Jump to content


Photo

been hijacked


  • Please log in to reply
9 replies to this topic

#1 Guest1987

Guest1987

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 04:27 AM

my browser was hijacked by MySearch...
i scanned with Spybot (which found nothing) and with AdAware (which found 151 items, quarantained) and with CWShredder (found 1 item, restored)...
i don't understand how my computer got infected in first place, since i have SpywareBlaster running... :huh:
now here's my HJT log... anything i should delete? :techsupport:

Logfile of HijackThis v1.97.7
Scan saved at 10:22:04, on 1-6-04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\CCPXYSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PROC MEMO BONE\SETUPSLOW.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SEMAGIC\LIVEJOURNAL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ReConnect] C:\WINDOWS\SYSTEM\ReConnect.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CompJunk] C:\PROGRA~1\proc memo bone\SetupSlow.exe
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Personal Firewall\NISUM.EXE
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Macromedia Shockwave Director Control) - http://download.macr.../swdir8d204.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

thanks!

Edited by Guest1987, 01 June 2004 - 11:03 AM.


#2 Guest1987

Guest1987

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 05:47 AM

*kick*

#3 Guest1987

Guest1987

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 06:09 AM

BTW, just thought i'd mention it, my AdAware and SpyBot logs were clean yesterday. when the computer was turned on this morning, the Homepage was changed to MySearch...

#4 Guest1987

Guest1987

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 06:33 AM

help please!!!! :alarm: :ph34r:

#5 nellie2

nellie2

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 651 posts

Posted 01 June 2004 - 06:43 AM

Hi, could you tell me what these two programs are? Are they something you have installed?

O4 - HKLM\..\Run: [ReConnect] C:\WINDOWS\SYSTEM\ReConnect.exe

O4 - HKLM\..\Run: [CompJunk] C:\PROGRA~1\proc memo bone\SetupSlow.exe


You are running hijackthis from your desktop, this is not a good idea because when we do a fix hijackthis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. When you have done that, delete the copy of hijackthis that you have on your desktop.

Then run hijackthis again, make sure all browsers and windows are closed except for hijackthis, put a check against the following and click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

O13 - WWW. Prefix: http://

Then reboot and post a fresh hijack log and let me know if things are any better.

#6 Guest1987

Guest1987

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 10:15 AM

well, i removed those entries from my HJT log, and even ran SpyBot and AdAware to remove any leftovers, but it keeps returning... my homepage is once more mywebsearch.com..... :hmmm:
anyway, here's my ne log:

Logfile of HijackThis v1.97.7
Scan saved at 17:12:25, on 1-6-04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\CCPXYSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PROC MEMO BONE\SETUPSLOW.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ReConnect] C:\WINDOWS\SYSTEM\ReConnect.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CompJunk] C:\PROGRA~1\proc memo bone\SetupSlow.exe
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Personal Firewall\NISUM.EXE
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Macromedia Shockwave Director Control) - http://download.macr.../swdir8d204.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8139.3209953704

please get back to me ASAP :wtf:

#7 Guest1987

Guest1987

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 10:16 AM

oh, BTW, about those two programs: i have no idea...

#8 Guest1987

Guest1987

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 10:59 AM

*bump*

#9 Guest1987

Guest1987

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 11:07 AM

*bump*

#10 nellie2

nellie2

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 651 posts

Posted 01 June 2004 - 11:49 AM

Hi Guest1987

It's ok you don't need to keep bumping up your thread as I get an email notification when you have replied! I will get back to you when I can. :)

Do you have a start page guard in operation on your PC? If so can you disable it for now.

Can zip and email these two to me at this email address

O4 - HKLM\..\Run: [ReConnect] C:\WINDOWS\SYSTEM\ReConnect.exe

O4 - HKLM\..\Run: [CompJunk] C:\PROGRA~1\proc memo bone\SetupSlow.exe


then rename them for now so ReConnect.exe becomes ReConnect.old and SetupSlow.exe becomes SetupSlow.old.

Then fix this one again using hijackthis, reboot and post a fresh log

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button