs
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x AUTORITE NT\SYSTEM
        Allow   00000000 t--- 001F01FF ---- DSPO rw+x TRINOM\Ruddy
        Allow   0000000B -co- 10000000 ---A ---- ---- \CREATEUR PROPRIETAIRE
        Allow   00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Utilisateurs
        Allow   00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Utilisateurs
        Allow   00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Utilisateurs

    Owner: TRINOM\Ruddy

    Primary Group: TRINOM\Aucun



»»»»»»Backups created...»»»»»»
  3:48pm  up 0 days,  0:20
29/06/2004

A          C:\FINDnFIX\winBack.hiv
--a--    -   -   -               -   -      8,192 06-29-2004 winback.hiv
A          C:\FINDnFIX\keys1\winkey.reg
--a--    -   -   -               -   -        287 06-29-2004 winkey.reg

»»Performing  16bit string scan....

---------- WIN.TXT
fłAppInit_DLLsÖ?ęG
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
UDeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota5

**File C:\FINDnFIX\WIN.TXT
                                     Ų’’’vk    €        fłAppInit_DLLsÖ?ęG   °  Š’’’vk          ĄUDeviceNotSelectedTimeoutš’’’1 5     # š’’’9 0    Ų^ Š’’’vk   €'      ŒóGDIProcessHandleQuota·ųĻą’’’vk    €      Ģ”Spooleråš’’’y e s   Ųįöw   °  ą  0  `  Ø  ą’’’vk   €        RæswapdiskŠ’’’vk           kāTransmissionRetryTimeoutą’’’°  ą  0  `  Ø  Č    Š’’’vk   €'      }’USERProcessHandleQuota5ø                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    




I noticed too that this creates a folder C:\junkxxx with nothing inside.

Please, I need help, thanks.
:techsupport:


[Edit: the HijackThis lines that reappear after rebooting are these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-instructor.com/user1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-instructor.com/user1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html
]

Edited by Trinom, 29 June 2004 - 08:58 AM.


#2 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 09:15 AM

Up, need to be helped :'(

#3 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 09:44 AM

Bump !

#4 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 10:46 AM

Please help me guys :weep:

I need to kill this f***** homepage at each reboot



Please please please please !

:techsupport:

#5 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 11:54 AM

Bump bump

#6 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 12:43 PM

Bummmmmmmmmmmp............

#7 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 01:48 PM

I don't want to flood, but I really need help :(
I gave all the information and nobody replies to this post :weep:

Edited by Trinom, 29 June 2004 - 01:48 PM.


#8 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 02:52 PM

Bummmmmmmp...

:techsupport:

#9 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 03:13 PM

Blablabla....

:grrr:

#10 WinHelp2002, "Taking back the Internet" (Global Moderator, 5,365 posts)

Posted 29 June 2004 - 03:41 PM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-in...ctor.com/user1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-in...er1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-in...er1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-in...ctor.com/user1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-in...ctor.com/user1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-in...er1/search.html
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe


Then reboot and, on restart, start in Safe Mode (see "How To" below).

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer, locate and delete the following:

C:\WINDOWS\hrtcm.exe <--this file

Restart normally and then ...

Download > CWShredder v1.59.1
http://www.spywarein.../cwshredder.zip
Unzip and run it then reboot and then ...

Update HijackThis:
Download > HijackThis 1.98
Unzip; if prompted to "replace existing", select Yes, then rescan and post a fresh log.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
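The moderator's "Fix checked" list above follows three simple rules when reading the log: R0/R1 start and search page values that point at the hijack domain, an O3 toolbar registration with no file behind it, and an O4 Run entry that launches an executable sitting directly in C:\WINDOWS instead of a program folder. As an added example (not code from this thread, from HijackThis or from the moderator), here is a small Python checker that applies those three rules to HijackThis-style lines. The sample entries are copied from the log posted in this thread (full URLs from the poster's edit); the domain list, the rule heuristics and the helper names are my own assumptions, and the Windows-root rule is a heuristic that can flag legitimate entries, so it points at lines to review rather than deciding for you.

```python
import re
from urllib.parse import urlparse

# Sample HijackThis entries copied from the log in this thread, with a few
# benign lines kept in so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-instructor.com/user1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-instructor.com/user1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-instructor.com/user1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-instructor.com/user1/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.google.fr/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKCU\..\Run: [RamBoostXp] C:\Program Files\RamBoost XP\rambxpfr.exe
"""

# Every HijackThis entry starts with its section code (R0, R1, O3, O4, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# O4 body looks like: HKLM\..\Run: [name] <command>. This matches a command whose
# executable lives directly in the Windows directory (C:\WINDOWS\hrtcm.exe), not in
# System32 or a program folder. Heuristic, assumed for this example.
WINROOT_EXE_RE = re.compile(r'\]\s+"?(?P<cmd>[a-z]:\\windows\\[^\\"\s]+\.exe)"?', re.IGNORECASE)


def parse_entries(log_text):
    """Yield (kind, body, line) for each HijackThis entry; other lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def url_host(body):
    """Hostname of the value in a 'key = value' entry, or None when the value is not a URL."""
    _, sep, value = body.partition(" = ")
    if not sep:
        return None
    host = urlparse(value.strip()).hostname
    return host.lower() if host else None


def host_matches(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def flag_entries(log_text, hijack_domains):
    """Return (line, reason) pairs for entries a responder would mark for 'Fix checked'."""
    domains = [d.lower() for d in hijack_domains]
    flagged = []
    for kind, body, line in parse_entries(log_text):
        if kind in ("R0", "R1"):
            host = url_host(body)
            if host and any(host_matches(host, d) for d in domains):
                flagged.append((line, "IE start/search page points at hijack domain"))
        elif kind == "O3" and body.endswith("(no file)"):
            flagged.append((line, "toolbar registration whose DLL is missing"))
        elif kind == "O4" and WINROOT_EXE_RE.search(body):
            flagged.append((line, "Run entry launches an .exe from the Windows root"))
    return flagged


def flagged_lines(log_text, hijack_domains):
    """Just the log lines, in log order, for the entries flagged by flag_entries()."""
    return [line for line, _ in flag_entries(log_text, hijack_domains)]


if __name__ == "__main__":
    for line, reason in flag_entries(SAMPLE_LOG, ["search-instructor.com"]):
        print(f"{reason:50s} {line}")
```

Run against the sample it flags the same eight lines the moderator listed: six R0/R1 entries, the `(no file)` toolbar and the `hrtcm` Run entry. Passing a different domain leaves only the two non-URL rules firing, which is the useful property: the domain rule is exact, the other two are hints that still need a human look (a legitimate installer occasionally drops an .exe in the Windows root).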

#11 Trinom (Full Member, 11 posts)

Posted 29 June 2004 - 05:20 PM

Oh great, thanks for the reply man! :) :wave:

I just did it, I hope it will work!

I didn't think it was because of hrtcm... ^^

I think it's ok, but I will see, thanks again! ;)

#12 WinHelp2002, "Taking back the Internet" (Global Moderator, 5,365 posts)

Posted 29 June 2004 - 05:32 PM

Hi,
You're welcome ... glad to see you were able to resolve your problem. :wave:
Mike
