
Hijacked

Discussion in 'Virus & Other Malware Removal' started by mizzzfrizzz, Sep 12, 2004.

Thread Status:
Not open for further replies.
  1. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
    Ok gang. Home page has been hijacked.

    Ad-AwareSE.
    Spywareblaster.
    Spybot S&D.
    PestPatrol.
    PCPowerScan.
    McAfee AV and Firewall.
    CWShredder.
    Panda.
    Ravantivirus.
    Housecall.

    I don't know why Symantec comes up. I've run manual updates on everything to make sure that I am running current - at least I hope I am.

    Windows Millennium.
    Compaq Presario 5WV254
    700MHz AMD Duron Processor.
    64MB Memory.
    20.0GB Hard Drive.
    56K Modem.

    If I haven't provided enough information, I can add more from Everest Home Edition.

    I can't download from Windows Update for the IE 6 upgrade. That's the only available critical update that comes up. I only have IE 5. After downloading the critical update, upon restart, I get a message that the shortcut to Resume Windows Update.lnk is unavailable.

    When I log into my hotmail home page, a few minutes later, I get the box that says I will be directed to somewhere else. If I choose yes or no, I am immediately transferred. If I click on the close X, the transfer doesn't happen. However, I would like to be rid of that thing and after running everything I can whichever way, it seems to keep coming back.

    I saw in CWShredder where I could install a patch or get rid of the Java thang (for lack of remembering exactly what it said). I haven't tried that yet.

    I am between a newbie and intermediate user depending on what I'm doing. Here is my HijackThis report run from safe mode with all hidden files unhidden. I believe I got it right. If I haven't, just send me in the direction I must go. Thanks in advance for your consideration.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:16:45 PM, on 9/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
    O12 - Plugin for .htm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O12 - Plugin for .pct: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx
     
  2. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
    I guess I must have been overlooked. What I am concerned about besides this hijack is, I would like to check on my bank accounts and I would like to donate to this site, but I don't know what the hijack is doing. Can I check internet accounts and donate to this site if I've been hijacked? Won't passwords, etc. be compromised? I also went to internet options and changed the Active X selections to prompt, prompt, and disable. I tried to enter Techguy in the trusted zone, but I can't because the addy is http instead of https. I'm stuck.
     
  3. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I don't see any sign of any hijack in your log.

    Please tell us exactly what is happening that makes you think you are hijacked.

    Also please scan again with Hijack This in normal mode not safe mode and show us that log.
     
  5. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
    Thank you so much for responding flrman1. When I open IE, a box comes up that says I am being directed to a new site, which is why I thought I was hijacked. I also can't download the Windows Update for IE. I will shut down and start all over to get the exact wording in that box. Whenever it comes up, I don't answer yes or no, I just close it and I don't get redirected. Will run HJT in normal.
     
  6. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
    Odd. That box didn't come up this time. CWShredder is also missing from my desktop now. Here's the HJT log.

    Logfile of HijackThis v1.98.2
    Scan saved at 7:38:50 AM, on 9/13/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\INTRIGUE LEARNING\PCBODYGUARD.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [PCBG] C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
    O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
    O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
    O12 - Plugin for .htm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O12 - Plugin for .pct: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/activex/HMAtchmt.ocx

    Again, thank you so much for your assistance.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I still see nothing in your log.

    What site are you redirected to?
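
Added example, not part of the original thread: one way to compare the safe-mode and normal-mode HijackThis logs posted above is to parse both and diff the entries section by section. The function names are assumptions of this sketch, and the embedded logs are abridged excerpts of the two logs in this thread.

```python
import re
from urllib.parse import urlparse

# Abridged excerpts of the two HijackThis logs posted in this thread
# (safe mode, 9/11/2004, and normal mode, 9/13/2004); most lines omitted.
SAFE_MODE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
"""

NORMAL_MODE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTRIGUE LEARNING\PCBODYGUARD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [PCBG] C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
"""

# An entry is a section code (R0, R1, O2, O4, ...), " - ", then the payload.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return (processes, entries): a set of upper-cased process paths and a
    dict mapping each section code to the set of payloads seen under it."""
    processes, entries = set(), {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first entry line ends the process list
            entries.setdefault(m.group(1), set()).add(m.group(2))
        elif in_procs and line:
            processes.add(line.upper())
    return processes, entries

def diff_entries(old_text, new_text):
    """Entries added/removed per section, compared case-insensitively."""
    _, old = parse_hjt(old_text)
    _, new = parse_hjt(new_text)
    changes = {}
    for section in sorted(set(old) | set(new)):
        o = {e.casefold(): e for e in old.get(section, ())}
        n = {e.casefold(): e for e in new.get(section, ())}
        added = sorted(n[k] for k in n.keys() - o.keys())
        removed = sorted(o[k] for k in o.keys() - n.keys())
        if added or removed:
            changes[section] = {"added": added, "removed": removed}
    return changes

def new_processes(old_text, new_text):
    """Processes present only in the newer log. Safe mode loads far fewer
    programs, so a longer normal-mode list is expected by itself."""
    old, _ = parse_hjt(old_text)
    new, _ = parse_hjt(new_text)
    return sorted(new - old)

def browser_setting_hosts(text):
    """Hosts referenced by R0/R1 entries (IE start and search page values)."""
    _, entries = parse_hjt(text)
    hosts = set()
    for section in ("R0", "R1"):
        for payload in entries.get(section, ()):
            value = payload.partition(" = ")[2].strip()
            host = urlparse(value).hostname  # None for non-URL values
            if host:
                hosts.add(host)
    return sorted(hosts)

if __name__ == "__main__":
    for section, change in diff_entries(SAFE_MODE_LOG, NORMAL_MODE_LOG).items():
        for entry in change["added"]:
            print(f"+ {section} - {entry}")
        for entry in change["removed"]:
            print(f"- {section} - {entry}")
    print("new processes:", new_processes(SAFE_MODE_LOG, NORMAL_MODE_LOG))
    print("R0/R1 hosts:", browser_setting_hosts(NORMAL_MODE_LOG))
```
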
     
  8. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
    Well, the first time that box came up, it said I was going to be redirected but did not say where. It asked if I wanted to continue...'yes' box plus 'no' box. I clicked on 'no' and the box closed and another box popped up that had 'about blank' at the top. There was no other information in that box, but I quickly hit the close 'x', closed IE, disconnected, and shut down. I didn't want to get hijacked. I'd read about this 'about blank' in here. So, I ran all my spyware and antivirus programs. Did online scans. I cleared my temporary internet files. I emptied all the junk in my recycle bin. Restarted. But, upon opening IE again, that redirecting box came back. I decided not to select 'yes' or 'no' and just hit the close 'x' instead. The box went away and 'about blank' didn't show up. So, I repeated running av's, spyware, online programs, etc., thinking that I could get rid of that redirecting box. It came back next time I restarted. So, I stopped logging into IE with my name and password. No redirecting box comes up if I don't enter my name and password. I just opened IE to come here and read more to learn more for a few days. Then, I found PestPatrol, which is supposed to prevent password theft and I went ahead and logged into IE and that dang redirecting box came back. I clicked on the close 'x', did not get redirected and that is when I posted, thinking I had been hijacked or attempts were being made to hijack my home page. After your response today, I logged into IE normally, and no redirecting box came up. I waited for awhile to see if it would. I don't know why this redirecting box keeps coming up. The more I read, the more I learn, but I don't understand what is happening because of this redirecting box. And, I wonder what happened to CWShredder? I've never emptied my Temp files or Offline files. I read about it in here, but I don't know what those are. Well, that's why I thought I was being hijacked. What is that redirecting box? Is that just an attempt to hijack and when I hit the close 'x', does that stop the redirection? I hope this makes some kind of sense. I obviously don't know what I am doing.
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click here to download StartDreck.

    UnZip the startdreck.zip file first. DoubleClick: 'StartDreck.exe'
    First click on the config button.
    Now click the Unmark all button
    Put a check by these boxes only:
    *Registry->run keys
    *Registry->Browser helper objects
    *System/drivers> Running processes
    hit >ok.

    Now click the Save button to save that log.

    Copy and Paste the contents of that log back here and await further instructions.
     
  10. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
    Thank you flrman1. Here is the 'StartDreck.exe' log.

    StartDreck (build 2.1.7 public stable) - 2004-09-13 @ 09:40:48 (GMT -07:00)
    Platform: Windows ME (Win 4.90.3000 )
    Internet Explorer: 5.50.4134.0100
    Logged in as mizzmo at COMPUTER

    »Registry
    »Run Keys
    »Current User
    »Run
    *msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    »RunOnce
    *QRIA=
    »Default User
    »Run
    *msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    »RunOnce
    *QRIA=
    »Local Machine
    »Run
    *CountrySelection=pctptt.exe
    *PTSNOOP=ptsnoop.exe
    *CpqBootPerfDb=C:\Cpqs\Scom\CpqBootPerfDb.exe
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *SystemTray=SysTray.Exe
    *Hidserv=Hidserv.exe run
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *OEMCleanup=C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *MCUpdateExe=C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
    *MCAgentExe=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    *VSOCheckTask="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    *VirusScan Online=C:\PROGRA~1\MCAFEE.COM\VSO\MCVSSHLD.EXE
    *LoadQM=loadqm.exe
    *MotiveMonitor=C:\Program Files\Motive\motmon.exe
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *LexStart=Lexstart.exe
    *PCTVOICE=pctvoice.exe
    *CPQInet=c:\compaq\CPQInet\CpqInet.exe
    *MPFExe=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    *PPMemCheck=C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    *PestPatrol Control Center=C:\PROGRA~1\PESTPA~1\PPControl.exe
    *CookiePatrol=C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    *PCBG=C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    **StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
    *SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *McVsRte=C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRTE.EXE /embedding
    »RunServicesOnce
    »RunOnceEx
    »RunServicesOnceEx
    »Browser Helper Objects (LM)
    *{53707962-6F74-2D53-2644-206D7942484F}
    `InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    »Files
    »System/Drivers
    »Running Processes
    +FFEFAD11=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    +FFFFEBF1=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    +FFFE0A31=C:\WINDOWS\SYSTEM\mmtask.tsk
    +FFFE0075=C:\WINDOWS\SYSTEM\MPREXE.EXE
    +FFFEB0DD=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    +FFFE813D=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    +FFFE93D9=C:\WINDOWS\EXPLORER.EXE
    +FFFD7849=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    +FFFDDBB9=C:\WINDOWS\ptsnoop.exe
    +FFFC68A5=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    +FFFC5B05=C:\WINDOWS\SYSTEM\HIDSERV.EXE
    +FFFCEB45=C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    +FFFCC179=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    +FFFB39D9=C:\WINDOWS\SYSTEM\MSTASK.EXE
    +FFFB0E55=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    +FFFC94D1=C:\WINDOWS\LOADQM.EXE
    +FFFC88C5=C:\WINDOWS\TASKMON.EXE
    +FFFCC031=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    +FFFB6559=C:\WINDOWS\PCTVOICE.EXE
    +FFFB71ED=C:\WINDOWS\SYSTEM\LEXBCES.EXE
    +FFFB42F5=C:\COMPAQ\CPQINET\CPQINET.EXE
    +FFFBB879=C:\WINDOWS\SYSTEM\RPCSS.EXE
    +FFFB96F1=C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
    +FFFBF189=C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    +FFFA2B8D=C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    +FFFA6A3D=C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    +FFFA7B75=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    +FFFBECB9=C:\PROGRAM FILES\INTRIGUE LEARNING\PCBODYGUARD.EXE
    +FFFAE689=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    +FFF947E1=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    +FFF72A79=C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
    +FFF75DB9=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
    +FFF77131=C:\WINDOWS\SYSTEM\RNAAPP.EXE
    +FFF79E25=C:\WINDOWS\SYSTEM\TAPISRV.EXE
    +FFFDEA4D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    +FFF40F0D=C:\WINDOWS\SYSTEM\DDHELP.EXE
    +FFF2B291=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    +FFF4F091=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
    »Application specific
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I don't see anything there either.

    Can you post a screenshot of this box that pops up?
     
  12. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
    I think I can. I will restart IE to see if it comes up again.
     
  13. mizzzfrizzz

    mizzzfrizzz Thread Starter

    Joined:
    Mar 27, 2004
    Messages:
    80
    Ok... I logged off IE. I logged back on. Before I could type my password to sign in, the box came back up. I tried to copy it by right clicking to select copy. What came up was 'Move' or 'Close'. I left-clicked in a blank area of the screen to get rid of that.

    This is what the box looked like: Blue bar at the top with 'Internet Redirection' at the left and a close 'x' at the right. The rest of the box was gray (I have no display - just Standard - display colors may not be correct). In the upper left was a padlock partially covered with a white circle containing a blue 'i'. The body of the gray area contained this wording: You are about to be directed to a new internet site. Any information you exchanged with the current site could be transmitted to the new internet site you are about to connect with. Do you wish to continue? Below that wording were the YES or NO buttons. At the bottom of the gray area there is a white check box. Wording next to the white check box: In future do not show this warning.

    I clicked on the close 'x' to get rid of the box. I was not redirected and I did not sign in to IE with my name and password. I came directly here. Is there another method to capture the box to paste here?
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Open HJT. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)" and "Calculate MD5 of files if possible". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here in a reply.
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    amkhan

    This is mizzzfrizzz's thread. I split the post that you made earlier in this thread out and gave you your own thread here:

    http://forums.techguy.org/t273552.html

    The startuplist request was not for you, it was for mizzzfrizzz. I have given you directions to follow in the other thread that I gave you. Please follow those directions in that thread and make all posts regarding your problem in that thread, not this one. Leave this one to mizzzfrizzz. It is entirely too confusing to try and help two people in the same thread.
     

Short URL to this thread: https://techguy.org/273015