Jump to content


Photo

Homepage help


  • Please log in to reply
3 replies to this topic

#1 icarus0

icarus0

    Member

  • New Member
  • Pip
  • 4 posts

Posted 28 May 2004 - 05:37 PM

Hi.

Any help on the following would be much appreciated.

My IE6 homepage is defaulting to some search page ('about:blank' comes up in the address bar) and any attempt to restore it to my normal homepage is unsuccessful. Occassionally, while connected to the 'net, a window will appear informing me that my computer is affected with spyware and adware with a link back to this surf engine.

Ad-aware detects 3 objects but no matter how many times they are deleted, always seem to return.

My hijackthis log file is:

ogfile of HijackThis v1.97.7
Scan saved at 23:29:33, on 28/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Downloads\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pioh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pioh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pioh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\pioh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\pioh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\pioh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho12a.dll (file missing)
O2 - BHO: (no name) - {AD7A6DDE-45DF-4978-9378-AD2177AF0A15} - C:\WINDOWS\System32\pioh.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\80000010"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Download Mage.lnk = C:\Program Files\DLMage\DnloadMage.exe
O4 - Global Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\Realdownload.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\PROGRA~1\GO!ZILLA\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7893.5588657407
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{655726DA-5DD9-4A42-BE93-67CBD863A11E}: NameServer = 195.40.1.36 193.131.248.36

Thanks for any help anybody can offer.

#2 icarus0

icarus0

    Member

  • New Member
  • Pip
  • 4 posts

Posted 29 May 2004 - 07:56 AM

Hi

After reading some posts where other people have had a similar problem, I downloaded and ran Find-All. This is the log:

--==***@@@ 'FIND-ALL' VERSION 8.5 -5/29 @@@***==--


Sat May 29 13:51:58 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (2264:1BE6) - FS:FAT clusters:32k
Total: 40 006 156 288 [37G] - Free: 19 289 866 240 [18G]


»»IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2600.0 shp 91,136 08-23-2001 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4477 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4477 shp 520,192 08-23-2001 wmplayer.exe
6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1120 shp 4,639 08-23-2001 mplayer2.exe

»»M$Java version:
5.0.3805.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3805.0 shp 945,936 02-18-2002 msjava.dll

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe


»»PC uptime:
1:51pm up 0 days, 0:22

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
528 SMSS.EXE
584 CSRSS.EXE Title:
612 WINLOGON.EXE Title: NetDDE Agent
656 SERVICES.EXE Svcs: Eventlog,PlugPlay
668 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
828 SVCHOST.EXE Svcs: RpcSs
852 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasM
n,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermSer
ice,Themes,T
980 SVCHOST.EXE Svcs: Dnscache
1032 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1120 SPOOLSV.EXE Svcs: Spooler
1212 ALG.EXE Svcs: ALG
1240 AVGSERV.EXE Svcs: AvgServ
1256 BTWDINS.EXE Svcs: btwdins
1324 NVSVC32.EXE Svcs: NVSvc
1380 SVCHOST.EXE Svcs: stisvc
1956 EXPLORER.EXE Title: Program Manager
144 SOUNDMAN.EXE Title: Avance Sound Effect Control Panel
188 Amoumain.exe Title:
196 Directcd.exe Title: DirectCD
236 ICONFIG.EXE Title: SfxIconfigWindow
248 AVGCC32.EXE Title:
252 MSMSGS.EXE Title: MSNMSGRPassportLogin
356 BTTray.exe Title: BTTrayMainWindow
424 DnloadMage.exe Title: Download Mage
2068 IEXPLORE.EXE Title: SWI Forums -> Replying in Homepage help - Microsoft Internet Explorer
2672 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
2708 ntvdm.exe
2780 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96DA5BEE-4ACC-476C-B3EC-54C6730C4293}]
@="CSBrBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AD7A6DDE-45DF-4978-9378-AD2177AF0A15}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{A3A237D2-E0F2-4E1C-939B-410A324263AD}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{A3A237D2-E0F2-4E1C-939B-410A324263AD}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Group/user settings:


User: [GARETH\Andrew Howlett], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group GARETH\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.


»»Contents of file(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Sat May 29 13:52:08 2004 -- ++Find-All backups created:
A C:\DOWNLO~1\DOWNLO~1\Find-All\winBackup.hiv
A C:\DOWNLO~1\DOWNLO~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



What next?

Can anybody offer some advice?

Thanks,
Andy

#3 icarus0

icarus0

    Member

  • New Member
  • Pip
  • 4 posts

Posted 30 May 2004 - 12:15 PM

Bump

Anybody able to offer any advice on this?

Thanks,
Andy

#4 icarus0

icarus0

    Member

  • New Member
  • Pip
  • 4 posts

Posted 01 June 2004 - 01:42 PM

*bump*

Anyone?

Thanks,
Andy




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button