metalrickie

F*ckin' Hijacker

4 posts in this topic

I got a browser hijacker a couple of days ago and need some help to remove it... I've downloaded several spyware programs and re-installed IE but it didn't help.. So if someone could help me, plz help me.....

 

Here's my log file from Hijackthis:

 

Logfile of HijackThis v1.98.0

Scan saved at 19:40:43, on 2004-07-13

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

D:\RICHARDS MAPP\PROGRAM\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE

C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\PROGRAM\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

D:\MINA DOKUMENT\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dka.directwebsearch.net/search.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blocket.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dka.directwebsearch.net/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dka.directwebsearch.net/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directwebsearch.net/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dka.directwebsearch.net/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directwebsearch.net/search.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.blocket.se

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.blocket.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F1 - win.ini: run=hpfsched

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\RICHAR~2\PROGRAM\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM\MYWAY\MYBAR\1.BIN\MYBAR.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [VsecomrEXE] C:\Program\Network Associates\McAfee VirusScan\VSEcomR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [VsStatEXE] C:\Program\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING

O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe

O4 - HKLM\..\RunServices: [HC Reminder] hc.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunOnce: [test]

O4 - HKCU\..\Run: [spybotSD TeaTimer] d:\Richards mapp\Program\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\RunOnce: [test]

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O12 - Plugin for .spop: C:\PROGRAM\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

 

 

 

I hope you can help me with this.... I would be really grateful if you could.....

 

Thank you.....


Hi there,

 

I need you to do this first;

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

 

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directwebsearch.net/search.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dka.directwebsearch.net/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dka.directwebsearch.net/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dka.directwebsearch.net/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directwebsearch.net/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dka.directwebsearch.net/search.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directwebsearch.net/search.php

O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

 

 

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM\MYWAY\MYBAR\1.BIN\MYBAR.DLL

<<<< You are running MyWebSearch (or MyBar). This is not technically malware, but it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the Google toolbar. I recommend that you remove it. Here are the components to fix with HJT and you will need to remove the main program as well:

 

 

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe

O4 - HKLM\..\RunOnce: [test]

O4 - HKLM\..\RunOnce: [test]

 

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

 

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

 

 

Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below if they still show:

 

Not all or any of these may still show,

 

 

C:\PROGRAM\MYWAY\MYBAR\1.BIN\MYBAR.DLL<<<<Folder

C:\WINDOWS\SYSTEM\winupd.exe<<<<File

 

Reboot, then post a fresh logfile so that I can check to see if it is clean.


It seemed to work :) Thank you for helping me out...

 

Here's my log file:

 

Logfile of HijackThis v1.98.0

Scan saved at 22:53:21, on 2004-07-16

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

D:\RICHARDS MAPP\PROGRAM\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE

C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE

C:\PROGRAM\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\PROFILES\RICKIE\SKRIVBORDET\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blocket.se/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.blocket.se

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.blocket.se

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F1 - win.ini: run=hpfsched

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\RICHAR~2\PROGRAM\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [VsecomrEXE] C:\Program\Network Associates\McAfee VirusScan\VSEcomR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [VsStatEXE] C:\Program\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING

O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [OmgStartup] C:\Program\Vanliga filer\Sony Shared\OpenMG\OmgStartup.exe

O4 - HKLM\..\RunServices: [HC Reminder] hc.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] d:\Richards mapp\Program\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O12 - Plugin for .spop: C:\PROGRAM\INTERN~1\Plugins\NPDocBox.dll

 

 

 

And thanks again for helping me :D


Your log is clean now, to help keep it that way do this:

 

To provide future protection - I would advise you to download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies. Download from Here

 

IE-SPYAD puts over 5000 sites in your restricted zone, if you use IE, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Download Here

 

Both are very small free programs that you run once, and then just weekly to check for updates.

 

And also see "So how did I get infected in the first place?"

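The before/after comparison done by eye in this thread (fix list against the follow-up log) can be scripted. This is an added example, not part of the original posts: the function names are hypothetical, and the three sample strings are short excerpts of entries posted above, not the full logs.

```python
import re

# HijackThis entry lines are "<section code> - <detail>", e.g. "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Excerpts copied from the three posts above (not the full logs).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blocket.se/
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dka.directwebsearch.net/search.php
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blocket.se/
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program\Vanliga filer\Sony Shared\OpenMG\OmgStartup.exe
"""

def parse_entries(log_text):
    """Return (section, detail) tuples per entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def compare(before, after, fix_list):
    """Classify entries across two scans relative to the helper's fix list."""
    b, a, f = (parse_entries(t) for t in (before, after, fix_list))
    return {
        "fixed": [e for e in f if e in b and e not in a],   # flagged and now gone
        "survived": [e for e in f if e in a],               # flagged but still present
        "new": [e for e in a if e not in b],                # appeared after the first scan
        "removed_unflagged": [e for e in b if e not in a and e not in f],
    }

if __name__ == "__main__":
    for label, items in compare(BEFORE, AFTER, FIX_LIST).items():
        print(label, len(items))
        for section, detail in items:
            print("   ", section, "-", detail)
```

An entry under "new" is not necessarily bad; it only marks an autorun or setting that was absent from the first scan and so was never reviewed.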