homepage changing


6 replies to this topic

#1 grumpup

    Member

  • New Member
  • 4 posts

Posted 24 June 2004 - 10:55 AM

Basically my elderly parents' computer has gotten to the point where I can no longer fix the problems myself. I've got HijackThis downloaded and also CWShredder. I have SpyHunter and also Norton.

The problem is the home page keeps changing, letters when typing don't show up right away, and these pop-ups are still making it past my 2 different popup blockers. Please, anyone who knows what they are doing, please help.

Thanks GUMPUP

Logfile of HijackThis v1.97.7
Scan saved at 10:33:32 AM, on 6/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\POPUPBLOCKER\ENIGMAPOPUPSTOP.EXE
C:\WINDOWS\SYSTEM\IEHOST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\OUCHJBG.EXE
C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE
C:\WINDOWS\SYSTEM\ICMDMOE.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\PROGRAM FILES\GRID 01\SOFTWARE FOR KEEP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: link program eq - {361C3A39-9158-BB39-766E-4106A8DF1A3A} - C:\PROGRAM FILES\SETUP INTRA BLUE\SOFT MATH.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [ZIY] C:\WINDOWS\TEMP\ZIY.EXE
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\SYSTEM\IEHost.exe
O4 - HKLM\..\Run: [amlkrnd] C:\WINDOWS\SYSTEM\ouchjbg.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AutoLoadero2t71IMkXINJ] "C:\WINDOWS\SYSTEM\ICMDMOE.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [GREAT BAGS] C:\PROGRA~1\GRID 01\SOFTWARE FOR KEEP.exe
O4 - HKLM\..\Run: [o92h36R] ICMDMOE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [ZytnRWdmg] LFPMP70N.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?38020.679375
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49...m::/on-line.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp

#2 gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • 121 posts

Posted 24 June 2004 - 11:05 AM

Just letting you know that you haven't been ignored; I am working on your problem.

#3 grumpup

    Member

  • New Member
  • 4 posts

Posted 24 June 2004 - 11:14 AM

Thanks for the update Gravy.

GRUMPUP

#4 gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • 121 posts

Posted 24 June 2004 - 10:00 PM

Hello Grumpup, and welcome to the forums.

Download this: http://www.downloads...VX2Finder9x.exe and run it

1-Click "Click To find Find VX2.Abetterinternet"

2-Delete all files found
You will get a message about "cannot delete this one" matching the same name in the Guardian Key.

3-Clicking "Open regedit" will take you right to the Guardian Key (no need to search for it)

4-Highlight "Guardian", right-click and choose Security/permissions; you'll get another window with 'advanced'...
Deselect (uncheck) the lower box with "inheritable permissions"
Hit 'ok' and 'remove' on the following security prompts.

Restart computer.

5-On restart use VX2Finder again, select + delete the last file; clicking "User Agent$" will remove that entry from the registry.

6-Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions"

7-Clicking "Guardian.reg" in VX2Finder deletes the Guardian Key.

8-Using Find again should produce a clean log of blank values.

9-Click "Restore Policy" to restore the Debug policy altered in the Look2Me installation. (Requires a reboot to apply, but not immediately necessary.)

Download LSP Fix from the following location:
http://www.cexx.org/LSPFix.exe
Open LSP Fix and check the "I know what I'm doing" box. Move all copies of inetadpt.dll to the "Remove" column. Then click "Finish" and exit LSP Fix.

Now press Ctrl+Alt+Delete and end the following processes (some may not be there):

C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\POPUPBLOCKER\ENIGMAPOPUPSTOP.EXE

C:\WINDOWS\SYSTEM\IEHOST.EXE

C:\PROGRAM FILES\EZULA\MMOD.EXE

C:\PROGRAM FILES\GRID 01\SOFTWARE FOR KEEP.EXE

C:\WINDOWS\SYSTEM\OUCHJBG.EXE

C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE

C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE

C:\WINDOWS\SYSTEM\ICMDMOE.EXE

Important: Create a folder such as C:\HJT and move Hijack This there. When you run Hijack This from this folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary. The backups will be harder to clean out later if it is left in its present location.

Next, open Hijack This and check the following boxes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)

O1 - Hosts: 69.20.16.183 ieautosearch

O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O3 - Toolbar: link program eq - {361C3A39-9158-BB39-766E-4106A8DF1A3A} - C:\PROGRAM FILES\SETUP INTRA BLUE\SOFT MATH.DLL

O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe

O4 - HKLM\..\Run: [ZIY] C:\WINDOWS\TEMP\ZIY.EXE

O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\SYSTEM\IEHost.exe

O4 - HKLM\..\Run: [amlkrnd] C:\WINDOWS\SYSTEM\ouchjbg.exe

O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [AutoLoadero2t71IMkXINJ] "C:\WINDOWS\SYSTEM\ICMDMOE.EXE" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [GREAT BAGS] C:\PROGRA~1\GRID 01\SOFTWARE FOR KEEP.exe

O4 - HKLM\..\Run: [o92h36R] ICMDMOE.EXE

O4 - HKCU\..\Run: [ZytnRWdmg] LFPMP70N.EXE

O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49...m::/on-line.exe

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab

O19 - User stylesheet: C:\WINDOWS\win32.bmp

Now hit "Fix checked" and close Hijack This.

Reboot your computer into safe mode. Instructions on how to do that are available here:
http://service1.syma...src=sec_doc_nam

Uninstall the following programs via Add/Remove programs under control panel:
Spyhunter
Kazaa

Why uninstall Spy Hunter? It is not a legitimate Anti-Spyware program. It is known to tell users that they have spyware that is not actually there to get you to pay for it, and then do almost nothing to deal with actual spyware.

Why uninstall Kazaa? It is a spyware-laden application and there are plenty of safer file-sharing applications. A list is available here:
http://www.spywarein...m/articles/p2p/

Now delete the following files/folders. You may need to show hidden files/folders to do that. Instructions on how to show hidden files/folders are available here:
http://www.xtra.co.n...1916458,00.html

Delete the following files/folders (some may already be gone):

C:\PROGRA~1\ezula\ <- this folder
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ <- this folder
C:\PROGRAM FILES\GRID 01\ <- this folder
C:\WINDOWS\SYSTEM\OUCHJBG.EXE <- this file
C:\WINDOWS\SYSTEM\IEHOST.EXE <- this file
C:\PROGRAM FILES\COMMON FILES\DPI\ <- this folder
C:\PROGRAM FILES\COMMON FILES\UPDMGR\ <- this folder
C:\WINDOWS\SYSTEM\ICMDMOE.EXE <- this file
C:\WINDOWS\win32.exe <- this file
C:\WINDOWS\TEMP\ZIY.EXE <- this file
C:\WINDOWS\ALCHEM.exe <- this file
C:\PROGRA~1\GRID 01\ <- this folder

Search for and delete the following if found:

LFPMP70N.EXE

Reboot your PC and post a new Hijack This log.

Edited by gravylover5, 25 June 2004 - 07:33 PM.
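An added example (not code from this thread, from gravylover5, or from HijackThis itself): a small Python script that parses the log format posted above and applies review heuristics covering the kinds of entries flagged in the reply, so a reader can see why those particular lines stood out. The sample lines are copied from the posted log; the rules are assumptions written for this example, not HijackThis's own checks.

```python
import re
from collections import Counter

# Constructed input: entry lines copied from the HijackThis log posted in this
# thread, so the parser can be exercised offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [ZIY] C:\WINDOWS\TEMP\ZIY.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49...m::/on-line.exe
O19 - User stylesheet: C:\WINDOWS\win32.bmp
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F9, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F\d|O\d+) - (.*)$")

def parse_hjt(log):
    """Return (section code, body) tuples; header and process-list lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def triage(entries):
    """Heuristic review rules (assumed here, not HijackThis logic); returns (code, reason, body)."""
    # O10 bodies end with the DLL path; the thread's LSP Fix step removes every duplicate copy.
    lsp_counts = Counter(b.rsplit(": ", 1)[-1].lower() for c, b in entries if c == "O10")
    flagged = []
    for code, body in entries:
        if code == "R3" and "(no file)" in body:
            flagged.append((code, "URLSearchHook points at a missing file", body))
        elif code == "O1":
            flagged.append((code, "Hosts file redirect", body))
        elif code == "O4" and "\\TEMP\\" in body.upper():
            flagged.append((code, "autorun entry launched from TEMP", body))
        elif code == "O10" and lsp_counts[body.rsplit(": ", 1)[-1].lower()] > 1:
            flagged.append((code, "same DLL inserted into the LSP chain more than once", body))
        elif code == "O16" and not body.split(" - ")[-1].lower().startswith("http"):
            flagged.append((code, "DPF codebase is not an HTTP URL", body))
        elif code == "O19" and not body.lower().endswith(".css"):
            flagged.append((code, "user stylesheet is not a .css file", body))
    return flagged

if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:<4} {reason}: {body}")
```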


#5 grumpup

    Member

  • New Member
  • 4 posts

Posted 25 June 2004 - 08:11 PM

Gravy-

Thanks for the reply. I won't be able to work on their computer till the 4th of July weekend when I'm back at their place. Just add another reply so I know you'll take a look at it after that. Thanks again.

GRUM

#6 grumpup

    Member

  • New Member
  • 4 posts

Posted 28 June 2004 - 08:19 PM

Gravy-

I got to step #2 before I ran into this problem: I can find nothing about "Open regedit" (your steps are below). Where is that located? It's not with the VX2Finder window.

Thanks GRUM



3-Clicking "Open regedit" will take you right to the Guardian Key (no need to search for it)

4-Highlight "Guardian", right-click and choose Security/permissions; you'll get another window with 'advanced'...
Deselect (uncheck) the lower box with "inheritable permissions"
Hit 'ok' and 'remove' on the following security prompts.

Restart computer.

5-On restart use VX2Finder again, select + delete the last file; clicking "User Agent$" will remove that entry from the registry.

6-Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions"

7-Clicking "Guardian.reg" in VX2Finder deletes the Guardian Key.

8-Using Find again should produce a clean log of blank values.

9-Click "Restore Policy" to restore the Debug policy altered in the Look2Me installation. (Requires a reboot to apply, but not immediately necessary.)

#7 gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • 121 posts

Posted 06 July 2004 - 04:06 PM

My apologies, Grumpup, for the incorrect instructions. I hope it didn't cause too much frustration. Use these instructions for VX2Finder instead of the ones I supplied earlier. Then follow the instructions that I gave for the steps after VX2Finder.

http://www.downloads...VX2Finder9x.exe

For Windows 98 & Me versions.

For Win9x, it doesn't even require a reboot; just find files (verify they are not legitimate Windows files)

-Select files and delete them all (Rundll32 & Explorer will end process leaving blank desktop)

-User Agent$ Removes the User Agent String in Registry

-Look2Me.reg fixes the Double Quicklaunch toolbar.

Also, your version of Hijack This is outdated. Please download version 1.98.0, available here:

http://downloads.sub.../hijackthis.zip



