Jump to content


Photo

browser hijacked


  • This topic is locked This topic is locked
5 replies to this topic

#1 karl123

karl123

    Member

  • New Member
  • Pip
  • 3 posts

Posted 13 July 2004 - 03:03 PM

I guess i have a basic browser hijack. this site has already been a huge help, but i still have this last nagging problem.

Here's the log. Thanks again!

Logfile of HijackThis v1.98.0
Scan saved at 3:29:29 PM, on 7/13/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\WINEXPLOR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [mysoft] C:\WINDOWS\SYSTEM32\WINEXPLOR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix: http://www.microsoit...direct.php?url=
O13 - WWW Prefix: http://www.microsoit...direct.php?url=
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab

#2 karl123

karl123

    Member

  • New Member
  • Pip
  • 3 posts

Posted 04 August 2004 - 04:24 PM

bump

#3 canoeingkidd

canoeingkidd

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 692 posts

Posted 05 August 2004 - 08:06 PM

Hello karl123,

Just a few things to get rid of.

Run HijackThis and place a check next to the following entries:

O4 - HKLM\..\Run: [mysoft] C:\WINDOWS\SYSTEM32\WINEXPLOR.EXE
O13 - DefaultPrefix: http://www.microsoit...direct.php?url=
O13 - WWW Prefix: http://www.microsoit...direct.php?url=
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab


Close all browsers and windows and click "Fix Checked".

Reboot into Safe mode by following the instructions on this page - http://service1.syma...src=sec_doc_nam

While in Safe mode delete the file in bold.
C:\WINDOWS\SYSTEM32\WINEXPLOR.EXE

Restart your computer.

There is a new version of HijackThis available. Download it at http://www.downloads.../hijackthis.zip and replace your existing version with it.

Post a new HijackThis log. :D

#4 karl123

karl123

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 August 2004 - 01:13 PM

Hey thanks man that seemed to do the trick. No problems so far.
I ran a new scan with the new version and got this...

Logfile of HijackThis v1.98.2
Scan saved at 12:45:51 PM, on 8/10/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [mysoft] C:\WINDOWS\SYSTEM32\WINEXPLOR.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix: http://www.microsoit...direct.php?url=
O13 - WWW Prefix: http://www.microsoit...direct.php?url=
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab

3 of the 4 are back but they aren't causing any problems so far. Sorry I was late getting back to this, but I thought I would give it a couple of days. Anyway thanks again for taking time to help me out.

#5 canoeingkidd

canoeingkidd

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 692 posts

Posted 10 August 2004 - 08:32 PM

Did you manage to reboot into Safe mode and delete the file? :huh:

Do those instructions for booting into safe mode make sense?

Edited by canoeingkidd, 11 August 2004 - 05:25 PM.


#6 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 25 October 2004 - 04:37 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button