
F*ckin' Hijacker



#1 metalrickie

Posted 13 July 2004 - 01:11 PM

I got a browser hijacker a couple of days ago and need some help to remove it... I've downloaded several spyware programs and re-installed IE but it didn't help.. So if someone could help me, plz help me.....

Here's my log file from Hijackthis:

Logfile of HijackThis v1.98.0
Scan saved at 19:40:43, on 2004-07-13
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
D:\RICHARDS MAPP\PROGRAM\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
D:\MINA DOKUMENT\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dka.directweb....net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blocket.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dka.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dka.directweb...h.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dka.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directweb....net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.blocket.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.blocket.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\RICHAR~2\PROGRAM\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [test] 
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Richards mapp\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [test] 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRAM\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -



I hope you can help me with this.... I would be really grateful if you could.....

Thank you.....

#2 12g

Posted 13 July 2004 - 08:00 PM

Hi there,

I need you to do this first:
Make sure all browsers and windows are closed except for HijackThis, put a check against the following, and click 'Fix checked':


R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dka.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dka.directweb...h.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dka.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dka.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directweb....net/search.php
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)


O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM\MYWAY\MYBAR\1.BIN\MYBAR.DLL <<<< You are running MyWebSearch (or MyBar). This is not technically malware, but it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the Google toolbar. I recommend that you remove it. Here are the components to fix with HJT and you will need to remove the main program as well:


O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\RunOnce: [test] 
O4 - HKLM\..\RunOnce: [test] 

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show.


C:\PROGRAM\MYWAY\MYBAR\1.BIN\MYBAR.DLL<<<<Folder
C:\WINDOWS\SYSTEM\winupd.exe<<<<File

Reboot, then post a fresh logfile so that I can check to see if it is clean.

#3 metalrickie

Posted 17 July 2004 - 03:50 PM

It seemed to work :) Thank you for helping me out...

Here's my log file:

Logfile of HijackThis v1.98.0
Scan saved at 22:53:21, on 2004-07-16
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
D:\RICHARDS MAPP\PROGRAM\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\PROFILES\RICKIE\SKRIVBORDET\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blocket.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.blocket.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.blocket.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\RICHAR~2\PROGRAM\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmgStartup] C:\Program\Vanliga filer\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Richards mapp\Program\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRAM\INTERN~1\Plugins\NPDocBox.dll



And thanks again for helping me :D

#4 12g

Posted 17 July 2004 - 04:29 PM

Your log is clean now, to help keep it that way do this:

To provide future protection - I would advise you to download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. Download from Here

IE-SPYAD puts over 5000 sites in your restricted zone, if you use IE, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Download Here

Both are very small free programs that you run once, and then just weekly to check for updates.

And also see
So how did I get infected in the first place?
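
Added example, not part of the original thread or of HijackThis itself: a short Python script that diffs a before and after HijackThis log and checks that every entry on a fix list is gone from the follow-up scan, the comparison done by eye in this thread. The sample inputs are excerpts copied from the logs above (the `<<<<remark` suffix is a constructed stand-in for a helper's inline comment), and the function names are this example's own.

```python
import re

# Entry lines start with a HijackThis section code (R0-R3, F0-F3, N1-N4, O1...).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

def parse_entries(log_text):
    """Return the set of (code, detail) entries in a HijackThis log or fix list."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Drop a helper's trailing "<<<<" remark so fix-list lines compare equal.
            detail = m.group(2).split("<<<<", 1)[0].strip()
            entries.add((m.group(1), detail))
    return entries

def diff_logs(before, after):
    """Return (removed, added) entries between two scans, each sorted."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

def still_present(fix_list, after):
    """Entries that were marked for fixing but survive in the follow-up log."""
    return sorted(parse_entries(fix_list) & parse_entries(after))

# Excerpts copied from the two logs and the fix list in this thread.
BEFORE = r"""
Running processes:
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [OmgStartup] C:\Program\Vanliga filer\Sony Shared\OpenMG\OmgStartup.exe
"""
FIX_LIST = r"""
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM\MYWAY\MYBAR\1.BIN\MYBAR.DLL<<<<remark
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
"""

if __name__ == "__main__":
    for tag, items in zip(("removed", "added"), diff_logs(BEFORE, AFTER)):
        for code, detail in items:
            print(tag, code, detail)
    print("unfixed", still_present(FIX_LIST, AFTER))
```

Entries reported as added are worth the same review as the original scan, since a new autostart item between two logs may be a legitimate install or a reinfection.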



