Someone please help! I don't know what else to do!


18 replies to this topic

#1 ucscgaldamez

Posted 17 May 2004 - 11:26 PM

First of all, I wanted to say that I used (still perhaps) to have Spybot and HijackThis to take care of my internet browser, and several times it got messed up and they worked perfectly, but now there's a bigger mess... It started four days ago, when my girlfriend installed something (I don't even know what she did) when searching the net, which ended up in my homepage being hijacked, and I have not been able to take it back...

so, what's wrong?

First of all, every single time I open the IE browser it directs me to this website: http://digdpj.outhost.info/ ... To delete it, I have tried the basics: 1) changing the homepage address in the Internet Options, but that doesn't work, it comes back. 2) I have tried to find both Spybot and HijackThis on my computer, but somehow they have disappeared from my computer, and they are nowhere to be found, and what's more weird, when I tried to go to the websites to download them again, it won't do it. For instance, when I tried to download HijackThis from the website, it would start the download, and when I would save it to a folder, it would not finish the download; an error always comes up, saying "Cannot copy file: cannot read from the source file or disk" repeatedly, and this only happens with both Spybot and HijackThis. I tried downloading it from Kazaa Lite; it would download it, but when I would look for the file, it's gone! (Every other kind of download works.) It is nowhere to be found. So, in conclusion, I cannot download HijackThis or Spybot, both programs that I had before this browser takeover.

Since I don't have HijackThis, I cannot post my log, and I can't do anything. I don't know what to do anymore... Your help will be greatly appreciated.

#2 ucscgaldamez

Posted 18 May 2004 - 01:20 AM

bump

#3 neinta

Posted 18 May 2004 - 03:11 AM

I don't know where your programs went, but I do know a fix (may not be THE fix) for a hijacked homepage.

Open regedit --> HKEY_CURRENT_USER --> Software --> Microsoft --> Internet Explorer --> Main --> then scroll down to start page in the main window --> double click it and then change the entry to your homepage (i.e. http://www.yahoo.com).

Try downloading Ad-aware. It'd be a good start.

#4 ucscgaldamez

Posted 18 May 2004 - 12:37 PM

I have Ad-aware and it tells me the following:

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://vjftez.outhost.info/"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://vjftez.outhost.info/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://vjftez.outhost.info/"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "http://vjftez.outhost.info/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistant.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://vjftez.outhos...st.info/sp.php"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://vjftez.outhos...st.info/sp.php"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearch.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://vjftez.outhos...st.info/sp.php"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://vjftez.outhos...st.info/sp.php"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://vjftez.outhost.info/"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://vjftez.outhost.info/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://vjftez.outhost.info/"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "http://vjftez.outhost.info/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearch.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://vjftez.outhos...st.info/sp.php"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://vjftez.outhos...st.info/sp.php"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Page.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://dofzvu.outhost.info/"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://dofzvu.outhost.info/"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainDefault_Page_URL.outhost.info

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://dofzvu.outhost.info/"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "http://dofzvu.outhost.info/"


But it does not remove anything... I also tried your suggestion of the registry, but as soon as I change it, the hijack homepage comes back to the attack. How can I stop it from closing certain websites, such as HijackThis, or from hiding my programs? I'm going crazy, I don't know what to do with this shit anymore. Nothing works, is there really a solution to this or not?

please help me.

thanks

#5 ucscgaldamez

Posted 18 May 2004 - 12:47 PM

Running Processes.


Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-18-2004 8:50:04 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-18-2004 8:50:06 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-18-2004 8:50:06 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 8/29/2002 10:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-18-2004 8:50:06 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 8/29/2002 10:00:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-18-2004 8:50:06 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 8/29/2002 10:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-18-2004 8:50:06 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 8/29/2002 10:00:00 AM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-18-2004 8:50:08 AM
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 5/12/2003 5:12:10 AM
Last accessed : 5/18/2004 6:43:03 PM
Last modified : 5/12/2003 5:12:10 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-18-2004 8:50:08 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 8/29/2002 10:00:00 AM

#:9 [bcmsmmsg.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-18-2004 8:50:09 AM
BasePriority : Normal
FileSize : 120 KB
FileVersion : 3.5.25 08/27/2003 20:04:35
ProductVersion : 3.5.25 08/27/2003 20:04:35
Copyright : Copyright
CompanyName : Broadcom Corporation
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
OriginalFilename : smdmstat.exe
ProductName : BCM Modem Messaging Applet
Created on : 8/29/2003 12:59:24 PM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 8/29/2003 12:59:24 PM

#:10 [dsentry.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-18-2004 8:50:09 AM
BasePriority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 2, 0
ProductVersion : 1, 0, 2, 0
Copyright : Copyright
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
OriginalFilename : DSentry.exe
ProductName : Dell - DVDSentry
Created on : 8/14/2002 11:22:52 PM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 8/14/2002 11:22:52 PM

#:11 [mcvsshld.exe]
FilePath : C:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-18-2004 8:50:10 AM
BasePriority : Normal
FileSize : 156 KB
FileVersion : 4, 4, 0, 35
ProductVersion : 4, 4, 0, 20
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee ActiveShield
InternalName : msvcshld
OriginalFilename : mcvsshld.exe
ProductName : McAfee VirusScan Online
Created on : 10/2/2003 2:25:50 AM
Last accessed : 5/18/2004 6:04:56 PM
Last modified : 3/21/2003 7:52:12 PM

#:12 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 5-18-2004 8:50:10 AM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 8.00.0101
ProductVersion : 8.00.0101
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 9/24/2003 11:24:03 PM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 6/27/2003 12:04:18 AM

#:13 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 5-18-2004 8:50:10 AM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 9/24/2003 11:26:00 PM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 9/24/2003 11:26:00 PM

#:14 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 5-18-2004 8:50:10 AM
BasePriority : Normal
FileSize : 96 KB
FileVersion : 6.5
ProductVersion : QuickTime 6.5
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 10/3/2003 6:07:38 AM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 1/22/2004 12:38:37 AM

#:15 [viewmgr.exe]
FilePath : C:\Program Files\Viewpoint\Viewpoint Manager\
ThreadCreationTime : 5-18-2004 8:50:10 AM
BasePriority : Normal
FileSize : 100 KB
FileVersion : 1, 0, 0, 43
ProductVersion : 1, 0, 0, 43
Copyright : Copyright
CompanyName : Viewpoint Corporation
FileDescription : ViewMgr
InternalName : Viewpoint Manager
OriginalFilename : ViewMgr.exe
ProductName : Viewpoint Manager
Created on : 5/10/2004 9:34:12 AM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 4/19/2004 4:06:56 PM

#:16 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 5-18-2004 8:50:10 AM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2, 0, 0, 34
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 6/24/2003 3:46:30 PM
Last accessed : 5/18/2004 6:33:29 PM
Last modified : 10/8/2003 12:21:10 AM

#:17 [mpftray.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 5-18-2004 8:50:10 AM
BasePriority : Normal
FileSize : 1348 KB
FileVersion : 5.0.1.5
ProductVersion : 5.0.1.5
Copyright : Copyright
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Tray Monitor
InternalName : MpfTray
OriginalFilename : MPFTRAY.EXE
ProductName : McAfee Personal Firewall (MPF)
Created on : 10/2/2003 2:30:33 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 9/2/2003 9:00:00 PM

#:18 [mmtask.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 5-18-2004 8:50:11 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: © <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 10/2/2003 8:58:55 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 6/27/2003 12:04:20 AM

#:19 [create~1.exe]
FilePath : C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\
ThreadCreationTime : 5-18-2004 8:50:12 AM
BasePriority : Normal
FileSize : 128 KB
FileVersion : 5.3.5.10
ProductVersion : 5.3.5.10
Copyright : Copyright © 1999-2003 Roxio, Inc.
CompanyName : Roxio
FileDescription : Roxio Create CD
InternalName : createcd.exe
OriginalFilename : createcd.exe
ProductName : Easy CD Creator

#:20 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-18-2004 8:50:43 AM
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 8/29/2002 10:00:00 AM

#:21 [gearsec.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-18-2004 8:50:43 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
Copyright : Copyright
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
OriginalFilename : gearsec.exe
ProductName : gearsec
Created on : 11/3/2003 8:47:08 PM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 11/3/2003 8:47:08 PM

#:22 [mpfservice.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 5-18-2004 8:50:43 AM
BasePriority : Normal
FileSize : 492 KB
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
Copyright : Copyright
CompanyName : McAfee Corporation
FileDescription : McAfee Personal Firewall Service
InternalName : MPFService
OriginalFilename : MpfService.exe
ProductName : McAfee Personal Firewall
Created on : 10/2/2003 2:30:33 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 9/2/2003 9:00:00 PM

#:23 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-18-2004 8:50:43 AM
BasePriority : Normal
FileSize : 68 KB
FileVersion : 6.14.01.4354
ProductVersion : 6.14.01.4354
Copyright : © NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 43.54
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 43.54
Created on : 1/1/1980 5:00:00 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 4/24/2003 9:58:00 PM

#:24 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-18-2004 8:50:43 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 5/10/2004 8:39:31 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 10/8/2002 8:00:24 PM

#:25 [mcvsrte.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-18-2004 8:50:50 AM
BasePriority : Normal
FileSize : 100 KB
FileVersion : 4, 4, 0, 35
ProductVersion : 4, 4, 0, 20
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Online Realtime Engine
InternalName : mcvsrte
OriginalFilename : mcvsrte.exe
ProductName : McAfee VirusScan Online
Created on : 10/2/2003 2:25:50 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 3/21/2003 7:51:52 PM

#:26 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-18-2004 8:50:52 AM
BasePriority : High
FileSize : 220 KB
Created on : 10/2/2003 2:25:47 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 3/13/2002 3:50:34 PM

#:27 [mpfagent.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 5-18-2004 8:50:59 AM
BasePriority : Normal
FileSize : 500 KB
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
Copyright : Copyright
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Agent Interface
InternalName : MpfAgent
OriginalFilename : MPFAGENT.EXE
ProductName : McAfee Personal Firewall (MPF)
Created on : 10/2/2003 2:30:33 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 9/2/2003 9:00:00 PM

#:28 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-18-2004 8:58:01 AM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 8/29/2002 10:00:00 AM

#:29 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-18-2004 8:58:04 AM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 8/29/2002 10:00:00 AM

#:30 [mcagent.exe]
FilePath : c:\program files\mcafee.com\agent\
ThreadCreationTime : 5-18-2004 6:04:58 PM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 4, 3, 0, 10
ProductVersion : 4, 3, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
OriginalFilename : mcagent.exe
ProductName : McAfee SecurityCenter
Created on : 10/2/2003 5:21:37 PM
Last accessed : 5/18/2004 6:04:58 PM
Last modified : 8/27/2003 6:00:12 PM

#:31 [regedit.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-18-2004 6:26:46 PM
BasePriority : Normal
FileSize : 131 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : Registry Editor
InternalName : REGEDIT
OriginalFilename : REGEDIT.EXE
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:33:30 PM
Last modified : 8/29/2002 10:00:00 AM

#:32 [taskmgr.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-18-2004 6:45:45 PM
BasePriority : High
FileSize : 125 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
OriginalFilename : taskmgr.exe
ProductName : Microsoft
Created on : 8/29/2002 10:00:00 AM
Last accessed : 5/18/2004 6:45:46 PM
Last modified : 8/29/2002 10:00:00 AM

#:33 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 5-18-2004 6:46:07 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/18/2004 2:13:40 AM
Last accessed : 5/18/2004 6:46:07 PM
Last modified : 7/13/2003 5:00:20 AM

#6 WinHelp2002

Global Moderator

Posted 18 May 2004 - 04:39 PM

Hi,
Most likely you have this: Win32.HacDef
http://www3.ca.com/t...s.aspx?ID=38058

Start | Run (type) cmd (click Ok)
From The "Command Prompt" (type)

NET STOP HACKERDEFENDER100 (press Enter)

Note: (that's) NET<space>STOP<space>HACKERDEFENDER100

If successful you should see: (wait 30 sec.)

"The service is not responding to the control function."


See if "winunins.ini" exists and open in Notepad
Paste the contents of "winunins.ini".
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm

#7 ucscgaldamez

Posted 18 May 2004 - 06:51 PM

Thanks dude... Alright, here are the contents of the file winunins.ini... Now what do I do knowing this? Modify this file? I don't know... but thanks for helping.

[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINDOWS\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]

#8 WinHelp2002

Global Moderator

Posted 18 May 2004 - 07:17 PM

Hi,
1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

hxdefdrv.sys
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
(not "svchost.exe")
trj4j6js.exe
ddd.exe


Open Regedit and click Edit > Find
(enter) "HackerDefenderDrv100" (no quotes)
Click Find Now

Highlight and delete all references found.
Click "F3" to continue searching, repeat until you see the "Completed Search" message.

Next, do the same steps for each of the above files.

Note: If you cannot delete the registry keys (Access Denied) then Right-click key and click Permissions.. Set Full Control to Allow everyone rights

While still in Safe Mode: Run a full system scan with McAfee
Restart normally and post a fresh HijackThis log.

Note: if for some reason "hxdefdrv.sys" seems to be running again in Safe Mode, repeat the "net stop" command again and then delete the files.

Edited by WinHelp2002, 18 May 2004 - 07:34 PM.

Mike
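
Added example (not part of the original posts and not code from any tool named in the thread): a Python parser for the winunins.ini posted in #7 that derives the file, service and registry artifacts listed by hand in #8, and checks which file names the [Hidden Table] entries would hide. It assumes [Hidden Table] entries match names case-insensitively with `*` as a wildcard; the function names are illustrative.

```python
from fnmatch import fnmatchcase

# winunins.ini as posted in reply #7 of the thread; its empty sections are omitted.
SAMPLE_INI = r"""[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Startup Run]
C:\WINDOWS\svhost.exe -sr -0

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
"""

def parse_ini(text):
    """Return {section: [entries]}; sections hold bare lines as well as key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            current.append(line)
    return sections

def settings(sections):
    """Split the [Settings] entries into a dict (values may themselves contain '=')."""
    pairs = (line.partition("=") for line in sections.get("Settings", []))
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}

def is_hidden(name, sections):
    """True if a file or process name matches a [Hidden Table] entry (assumed semantics)."""
    lowered = name.lower()
    return any(fnmatchcase(lowered, entry.lower())
               for entry in sections.get("Hidden Table", []))

def build_checklist(sections):
    """Collect what a responder has to locate, in the order it appears in the ini."""
    cfg = settings(sections)
    table = sections.get("Hidden Table", [])
    candidates = [e for e in table if "*" not in e]   # exact names: the rootkit's own files
    candidates += sections.get("Root Processes", [])
    candidates += [cfg.get("DriverFileName"), cfg.get("BackdoorShell")]
    files, seen = [], set()
    for name in candidates:
        if name and name.lower() not in seen:          # Windows file names ignore case
            seen.add(name.lower())
            files.append(name)
    return {
        "files": files,
        "hidden_name_patterns": [e for e in table if "*" in e],
        "service": cfg.get("ServiceName"),
        "service_display_name": cfg.get("ServiceDisplayName"),
        "driver": cfg.get("DriverName"),
        "registry_search_terms": sections.get("Hidden RegKeys", []),
        "startup_commands": sections.get("Startup Run", []),
    }

if __name__ == "__main__":
    parsed = parse_ini(SAMPLE_INI)
    for label, value in build_checklist(parsed).items():
        print(f"{label}: {value}")
    for probe in ("HijackThis.exe", "hijackthis1977.zip", "svchost.exe", "ad-aware.exe"):
        print(f"{probe}: hidden={is_hidden(probe, parsed)}")
```

On this sample the derived file list is the same nine names given in #8, and the wildcard entries include the two tools the original poster reported as missing.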

#9 ucscgaldamez

Posted 18 May 2004 - 10:33 PM

Hey, thanks for the help!

But... though there were some good things that worked out, some others didn't quite work.

I was able to erase most of the files you told me, except I could not find hxdefdiv.sys so I couldn't erase it. I tried NET STOP but that didn't work, and I also could not find motkrtin.ll, trj4j6j.exe and ddd.exe on my computer, even when I had chosen to display hidden files. Now, on the good side, I was able to find and run both Spybot and HijackThis and I could access both now on my computer, along with visiting some websites that I was able to before. I want to show you two log files, one prior to me erasing some of the files and the second after returning to normal mode with the computer making some changes (e.g. my homepage is back to normal). Thanks for helping.



HijackThis log BEFORE going to SAFE MODE and deleting some files.

Logfile of HijackThis v1.97.7
Scan saved at 5:11:24 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Mario Galdamez\Local Settings\Temp\Temporary Directory 22 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vjftez.outhost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vjftez.outhost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vjftez.outhost.info/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vjftez.outhost.info/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://vjftez.outhost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vjftez.outhost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vjftez.outhost.info/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Mario Galdamez\Application Data\Mozilla\Profiles\default\de1v48d5.slt\prefs.js)
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P32 "EPSON Stylus C62 Series (Copy 1)" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {C1145550-A454-11D4-9020-00D0B7239081} (AOL Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\system32\mzdlzv.856


HIJACKTHIS LOG AFTER THE CHANGES

Logfile of HijackThis v1.97.7
Scan saved at 8:24:05 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\msiexec.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mario Galdamez\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Mario Galdamez\Application Data\Mozilla\Profiles\default\de1v48d5.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P32 "EPSON Stylus C62 Series (Copy 1)" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {C1145550-A454-11D4-9020-00D0B7239081} (AOL Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#10 ucscgaldamez

ucscgaldamez

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 18 May 2004 - 11:32 PM

bump.

Edited by ucscgaldamez, 19 May 2004 - 12:50 AM.


#11 ucscgaldamez

ucscgaldamez

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 19 May 2004 - 01:56 AM

please help

#12 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 19 May 2004 - 03:11 AM

Hi,

I also could not find motkrtin.ll, trj4j6j.exe and ddd.exe on my computer

Ok, I was just covering all the bases as those files were mentioned in the "winunins.ini" file.

Close all open windows except for HijackThis, place a check in each
of the following, then click "Fix checked".

O1 - Hosts: [all these entries]
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1


Reboot, flush "System Restore" (see below), update and reconfigure McAfee.

Disabling System Restore
http://vil.nai.com/v...eSysRestore.htm

How To: Scan for unwanted programs
http://vil.nai.com/v...valInstructions

On restart create a new "Restore Point"

Next go to Windows Update and install all the "Critical Updates".
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm
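
The two kinds of entry the fix above targets, O1 hosts-file redirects and the `svhost.exe` Run entry that imitates `svchost.exe`, can be flagged mechanically when reading a HijackThis log. The following is an added example, not part of the original thread: the sample log lines are constructed (only the `svhost.exe` entry is taken from the thread), and the function names and the short list of system binaries are assumptions made for illustration.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis O1/O4 format. Only the svhost.exe entry
# comes from the thread; 203.0.113.10 is a documentation-range address.
SAMPLE_LOG = r"""
O1 - Hosts: 203.0.113.10 search.example.test
O1 - Hosts: 127.0.0.1 ads.example.test
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\Temp\svchost.exe
"""

# Expected home directory of a few Windows XP system binaries (illustrative list).
SYSTEM_BINARIES = {name: r"c:\windows\system32" for name in
                   ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "spoolsv.exe")}
SYSTEM_BINARIES["explorer.exe"] = r"c:\windows"

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RUN_RE = re.compile(r'^O4 - \S+\\Run\S*: \[(.*?)\] "?(.+?\.exe)\b', re.I)

def one_edit_apart(a, b):
    """True when a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    if len(short) == len(long_):
        return short[i + 1:] == long_[i + 1:]
    return short[i:] == long_[i + 1:]

def triage(log_text):
    """Return (line, reason) pairs for suspicious O1 and O4 entries."""
    findings = []
    for line in log_text.splitlines():
        if m := HOSTS_RE.match(line):
            try:
                addr = ipaddress.ip_address(m.group(1))
                benign = addr.is_loopback or addr.is_unspecified
            except ValueError:
                benign = False
            if not benign:
                findings.append((line, f"hosts entry redirects {m.group(2)} to {m.group(1)}"))
        elif m := RUN_RE.match(line):
            path = PureWindowsPath(m.group(2).lower())
            if path.name in SYSTEM_BINARIES:
                if str(path.parent) not in ("", ".", SYSTEM_BINARIES[path.name]):
                    findings.append((line, f"{path.name} runs from {path.parent}"))
            elif any(one_edit_apart(path.name, real) for real in SYSTEM_BINARIES):
                findings.append((line, f"{path.name} imitates a system binary name"))
    return findings
```

Hosts entries that point at loopback or 0.0.0.0 are treated as blocking entries and left alone; anything else is reported for review rather than removed automatically.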

#13 duke9106

duke9106

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 19 May 2004 - 06:19 AM

WinHelp2002: I tried your fix. My computer is now perfect.

I found motkrtin.ll, trj4j6j.exe and ddd.exe in my registry search along with all else. I deleted about 20 items in the registry pertaining to the above.

Many thanks to you guys. You have a great fix put in place.

#14 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 19 May 2004 - 06:40 AM

duke9106,
You're welcome ... glad you have your problem resolved ...
Mike

#15 rickiedee

rickiedee

    Member

  • Full Member
  • Pip
  • 51 posts

Posted 26 May 2004 - 12:38 AM

Hi,
1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

hxdefdrv.sys
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
(not "svchost.exe")
trj4j6js.exe
ddd.exe


Open Regedit and click Edit > Find
(enter) "HackerDefenderDrv100" (no quotes)
Click Find Now

Highlight and delete all references found.
Click "F3" to continue searching, repeat until you see the "Completed Search" message.

Next, do the same steps for each of the above files.

Note: If you cannot delete the registry keys (Access Denied) then Right-click key and click Permissions.. Set Full Control to Allow everyone rights

While still in Safe Mode: Run a full system scan with McAfee
Restart normally and post a fresh HijackThis log.

Note: if for some reason "hxdefdrv.sys" seems to be running again in Safe Mode, repeat the "net stop" command again and then delete the files.

hi

i followed all of these steps and it seems as if the trojan is gone!! but, the browser hijacker is still there, it still directs certain web pages to the outhost.info site, well it tries to but it goes to "cannot find page"...please help me fix this thanx.

#16 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 26 May 2004 - 04:55 AM

rickiedee,
Did you start your own "Topic", then post your HijackThis log?
See the "FAQ" above for more info ...
Mike

#17 rickiedee

rickiedee

    Member

  • Full Member
  • Pip
  • 51 posts

Posted 26 May 2004 - 09:33 AM

yup i just did, sorri...

#18 phapster

phapster

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 05 July 2004 - 12:00 PM

Thank you WinHelp2002!

After five days of battling this monster of a nasty bug, your instructions have helped me defeat it!

Seriously...thank you.

#19 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 05 July 2004 - 02:19 PM

phapster,
You're welcome ... glad to see you were able to resolve your problem. :wave:
Mike



