Hijacked webbrowser (yes, me too)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Fisch

Thread Starter
Joined
Jun 24, 2004
Messages
5
Hi, I hope someone can help me.

I have Norton Internet Security 2003, and use As-aware on a regular basis.

Now my browser start page has been changed to: http://topotun.com/index.htm and together with that I get a bunch of unwanted bookmarks to pornsites and a few spyware commercial pop-ups.

I have used Hijack this and get the following log (I use hijack this from a folder in my documents, not on the desktop) :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2B284CB0-9E5E-4627-A4BE-FECBD5BF9F5B} - C:\WINDOWS\System32\necodd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEeng.exe
O4 - Global Startup: winlgn.exe
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...le.com/saba/se/win/QuickTimeFullInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I check and delete the first 8 lines.
I also go in via regedit to the places mentioned and delete everything saying "topotun.."
..but nomatter how many times I do that - it always apperar when I open my browser. It seems that I'm only deleting the effects of this "hijacker", not the hijacker itself

can somebody please help me, I'd rather not format the harddrive all over again ?!?

Thanks in advance
//Fisch
 
Joined
Jun 19, 2004
Messages
141
First off I am only and intermediate computer user so i may miss a few things in your H/T log... So a more informed person may help you more at a latter time but i will help you with what i know for now.

Run Hijack This and check these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


Then delete all your cookies and your temporary internet files.
Control Panel<Internet Options<Delete Cookies and Delete Files
MAKE SURE YOU CHECK THE BOX WHEN IT ASKS YOU TO DELETE ALL OFFLINE CONTENT!

Then go to
C:\Documents and Settings\Fisch\Local Settings\Temp

Go to edit<select all then delete the files.

Empty your recycle bin and reboot.


Once you have rebooted download Spybot 1.3here
MAKE SURE YOU CHECK FOR UPDATES!

Scan your computer. Reboot.

Download CWShredder from here

Make sure when you scan you pick FIX not scan only

Scan your computer with ad-aware, make sure you have the latest refrence files and Build 181. When you go to scan click on customize my options. Click on scan within archives and your main HD, usually C:.

Finally Reboot and post another Hijack this log.
 
Joined
Jun 19, 2004
Messages
141
Ok let me know if that fixed ur problem and post another Hijack This log please...
 
Joined
Jun 19, 2004
Messages
141
Also is that your full Hijack This log? I dont see any running proccesses...
 

Fisch

Thread Starter
Joined
Jun 24, 2004
Messages
5
Hi again.

Now I have done what you suggested, and from what I see - things look the same.

Here is my new log after using the mentioned programs:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Documents and Settings\Fisch\My Documents\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: winlgn.exe
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...le.com/saba/se/win/QuickTimeFullInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Another thing that is anoying with my computer these days (i dont know if it has anything to do with the hijacking) is that when I shutdown or reboot my computer it says that the program "win min" is not responding. Then I have to press the "end now" button. This "not responing"-window shows up 3 times before the computer shuts down. I have searched my computer and havent found any file, program or process that even come close to that name

Looking forward for further help
Thanks in advance
//Fisch

P.s (i use Windows XP and IE 6, if that can help further)
 
Joined
Jun 19, 2004
Messages
141
Ok here is what i found... I overlooked this the other day because the company that designed it named it so closely to winlogon a legitimate program. Ok to start.

Hit Ctrl + alt +del click the process tab and find winlgn.exe and end the process.
MAKE SURE IT IS WINLGN.EXE AND NOT WINLOGON.EXE! AS WINLOGON IS WHAT CONTROLS HOW YOU LOG ONTO YOUR COMPUTER!

Ok after that open my computer, go to tools > folder options click on the view tab,
check the box next to show hidden files and folders, and make sure that both the
Hide extensions for known file types and Hide Protected Operating system files are
unchecked

Ok now find winlgn.exe, from your HJT log it seems to be in your
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
folder.

Delete it, Open up HJT and delete the following, make sure all browser windows are closed before you click check fixed...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Fisch\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - Global Startup: winlgn.exe

Once again clear out your temporary internet files, reboot and post another HJT log.

Tell me if that fixed your problem.
 
Joined
Jun 19, 2004
Messages
141
Ok ive also remembered that you can dowload either of these programs, they both are by the same author and are a anti-virus program for spyware so to speak.

Anyway here they are, take your pic of the two.

Spyware blaster

Spyware Guard

Those should help you to prevent from getting spyware in the future, just remember to update and run ad-aware and Spybot about once a week to keep your pc running smooth...

