Hijacked

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mizzzfrizzz

Thread Starter
Joined
Mar 27, 2004
Messages
83
Ok gang. Home page has been hijacked.

Ad-AwareSE.
Spywareblaster.
Spybot S&D.
PestPatrol.
PCPowerScan.
McAfee AV and Firewall.
CWShredder.
Panda.
Ravantivirus.
Housecall.

I don't know why symantec comes up. I've run manual updates on everything to make sure that I am running current - at least I hope I am.

Windows Millennium.
Compaq Presario 5WV254
700MHz AMD Duron Processor.
64MB Memory.
20.0GB Hard Drive.
56K Modem.

If I haven't provided enough information, I can add more from Everest Home Edition.

I can't download from Windows Update for the IE 6 upgrade. That's the only available critical update that comes up. I only have IE 5. After downloading the critical update, upon restart, I get a message that the shortcut to Resume Windows Update.lnk is unavailable.

When I log into my hotmail home page, a few minutes later, I get the box that says I will be directed to somewhere else. If I choose yes or no, I am immediately transferred. If I click on the close X, the transfer doesn't happen. However, I would like to be rid of that thing and after running everything I can whichever way, it seems to keep coming back.

I saw in CWShredder where I could install a patch or get rid of the Java thang (for lack of remembering exactly what it said). I haven't tried that yet.

I am between a newbie and intermediate user depending on what I'm doing. Here is my HijackThis report run from safe mode with all hidden files unhidden. I believe I got it right. If I haven't, just send me in the direction I must go. Thanks in advance for your consideration.

Logfile of HijackThis v1.98.2
Scan saved at 9:16:45 PM, on 9/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O12 - Plugin for .htm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .pct: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
 

mizzzfrizzz

Thread Starter
Joined
Mar 27, 2004
Messages
83
I guess I must have been overlooked. What I am concerned about besides this hijack is, I would like to check on my bank accounts and I would like to donate to this site, but I don't know what the hijack is doing. Can I check internet accounts and donate to this site if I've been hijacked? Won't passwords, etc. be compromised? I also went to internet options and changed the Active X selections to prompt, prompt, and disable. I tried to enter Techguy in the trusted zone, but I can't because the addy is http instead of https. I'm stuck.
 
Joined
Jul 26, 2002
Messages
46,349
I don't see any sign of any hijack in your log.

Please tell us exactly what is happening that makes you think you are hijacked.

Also please scan again with Hijack This in normal mode not safe mode and show us that log.
 

mizzzfrizzz

Thread Starter
Joined
Mar 27, 2004
Messages
83
Thank you so much for responding flrman1. When I open IE, a box comes up that says I am being directed to a new site, which is why I thought I was hijacked. I also can't download the Windows Update for IE. I will shut down and start all over to get the exact wording in that box. Whenever it comes up, I don't answer yes or no, I just close it and I don't get redirected. Will run HJT in normal.
 

mizzzfrizzz

Thread Starter
Joined
Mar 27, 2004
Messages
83
Odd. That box didn't come up this time. CWShredder is also missing from my desktop now. Here's the HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 7:38:50 AM, on 9/13/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\INTRIGUE LEARNING\PCBODYGUARD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PCBG] C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O12 - Plugin for .htm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .pct: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx

Again, thank you so much for your assistance.
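The two HijackThis logs above were taken in safe mode and then in normal mode, and comparing their O4 (autorun) entries shows which startup items differ between the scans. The following is an added example, not part of the original thread: a small Python parser for the log line format shown above, run on short excerpts copied from the two logs. The function names are hypothetical.

```python
import re

# "<section code> - <entry>", e.g. "O4 - HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# O4 registry autorun: "<hive>\..\<key>: [<value name>] <command>"
O4_REG_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")
# O4 startup-folder shortcut: "Startup: <link name> = <target>"
O4_LNK_RE = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")

# Excerpt of the safe-mode log (9/11/2004), copied from the thread.
SAFE_MODE_LOG = r'''
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
'''

# Excerpt of the normal-mode log (9/13/2004), copied from the thread.
NORMAL_MODE_LOG = r'''
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [PCBG] C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
'''


def parse_log(text):
    """Group entry lines by section code; header and process lines are skipped."""
    sections = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def autoruns(text):
    """Map (location, name) -> command for every O4 entry in a log."""
    found = {}
    for body in parse_log(text).get("O4", []):
        m = O4_REG_RE.match(body) or O4_LNK_RE.match(body)
        if m:
            found[(m.group(1), m.group(2))] = m.group(3)
    return found


def diff_autoruns(before, after):
    """Return (added, removed, changed) autorun keys between two logs."""
    old, new = autoruns(before), autoruns(after)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    # Windows paths are case-insensitive, so compare commands case-folded.
    changed = sorted(k for k in set(old) & set(new)
                     if old[k].lower() != new[k].lower())
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_autoruns(SAFE_MODE_LOG, NORMAL_MODE_LOG)
    for label, keys in (("added", added), ("removed", removed), ("changed", changed)):
        for location, name in keys:
            print(f"{label:8} {location}: [{name}]")
```
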
 

mizzzfrizzz

Thread Starter
Joined
Mar 27, 2004
Messages
83
Well, the first time that box came up, it said I was going to be redirected but did not say where. It asked if I wanted to continue...'yes' box plus 'no' box. I clicked on 'no' and the box closed and another box popped up that had 'about blank' at the top. There was no other information in that box, but I quickly hit the close 'x', closed IE, disconnected, and shut down. I didn't want to get hijacked. I'd read about this 'about blank' in here. So, I ran all my spyware and antivirus programs. Did online scans. I cleared my temporary internet files. I emptied all the junk in my recycle bin. Restarted. But, upon opening IE again, that redirecting box came back. I decided not to select 'yes' or 'no' and just hit the close 'x' instead. The box went away and 'about blank' didn't show up. So, I repeated running av's, spyware, online programs, etc., thinking that I could get rid of that redirecting box. It came back next time I restarted. So, I stopped logging into IE with my name and password. No redirecting box comes up if I don't enter my name and password. I just opened IE to come here and read more to learn more for a few days. Then, I found PestPatrol, which is supposed to prevent password theft and I went ahead and logged into IE and that dang redirecting box came back. I clicked on the close 'x', did not get redirected and that is when I posted, thinking I had been hijacked or attempts were being made to hijack my home page. After your response today, I logged into IE normally, and no redirecting box came up. I waited for awhile to see if it would. I don't know why this redirecting box keeps coming up. The more I read, the more I learn, but I don't understand what is happening because of this redirecting box. And, I wonder what happened to CWShredder? I've never emptied my Temp files or Offline files. I read about it in here, but I don't know what those are. Well, that's why I thought I was being hijacked. What is that redirecting box? 
Is that just an attempt to hijack and when I hit the close 'x', does that stop the redirection? I hope this makes some kind of sense. I obviously don't know what I am doing.
 
Joined
Jul 26, 2002
Messages
46,349
Click here to download StartDreck.

UnZip the startdreck.zip file first. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Put a check by these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Now click the Save button to save that log.

Copy and Paste the contents of that log back here and await further instructions.
 

mizzzfrizzz

Thread Starter
Joined
Mar 27, 2004
Messages
83
Thank you flrman1. Here is the 'StartDreck.exe' log.

StartDreck (build 2.1.7 public stable) - 2004-09-13 @ 09:40:48 (GMT -07:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as mizzmo at COMPUTER

»Registry
»Run Keys
»Current User
»Run
*msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
»RunOnce
*QRIA=
»Default User
»Run
*msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
»RunOnce
*QRIA=
»Local Machine
»Run
*CountrySelection=pctptt.exe
*PTSNOOP=ptsnoop.exe
*CpqBootPerfDb=C:\Cpqs\Scom\CpqBootPerfDb.exe
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*SystemTray=SysTray.Exe
*Hidserv=Hidserv.exe run
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*OEMCleanup=C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*MCUpdateExe=C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
*MCAgentExe=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
*VSOCheckTask="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
*VirusScan Online=C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
*LoadQM=loadqm.exe
*MotiveMonitor=C:\Program Files\Motive\motmon.exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*LexStart=Lexstart.exe
*PCTVOICE=pctvoice.exe
*CPQInet=c:\compaq\CPQInet\CpqInet.exe
*MPFExe=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
*PPMemCheck=C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
*PestPatrol Control Center=C:\PROGRA~1\PESTPA~1\PPControl.exe
*CookiePatrol=C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
*PCBG=C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
*McVsRte=C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
»Files
»System/Drivers
»Running Processes
+FFEFAD11=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFEBF1=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE0A31=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE0075=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEB0DD=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFE813D=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
+FFFE93D9=C:\WINDOWS\EXPLORER.EXE
+FFFD7849=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFDDBB9=C:\WINDOWS\ptsnoop.exe
+FFFC68A5=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC5B05=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFCEB45=C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
+FFFCC179=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFB39D9=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFB0E55=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
+FFFC94D1=C:\WINDOWS\LOADQM.EXE
+FFFC88C5=C:\WINDOWS\TASKMON.EXE
+FFFCC031=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
+FFFB6559=C:\WINDOWS\PCTVOICE.EXE
+FFFB71ED=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFB42F5=C:\COMPAQ\CPQINET\CPQINET.EXE
+FFFBB879=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFB96F1=C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
+FFFBF189=C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
+FFFA2B8D=C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
+FFFA6A3D=C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
+FFFA7B75=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
+FFFBECB9=C:\PROGRAM FILES\INTRIGUE LEARNING\PCBODYGUARD.EXE
+FFFAE689=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFF947E1=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
+FFF72A79=C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
+FFF75DB9=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
+FFF77131=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF79E25=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFDEA4D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF40F0D=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF2B291=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF4F091=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific
 
Joined
Jul 26, 2002
Messages
46,349
I don't see anything there either.

Can you post a screenshot of this box that pops up?
 

mizzzfrizzz

Thread Starter
Joined
Mar 27, 2004
Messages
83
Ok... I logged off IE. I logged back on. Before I could type my password to sign in, the box came back up. I tried to copy it by right clicking to select copy. What came up was 'Move' or 'Close'. I left-clicked in a blank area of the screen to get rid of that.

This is what the box looked like: Blue bar at the top with 'Internet Redirection' at the left and a close 'x' at the right. The rest of the box was gray (I have no display - just Standard - display colors may not be correct). In the upper left was a padlock partially covered with a white circle containing a blue 'i'. The body of the gray area contained this wording: You are about to be directed to a new internet site. Any information you exchanged with the current site could be transmitted to the new internet site you are about to connect with. Do you wish to continue? Below that wording were the YES or NO buttons. At the bottom of the gray area there is a white check box. Wording next to the white check box: In future do not show this warning.

I clicked on the close 'x' to get rid of the box. I was not redirected and I did not sign in to IE with my name and password. I came directly here. Is there another method to capture the box to paste here?
 
Joined
Jul 26, 2002
Messages
46,349
Open HJT. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)" and "Calculate MD5 of files if possible". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here in a reply.
 
Joined
Jul 26, 2002
Messages
46,349
amkhan

This is mizzzfrizzz's thread. I split the post that you made earlier in this thread out and gave you your own thread here:

http://forums.techguy.org/t273552.html

The startuplist request was not for you, it was for mizzzfrizzz. I have given you directions to follow in the other thread that I gave you. Please follow those directions in that thread and make all posts regarding your problem in that thread, not this one. Leave this one to mizzzfrizzz. It is entirely too confusing to try and help two people in the same thread.
 