
default homepage been hacked

Discussion in 'Virus & Other Malware Removal' started by geochau, Oct 19, 2003.

Thread Status:
Not open for further replies.
  1. geochau

    geochau Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    27
    hi everyone i am new here , i got the same old problem many ppls
    had ... default homepage been hacked !!!

    every time when i restart my pc that homepage (not the one i want)
    becomes my homepage ...... again

    i tried many spy check programs already , but all hopeless :(

    so i DL the HijackThis program ppls here recommend
    and here is my logfile

    someone pls help me :( ~~~


    Logfile of HijackThis v1.97.3
    Scan saved at 0:38:21, on 2003-10-20
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\VM_STI.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\ICQ\Icq.exe
    C:\Documents and Settings\KoKo Sun\Desktop\hijackthis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
    O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: restart_vs.lnk = E:\Viewsonic.exe
    O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O11 - Options group: [!IESearch] !IESearch
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37820.9638078704
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72314CF6-A446-42AC-9A01-39034CA71DC1}: NameServer = 202.37.101.1 202.37.101.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3625E4-D1D8-4179-84F8-DD3F432BB864}: NameServer = 192.168.1.1
     
  2. Die Hard

    Die Hard

    Joined:
    Apr 5, 2003
    Messages:
    267
    geochau HI :)

    I suggest that you first run an online virus scan, you have at least one virus active.

    Here are some reliable scanners:
    Personally I prefer Panda, but nothing wrong with running all three :

    Symantec/Norton
    http://security.symantec.com/default.asp?l...FCSGFZVDTPSOERZ

    Panda ActiveScan http://www.pandasoftware.com/activescan/

    Trend Micro HouseCall http://housecall.trendmicro.com/


    Also download
    AdAware 6.181 and run a scan. Check for an update of the reference file before the first scan, the current is 01R226 19.10.2003
    This tool will help you clean out the malware you have with a minimum of effort.
    Settings in AdAware6:
    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, copy your log-file and post it here and let's have a look at it.

    When you have done this, please post another HiJack This-log.

    Finally.........

    I also strongly suggest that you install an Antivirus program. One of the best is AVG and it's free, get it here : http://www.grisoft.com


    Die Hard :)
     
  3. geochau

    geochau Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    27
    hi die hard
    thx for ur information
    here is the Ad-aware 6 log file

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :2003年10月20日 10:46:03
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R225 13.10.2003
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file


    2003-10-20 10:46:03 - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 2003-10-19 20:32:24
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 2003-10-19 20:32:25
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 2003-10-19 20:32:25
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft? Windows? Operating System
    Created on : 2002-6-28 14:52:34
    Last accessed : 2003-10-19 21:37:25
    Last modified : 2002-6-28 14:52:34

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 2003-10-19 20:32:25
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft? Windows? Operating System
    Created on : 2002-8-28 15:41:26
    Last accessed : 2003-10-19 21:37:12
    Last modified : 2002-8-28 15:41:26

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 2003-10-19 20:32:26
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft? Windows? Operating System
    Created on : 2002-6-28 14:52:42
    Last accessed : 2003-10-19 21:37:27
    Last modified : 2002-6-28 14:52:42

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-10-19 20:32:27
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft? Windows? Operating System
    Created on : 2002-6-28 14:52:42
    Last accessed : 2003-10-19 21:37:27
    Last modified : 2002-6-28 14:52:42

    #:7 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 2003-10-19 20:32:28
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft? Windows? Operating System
    Created on : 2002-8-28 15:41:24
    Last accessed : 2003-10-19 21:21:59
    Last modified : 2002-8-28 15:41:24

    #:8 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 2003-10-19 20:32:28
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft? Windows? Operating System
    Created on : 2002-6-28 14:52:40
    Last accessed : 2003-10-19 21:37:26
    Last modified : 2002-6-28 14:52:40

    #:9 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-10-19 20:32:28
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 6.13.10.4114
    ProductVersion : 6.13.10.4114
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 41.14
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 41.14
    Created on : 2003-6-21 13:55:30
    Last accessed : 2003-10-19 21:37:19
    Last modified : 2003-1-10 10:04:00

    #:10 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-10-19 20:32:28
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft? Windows? Operating System
    Created on : 2002-6-28 14:52:42
    Last accessed : 2003-10-19 21:37:27
    Last modified : 2002-6-28 14:52:42

    #:11 [sstray.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-10-19 20:32:29
    BasePriority : Normal
    FileSize : 72 KB
    FileVersion : 1.00.00.0317
    ProductVersion : 1.00.00.0317
    Copyright : Copyright 2000-2002 NVIDIA Corporation
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA nForce Taskbar Utility
    InternalName : SSTray.exe
    ProductName : NVIDIA nForce
    Created on : 2003-6-21 13:51:12
    Last accessed : 2003-10-19 21:37:27
    Last modified : 2002-12-5 0:23:26

    #:12 [realsched.exe]
    FilePath : C:\Program Files\Common Files\Real\Update_OB\
    ThreadCreationTime : 2003-10-19 20:32:29
    BasePriority : Normal
    FileSize : 148 KB
    FileVersion : 0.1.0.1622
    ProductVersion : 0.1.0.1622
    Copyright : Copyright ? RealNetworks, Inc. 1995-2002
    CompanyName : RealNetworks, Inc.
    FileDescription : RealNetworks Scheduler
    InternalName : schedapp
    OriginalFilename : realsched.exe
    ProductName : RealOne Player (32-bit)
    Created on : 2003-8-27 11:57:18
    Last accessed : 2003-10-19 21:39:06
    Last modified : 2003-8-27 11:57:18

    #:13 [vm_sti.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 2003-10-19 20:32:29
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 4.2.610.4
    Copyright : VM., 2002.
    CompanyName : VM.
    FileDescription : Still Image (STI) Driver
    OriginalFilename : VM_STI.EXE
    Created on : 2003-9-5 4:05:57
    Last accessed : 2003-10-19 21:37:36
    Last modified : 2002-8-22 3:51:52

    #:14 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 2003-10-19 20:32:30
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft? Windows? Operating System
    Created on : 2002-8-28 15:41:22
    Last accessed : 2003-10-19 21:36:32
    Last modified : 2002-8-28 15:41:22

    #:15 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 2003-10-19 20:57:40
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft? Windows? Operating System
    Created on : 2003-6-21 12:41:27
    Last accessed : 2003-10-19 21:31:52
    Last modified : 2002-8-28 15:41:26

    #:16 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 2003-10-19 21:31:52
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    Copyright : ? Microsoft Corporation. All rights reserved.
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft? Windows? Operating System
    Created on : 2003-6-21 12:41:27
    Last accessed : 2003-10-19 21:31:52
    Last modified : 2002-8-28 15:41:26

    #:17 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 2003-10-19 21:42:27
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright ? Lavasoft Sweden
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 2003-10-19 21:16:52
    Last accessed : 2003-10-19 21:38:34
    Last modified : 2003-7-12 9:00:20

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    BDSearch Plugin Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    Value : {BC207F7D-3E63-4ACA-99B5-FB5F8428200C}


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : koko [email protected][1].txt
    Object : C:\Documents and Settings\KoKo Sun\Cookies\
    FileSize : 3 KB
    Created on : 2003-9-6 6:15:47
    Last accessed : 2003-10-19 21:22:11
    Last modified : 2003-9-6 6:15:47



    Tracking Cookie Object recognized!
    Type : File
    Data : koko [email protected][1].txt
    Object : C:\Documents and Settings\KoKo Sun\Cookies\

    Created on : 2003-10-19 12:15:19
    Last accessed : 2003-10-19 21:22:11
    Last modified : 2003-10-19 12:15:19



    Tracking Cookie Object recognized!
    Type : File
    Data : koko [email protected][1].txt
    Object : C:\Documents and Settings\KoKo Sun\Cookies\

    Created on : 2003-10-19 10:03:50
    Last accessed : 2003-10-19 21:22:12
    Last modified : 2003-10-19 10:03:50



    Timesink Object recognized!
    Type : File
    Data : tsuninstaller.exe
    Object : C:\Program Files\eGames\3D Maze Man Demo\
    FileSize : 74 KB
    Created on : 2003-7-24 2:11:28
    Last accessed : 2003-10-19 21:23:41
    Last modified : 1999-1-21 20:27:52



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 5


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    901 entries scanned.
    New objects :0
    Objects found so far: 5




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 5


    10:47:56 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:01:52:937
    Objects scanned :91214
    Objects identified :5
    Objects ignored :0
    New objects :5





    here is the HT

    Logfile of HijackThis v1.97.3
    Scan saved at 10:52:45, on 2003-10-20
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\VM_STI.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\KoKo Sun\Desktop\hijackthis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
    O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs
    O4 - Startup: restart_vs.lnk = E:\Viewsonic.exe
    O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\qq\QQ.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O11 - Options group: [!IESearch] !IESearch
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37820.9638078704
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72314CF6-A446-42AC-9A01-39034CA71DC1}: NameServer = 202.37.101.1 202.37.101.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3625E4-D1D8-4179-84F8-DD3F432BB864}: NameServer = 192.168.1.1


    i used the panda virus check already, it said no virus in my PC ..

    thx
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    all these are 99% sure to be viral

    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
    O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs

    run an online antivirus check from at least one of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
     
  5. geochau

    geochau Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    27
    hi dvk01 thx

    so what can i do for that ??

    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
    O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs


    is this my webcam program or something like that ???
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
     
  6. geochau

    geochau Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    27
    someone help me pls :( ~~
     
  7. Die Hard

    Die Hard

    Joined:
    Apr 5, 2003
    Messages:
    267
    geochau :)

    Close all open windows, run HJT and put a checkmark to the left of those items, then click "fix".

    R3 - URLSearchHook: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
    O2 - BHO: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
    O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab


    Then reboot.
    After reboot, search and find VM_STI.EXE and check if it belongs to your webcam. If it does, leave it. Regarding internat.exe, could you please find it and look at what it looks like. If it has a question mark as icon and has a length of 20Kb it's a legit file, then leave it. Otherwise it's a trojan, then remove it and empty your dustbin.

    Also see if you can find WINSYS.cer and WINSYS.vbs. We would very much like to have them submitted for investigation.
    If you find them ,please submit them HERE

    Die Hard :)
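The two replies above (dvk01's "99% sure to be viral" list and Die Hard's fix list) apply a few heuristics by eye: an autostart entry that launches from a $NtUninstall...$ hotfix folder, one that silently imports registry data with `regedit -s`, one with an empty value name, one whose command is cut off (`C:\W`), and a CLSID that is registered as a URLSearchHook/BHO with "(no file)" yet also appears as an O16 download. The script below is an added example, not part of this thread and not part of HijackThis; it parses HijackThis-style log lines and encodes those same heuristics so they can be run over a saved log. The sample input is a handful of lines copied from geochau's log; the heuristic names, the function names and the "more than one section" threshold for CLSIDs are the example's own assumptions.

```python
import re

# Constructed sample input: lines copied from the HijackThis v1.97.3 log
# posted in this thread, so the heuristics can be exercised offline.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
"""

# "O4 - <hive\..\Run key>: [<value name>] <command>"  (Startup-folder O4 lines have no [] and are skipped)
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Hotfix uninstall folders are data, not a place a legitimate program starts from.
UNINSTALL_DIR_RE = re.compile(r"\$NtUninstall[^\\]*\$", re.I)
# regedit with the silent switch imports registry data at every logon without a prompt.
SILENT_REGEDIT_RE = re.compile(r"^\s*regedit(?:\.exe)?\s+[/-]s\b", re.I)
SCRIPT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd)\s*$", re.I)
# A bare "C:\W" style command is not a program at all.
TRUNCATED_RE = re.compile(r"^[A-Za-z]:\\\w{0,3}$")


def triage_o4(line):
    """Return the reasons an O4 (autostart) line deserves a closer look; [] if none fire."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd").strip()
    reasons = []
    if name == "":
        reasons.append("empty value name")
    if UNINSTALL_DIR_RE.search(cmd):
        reasons.append("runs from a hotfix uninstall folder ($NtUninstall...$)")
    if SILENT_REGEDIT_RE.match(cmd):
        reasons.append("silent registry import at logon (regedit -s)")
    if SCRIPT_RE.search(cmd):
        reasons.append("script file launched at startup")
    if TRUNCATED_RE.match(cmd):
        reasons.append("command is a bare drive path, not a program")
    return reasons


def clsid_crossref(lines):
    """Per CLSID: which log sections (R3, O2, O3, O16, ...) it appears in,
    whether any entry is '(no file)', and any download URL tied to it."""
    seen = {}
    for line in lines:
        m = CLSID_RE.search(line)
        if not m:
            continue
        rec = seen.setdefault(m.group(0).upper(), {"sections": set(), "no_file": False, "urls": set()})
        rec["sections"].add(line.split(" - ", 1)[0])  # "R3", "O2", "O16", ...
        if "(no file)" in line:
            rec["no_file"] = True
        u = re.search(r"https?://\S+", line)
        if u:
            rec["urls"].add(u.group(0))
    return seen


def suspicious_clsids(crossref):
    """A CLSID hooked into the browser with no backing file that is also registered
    elsewhere (e.g. as an O16 download) is the footprint of a half-removed hijacker;
    all of its entries should be fixed together."""
    return sorted(c for c, r in crossref.items() if r["no_file"] and len(r["sections"]) > 1)


def triage(log_text):
    """Run both checks over a whole log and return the findings."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    flagged = [(l, triage_o4(l)) for l in lines if l.startswith("O4 - ") and triage_o4(l)]
    xref = clsid_crossref(lines)
    return {"flagged_o4": flagged, "suspicious_clsids": suspicious_clsids(xref), "clsids": xref}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for line, reasons in report["flagged_o4"]:
        print(line)
        for r in reasons:
            print("   ->", r)
    print("CLSIDs whose entries should be fixed together:", report["suspicious_clsids"])
```

Run against the sample it flags the four O4 lines dvk01 listed (and nothing else) and reports the single Baidu IESearch CLSID that appears in R3, O2 and O16, which is exactly the set Die Hard asked to have checked in HJT. Entries the script does not flag are not thereby clean; it only automates the first pass a human reviewer makes.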
     
  8. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    If I'm not mistaken WINSYS.cer and WINSYS.vbs are most likely part of or a variation of WINSYS.exe which is a key stroke logger.

    Do a search for WINSYS.exe and note where it is.
    There are two or more files that use the name WINSYS.exe.
    One is a key logger and the other is a virus. Either way, not good!!
     
  9. geochau

    geochau Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    27
    thx so much for u guys~~

    i already did the FIX in HijackThis for the following...

    R3 - URLSearchHook: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
    O2 - BHO: (no name) - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V2
    O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
    O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab

    but i cant find internat.exe WINSYS.cer WINSYS.vbs from search
    i can see them in regedit ... data.. there..

    so what can i do ??
     
  10. Die Hard

    Die Hard

    Joined:
    Apr 5, 2003
    Messages:
    267
    geochau :)

    The path is:

    C:\$NtUninstallQ887678$\

    This would be hidden, a search would not reveal it unless you click the arrow beside "More Advanced Options" (this is when you have clicked to search for "All Files and Folders") and then tick the box that says "Search hidden files and folders".

    Or you could open "C:\>Tools>FileOptions>Display (second tab from the left) and tick in the circle "Show hidden files and folders" then "Apply".
    Does this folder show? And what does it contain?

    Die Hard :)
     
  11. geochau

    geochau Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    27
    hi

    i still cant find that , but after doing the fix in HijackThis everything
    ok ... no problem and my pc restarts faster than before :p

    thanks a lot Diehard and others
    :)
     
  12. Die Hard

    Die Hard

    Joined:
    Apr 5, 2003
    Messages:
    267
    geochau :)

    You´re welcome (y)

    Die Hard
     
  13. geochau

    geochau Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    27
    hello die hard can u help me again??
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
Short URL to this thread: https://techguy.org/173056