Hijacked home page

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mutley

Thread Starter
Joined
Apr 18, 2004
Messages
5
Hi guys,

I see from a lot of posts on here that a lot of people are having the same problem, so I have run HJT; the results are listed below for you to look at and advise me accordingly.

Thanks for your help

Paul

Logfile of HijackThis v1.97.7
Scan saved at 15:40:53, on 18/04/04
Platform: Windows 95 a (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PILOT MOUSE\4DMAIN.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.clairesnightclub.co.uk/
O1 - Hosts: 66.250.171.136 auto.search.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\PILOTM~1\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\TEMP\PIC1324(1)(1)(1)(1)(2)(2)(3).exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [5-1-25-55] c:\windows\5-1-25-55.exe -m
O4 - HKCU\..\Run: [5-11-1-44] c:\windows\5-11-1-44.exe -m
O4 - HKCU\..\Run: [5-11-1-20] c:\windows\5-11-1-20.exe -m
O4 - HKCU\..\Run: [5-1-26-2] c:\windows\5-1-26-2.exe -m
O4 - HKCU\..\Run: [5-1-26-82] c:\windows\5-1-26-82.exe -m
O4 - HKCU\..\Run: [5-1-26-81] c:\windows\5-1-26-81.exe -m
O4 - HKCU\..\Run: [5-1-25-110] c:\windows\5-1-25-110.exe -m
O4 - HKCU\..\Run: [5-11-1-67] c:\windows\5-11-1-67.exe -m
O4 - HKCU\..\Run: [OPQFile] C:\WINDOWS\regedit.exe /s C:\WINDOWS\SYSTEM\radBCC3C.tmp
O4 - HKCU\..\Run: [5-2-170-97] c:\program files\Webdialer\5-2-170-97.exe -m
O4 - HKCU\..\Run: [od-padr32] c:\program files\OnlineDialer\od-padr32.exe -m
O4 - HKCU\..\Run: [SPYNUKER] C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER\SPYNUKER.exe /STARTUP
O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd112\24758553.EXE -remove
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058695uk.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b5efcdec88249c1000/netzip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = agate.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1
 
Joined
Oct 9, 2001
Messages
9,396
Hi... you need to remove Kazaa, that's the source of your problems.
And SpywareNuker is also very bad and does nothing but INSTALL spy/adware.

Run HijackThis again and put a checkmark against these entries... double check
in case you miss anything...
...then close all browser and Outlook windows, including this one, and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/a...com/search?p=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 66.250.171.136 auto.search.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKCU\..\Run: [5-1-25-55] c:\windows\5-1-25-55.exe -m
O4 - HKCU\..\Run: [5-11-1-44] c:\windows\5-11-1-44.exe -m
O4 - HKCU\..\Run: [5-11-1-20] c:\windows\5-11-1-20.exe -m
O4 - HKCU\..\Run: [5-1-26-2] c:\windows\5-1-26-2.exe -m
O4 - HKCU\..\Run: [5-1-26-82] c:\windows\5-1-26-82.exe -m
O4 - HKCU\..\Run: [5-1-26-81] c:\windows\5-1-26-81.exe -m
O4 - HKCU\..\Run: [5-1-25-110] c:\windows\5-1-25-110.exe -m
O4 - HKCU\..\Run: [5-11-1-67] c:\windows\5-11-1-67.exe -m
O4 - HKCU\..\Run: [OPQFile] C:\WINDOWS\regedit.exe /s C:\WINDOWS\SYSTEM\radBCC3C.tmp
O4 - HKCU\..\Run: [5-2-170-97] c:\program files\Webdialer\5-2-170-97.exe -m
O4 - HKCU\..\Run: [od-padr32] c:\program files\OnlineDialer\od-padr32.exe -m
O4 - HKCU\..\Run: [SPYNUKER] C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER\SPYNUKER.exe /STARTUP
O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd112\24758553.EXE -remove
O13 - WWW. Prefix: http://
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058695uk.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b5efc...ip/RdxIE601.cab


Reboot into safe mode by following the instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".


Locate and delete:
c:\program files\Webdialer
c:\program files\OnlineDialer
C:\PROGRAM FILES\TREK BLUE
c:\program files\HaldexLtd
C:\WINDOWS\SYSTEM\radBCC3C.tmp


Post another log after.
;)
 

mutley

Thread Starter
Joined
Apr 18, 2004
Messages
5
Hi $teve

Thanks for your reply, I have now done all that you suggested and below is the re-run of the test for you to check :)

Logfile of HijackThis v1.97.7
Scan saved at 17:32:16, on 18/04/04
Platform: Windows 95 a (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PILOT MOUSE\4DMAIN.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.clairesnightclub.co.uk/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\PILOTM~1\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\TEMP\PIC1324(1)(1)(1)(1)(2)(2)(3).exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = agate.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1
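
Added example, not part of the original thread: a Python check that does what the helper does by eye with a follow-up log, comparing it against the first log and the posted fix list to see whether any flagged entry survived or anything new appeared. Function and variable names are assumptions for illustration; the log lines are excerpted from the thread except where marked constructed, and the matcher tolerates the "..." the forum inserted into long URLs in the fix list.

```python
import re

# A HijackThis entry line is "<section> - <detail>", e.g. "O1 - Hosts: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, normalised detail) entries in a log."""
    found = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and running-process lines do not match
            found.add((m.group(1), " ".join(m.group(2).split()).lower()))
    return found

def same_entry(fix, entry):
    """Equal, or equal around a "..." the forum put into a long URL."""
    head, cut, tail = fix[1].partition("...")
    if fix[0] != entry[0] or not cut:
        return fix == entry
    d = entry[1]
    return len(d) >= len(head + tail) and d.startswith(head) and d.endswith(tail)

def verify_fix(before, fix_list, after):
    """Check a follow-up log against the first log and the fix list."""
    b, f, a = (parse_entries(t) for t in (before, fix_list, after))
    return {
        "still_present": sorted(x for x in f if any(same_entry(x, e) for e in a)),
        "unmatched": sorted(x for x in f if not any(same_entry(x, e) for e in b)),
        "new": sorted(a - b),
    }

# Lines excerpted from the thread's first log.
R1_FULL = r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s"
AVG = r"O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP"
DIALER = r"O4 - HKCU\..\Run: [od-padr32] c:\program files\OnlineDialer\od-padr32.exe -m"
HOSTS = "O1 - Hosts: 66.250.171.136 auto.search.msn.com"
BEFORE = "\n".join([R1_FULL, HOSTS, AVG, DIALER])
# Fix list as posted, including the URL the forum shortened with "...".
R1_CUT = r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/a...com/search?p=%s"
FIX = "\n".join([R1_CUT, HOSTS, DIALER])
AFTER = AVG                          # what the follow-up log kept of these
PARTIAL = "\n".join([AVG, R1_FULL])  # constructed: the R1 entry survived

if __name__ == "__main__":
    print(verify_fix(BEFORE, FIX, AFTER))
    print(verify_fix(BEFORE, FIX, PARTIAL)["still_present"])
```

An empty "still_present" and "new" means the follow-up log is clean with respect to the fix list; a non-empty "unmatched" points at a fix-list line that was mistyped or mangled when it was pasted.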
 