NOTE: free versions of the above mentioned software may have to be manually updated from time to time...
 

Fisch

Thread Starter
Joined
Jun 24, 2004
Messages
5
Hey man, now it works like it should !!

Thanks a million!!

Here is my new log, and everything seems to be fine:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Fisch\My Documents\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...le.com/saba/se/win/QuickTimeFullInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Again, thank you so very very much!!

Best regards
/Wilhem "Fisch" Fischerström
 

Fisch

Thread Starter
Joined
Jun 24, 2004
Messages
5
Hello again,

Can you help me with a similar problem.
My dads computer has got a hijacked webbrowser.

Here is his hijack log:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM\VANLIGA FILER\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\APVXDWIN.EXE
C:\SAGA\SUPER POPUP BLOCKER\POPKILL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM\LAVASOFT AD-AWARE\AD-WATCH.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM\PALM\HOTSYNC.EXE
C:\PROGRAM\NATIONALENCYKLOPEDIN\NE_SOKVERKTYG_20\NEHOTKEY.EXE
C:\PROGRAM\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\PAVPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM\PANDA SOFTWARE\PANDA ANTIVIRUS TITANIUM\AVLTMAIN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SKRIVBORD\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\PROGRAM\PANDAS~1\PANDAA~1\hpfsched.bat;C:\PROGRAM\PANDAS~1\PANDAA~1\hpfsched.exe;C:\PROGRAM\PANDAS~1\PANDAA~1\hpfsched.com;C:\PROGRAM\PANDAS~1\PANDAA~1\hpfsched.scr;C:\PROGRAM\PANDAS~1\PANDAA~1\hpfsched.vbs;C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.
O2 - BHO: HTML Source Editor - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINDOWS\SYSTEM\POPKILL.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {228EE981-C85B-11D8-B742-008069538DAF} - C:\WINDOWS\SYSTEM\DPJIKB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Privata Affarer - {4E7BD74F-2B8D-469E-C0FF-FD6DA4D5FA7D} - C:\WINDOWS\DOWNLO~1\PABAR.DLL
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\PROGRAM\NATIONALENCYKLOPEDIN\NE_SOKVERKTYG_20\NETOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Vanliga filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Lavasoft Adwatch] C:\PROGRAM\LAVASOFT AD-AWARE\AD-WATCH.EXE /min
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDHTML_1023.dll,InstantAccess
O4 - Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program\Palm\hotsync.exe
O4 - Startup: NE sökverktyg 2.0.lnk = C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeHotKey.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Sök i NE - res://C:\PROGRAM\NATIONALENCYKLOPEDIN\NE_SOKVERKTYG_20\NETOOLBAR.DLL/NeSearch.html
O8 - Extra context menu item: Översätt i NE - res://C:\PROGRAM\NATIONALENCYKLOPEDIN\NE_SOKVERKTYG_20\NETOOLBAR.DLL/NeTranslate.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/07120934e9e489225220/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37864.1705555556
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.1/del/loader.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1012_EN.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {11111111-1111-1111-1111-111111111113} - mhtml:file://C:NO_SUCH_MHT.MHT!http://38.113.193.2/420/whocares.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://webkc.support.telia.se/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - http://webkc.support.telia.se/sdccommon/download/tgctlsr.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD6DA4D5FA7D} (Privata Affarer) - http://www.privataaffarer.se/toolbar/pabar.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = telia.com



He is using Windows 98 and IE6

It seems to be the same problem I had, but I cant find my way around the 98 system.

Best regards
//Wilhelm
 
Joined
Jun 19, 2004
Messages
141
Oh damn its the about:blank hijack... that is a real SOB well I think i can help you out. Ill review the log now but just tell him to stop downloading so much stuff :)
 
Joined
Jun 19, 2004
Messages
141
OK first lets run HJT and delete the following, as usuall close all windows before clicking check fixed...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DPJIKB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {228EE981-C85B-11D8-B742-008069538DAF} - C:\WINDOWS\SYSTEM\DPJIKB.DLL


O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.1/del/loader.cab

O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab

O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari...UTH_1012_EN.cab

O16 - DPF: {11111111-1111-1111-1111-111111111113} - mhtml:file://C:NO_SUCH_MHT.MHT!http://38.113.193.2/420/whocares.exe

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN.cab

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab


Delete all those reboot and tell me if it did anything, along with a new HJT log.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top