
Hijacked home page

Discussion in 'Virus & Other Malware Removal' started by mutley, Apr 18, 2004.

  1. mutley

    Hi guys,

    I see from a lot of posts on here that a lot of people are having the same problem. So I have run HJT; the results are listed below for you to look at and advise me accordingly.

    Thanks for your help

    Paul

    Logfile of HijackThis v1.97.7
    Scan saved at 15:40:53, on 18/04/04
    Platform: Windows 95 a (Win9x 4.00.1111)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\PILOT MOUSE\4DMAIN.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.clairesnightclub.co.uk/
    O1 - Hosts: 66.250.171.136 auto.search.msn.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\PILOTM~1\4DMAIN.EXE -startup
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\TEMP\PIC1324(1)(1)(1)(1)(2)(2)(3).exe
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
    O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [5-1-25-55] c:\windows\5-1-25-55.exe -m
    O4 - HKCU\..\Run: [5-11-1-44] c:\windows\5-11-1-44.exe -m
    O4 - HKCU\..\Run: [5-11-1-20] c:\windows\5-11-1-20.exe -m
    O4 - HKCU\..\Run: [5-1-26-2] c:\windows\5-1-26-2.exe -m
    O4 - HKCU\..\Run: [5-1-26-82] c:\windows\5-1-26-82.exe -m
    O4 - HKCU\..\Run: [5-1-26-81] c:\windows\5-1-26-81.exe -m
    O4 - HKCU\..\Run: [5-1-25-110] c:\windows\5-1-25-110.exe -m
    O4 - HKCU\..\Run: [5-11-1-67] c:\windows\5-11-1-67.exe -m
    O4 - HKCU\..\Run: [OPQFile] C:\WINDOWS\regedit.exe /s C:\WINDOWS\SYSTEM\radBCC3C.tmp
    O4 - HKCU\..\Run: [5-2-170-97] c:\program files\Webdialer\5-2-170-97.exe -m
    O4 - HKCU\..\Run: [od-padr32] c:\program files\OnlineDialer\od-padr32.exe -m
    O4 - HKCU\..\Run: [SPYNUKER] C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER\SPYNUKER.exe /STARTUP
    O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd112\24758553.EXE -remove
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O13 - WWW. Prefix: http://
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058695uk.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b5efcdec88249c1000/netzip/RdxIE601.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = agate.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1
     
  2. $teve

    Hi......you need to remove Kazaa, that's the source of your problems.
    And SpywareNuker is also very bad and does nothing but INSTALL spy/adware.

    Run hijackthis again and put a checkmark against these entries....double check
    in case you miss anything....
    .....then, close all browser and outlook windows including this one and "fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/a...com/search?p=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 66.250.171.136 auto.search.msn.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
    O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
    O4 - HKCU\..\Run: [5-1-25-55] c:\windows\5-1-25-55.exe -m
    O4 - HKCU\..\Run: [5-11-1-44] c:\windows\5-11-1-44.exe -m
    O4 - HKCU\..\Run: [5-11-1-20] c:\windows\5-11-1-20.exe -m
    O4 - HKCU\..\Run: [5-1-26-2] c:\windows\5-1-26-2.exe -m
    O4 - HKCU\..\Run: [5-1-26-82] c:\windows\5-1-26-82.exe -m
    O4 - HKCU\..\Run: [5-1-26-81] c:\windows\5-1-26-81.exe -m
    O4 - HKCU\..\Run: [5-1-25-110] c:\windows\5-1-25-110.exe -m
    O4 - HKCU\..\Run: [5-11-1-67] c:\windows\5-11-1-67.exe -m
    O4 - HKCU\..\Run: [OPQFile] C:\WINDOWS\regedit.exe /s C:\WINDOWS\SYSTEM\radBCC3C.tmp
    O4 - HKCU\..\Run: [5-2-170-97] c:\program files\Webdialer\5-2-170-97.exe -m
    O4 - HKCU\..\Run: [od-padr32] c:\program files\OnlineDialer\od-padr32.exe -m
    O4 - HKCU\..\Run: [SPYNUKER] C:\PROGRAM FILES\TREK BLUE\SPYWARE NUKER\SPYNUKER.exe /STARTUP
    O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd112\24758553.EXE -remove
    O13 - WWW. Prefix: http://
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058695uk.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b5efc...ip/RdxIE601.cab


    Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    Locate and delete:
    c:\program files\Webdialer
    c:\program files\OnlineDialer
    C:\PROGRAM FILES\TREK BLUE
    c:\program files\HaldexLtd
    C:\WINDOWS\SYSTEM\radBCC3C.tmp


    Post another log after.
    ;)
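The entries $teve flags above fall into a few recognisable patterns: a start page pointed at a local HTML Help file instead of a web URL, hosts-file lines redirecting search sites, Run entries launching from TEMP or with machine-generated numeric names, a silent `regedit /s` at logon, and an ActiveX download pulled from a bare IP. The triage script below is an added example, not part of this thread or of HijackThis; it applies those heuristics to lines copied from the posted log and would run on any HijackThis 1.97-style log.

```python
import re
# Added triage helper for HijackThis 1.97-style logs (not part of this thread's tools).
SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
NUMERIC_NAME = re.compile(r"\\\d+(?:-\d+){2,}\.exe\b", re.I)   # e.g. 5-1-25-55.exe
# Sample entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.clairesnightclub.co.uk/
O1 - Hosts: 66.250.171.136 auto.search.msn.com
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\TEMP\PIC1324(1)(1)(1)(1)(2)(2)(3).exe
O4 - HKCU\..\Run: [5-1-25-55] c:\windows\5-1-25-55.exe -m
O4 - HKCU\..\Run: [OPQFile] C:\WINDOWS\regedit.exe /s C:\WINDOWS\SYSTEM\radBCC3C.tmp
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058695uk.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

def triage_line(line):
    """Return a reason if the entry looks like a hijack or loader, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):  # browser start/search page values
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value and not value.lower().startswith(("http://", "https://")):
            return "start/search page set to a non-web URL: " + value
    elif sec == "O1":  # Hosts: <ip> <name>; anything but loopback is a redirect
        parts = body.split()
        if len(parts) >= 3 and parts[1] not in ("127.0.0.1", "0.0.0.0", "::1"):
            return f"hosts file redirects {parts[2]} to {parts[1]}"
    elif sec == "O4":  # autorun entries
        low = body.lower()
        if "\\temp\\" in low:
            return "autorun launches from a TEMP directory"
        if NUMERIC_NAME.search(body):
            return "autorun with generated numeric filename"
        if "regedit.exe /s" in low:
            return "autorun silently re-imports a registry file at logon"
    elif sec == "O16":  # ActiveX downloads
        if RAW_IP_URL.search(body):
            return "ActiveX download from a bare IP address"
        if body.lower().endswith(".exe"):
            return "ActiveX entry downloads an .exe instead of a .cab"
    return None

def triage_log(text):  # (line, reason) for every flagged entry, in log order
    hits = ((l.strip(), triage_line(l)) for l in text.splitlines())
    return [(l, r) for l, r in hits if r]
```

Entries it leaves alone (the Start Page_bak line and the Flash .cab) are the ones $teve also left in place; the heuristics are a first pass for a human reviewer, not a replacement for knowing the legitimate software on the machine.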
     
  3. mutley

    Hi $teve

    Thanks for your reply, I have now done all that you suggested and below is the re-run of the test for you to check :)

    Logfile of HijackThis v1.97.7
    Scan saved at 17:32:16, on 18/04/04
    Platform: Windows 95 a (Win9x 4.00.1111)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\PILOT MOUSE\4DMAIN.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.clairesnightclub.co.uk/
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\PILOTM~1\4DMAIN.EXE -startup
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\TEMP\PIC1324(1)(1)(1)(1)(2)(2)(3).exe
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = agate.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1
     
  4. $teve

    Clean log(y)
     
Short URL to this thread: https://techguy.org/221553