Jump to content


Photo

hi-jack home page


  • Please log in to reply
4 replies to this topic

#1 mikej

mikej

    Member

  • New Member
  • Pip
  • 3 posts

Posted 09 July 2004 - 11:40 PM

I have read the FAQ and followed the directions. I have run updated Adaware, ot, Spysweeper and Hijackthis. Nothing has yet fixed the problem.

I am running Windows XP.

At various times my home page gets hijacked to "about: blank". At the same time the search pages are changed as well.

I am intercepting these changes with Spysweeper but it is a constant battle.

In addition the Hijack program tries to deposit favorites on the Favorite page with titles such as easysearch, casino, viagra, spyware. I also get a pop up menu that tries to direct me to Spyware.

I get a windows file protection message saying I am infected with subsearch, money tree, aornum, win 32/aspam. trojan

Logfile of HijackThis v1.97.7
Scan saved at 9:24:57 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Webshots\WebshotsTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\taskmgn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: (no name) - {E9B3800B-EF82-49F7-94E8-D5399053306C} - C:\WINDOWS\System32\mfplay.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7922.4655671296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 LOW MOLE

LOW MOLE

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 10 July 2004 - 12:11 AM

1. Open Task Manager and kill the following processes: (not all of them may be running)
a. msmk.dll
mess.exe
taskngr.exe or taskmgn.exe (not taskmgr.exe which is normal)
telnetxp.exe
reinstall.exe
2. Next go to Start -> Run and open a command prompt.
a. At the command prompt type in: regsvr32 msmk.dll /u
3. Now you’ll need to browse to C:\windows\system32 and delete the following files
a. mess.exe
taskngr.exe or taskmgn.exe (not taskmgr.exe which is normal)
telnetxp.exe
reinstall.exe
b. You won’t be able to delete the msmk.dll file yet.
4. Now browse to C:\Windows\Prefetch and delete any files that start with the same names as above.
a. Ex: telnetxp.exe-00000000.pf
5. Now you’ll need to reboot
6. After the reboot browse to C:\windows\system32 and delete the msmk.dll file.
7.Now open internet explorer and then Tools -> Internet options
a. Go to the “Programs” tab and click the “Reset web settings…” button.
b. This will clear out all the setting the msmk.dll file overwrote.

#3 mikej

mikej

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 July 2004 - 12:46 AM

What is task manger and where is it

#4 LOW MOLE

LOW MOLE

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 10 July 2004 - 10:03 AM

Depress the "Ctrl," "Alt," and "Delete" keys at the same time to bring up your task manager.

Then click on the "Processes" tab.

This will pull up a list of all the processes currently running on your system.

Click on any or all of the following processes which may be running:
a. msmk.dll
mess.exe
taskngr.exe or taskmgn.exe (not taskmgr.exe which is normal)
telnetxp.exe
reinstall.exe

(Remember, you may not find ALL of those processes running so don't worry if you only find one of them. You probably won't find all 6 running.)

Edited by LOW MOLE, 10 July 2004 - 10:07 AM.


#5 mikej

mikej

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 July 2004 - 10:53 AM

gpt into task manager ok and then into run

regsvr32msmk.dll/u module could not be found I think I need alot of help would wiping hard drive be an option and how do i do this




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button