
Home page stuck on http://213.159.117.134/index.php

Discussion in 'Virus & Other Malware Removal' started by DeathfireD, Oct 17, 2004.

Thread Status:
Not open for further replies.
  1. DeathfireD

    DeathfireD Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    15
    Hi, I've seen a post like this before on this forum here http://forums.techguy.org/showthread.php?t=252173

    But I can't seem to get it to go away like the other guy did.

    Let me give you a little background as to how I got this. I was on a site and a Java-type app popped up and started downloading files; I didn't catch it in time. Next thing I know I have 5 viruses and 294 ad programs and 12 reg entries. The first thing I did was run Norton 2003; it took care of the viruses. Next I used Ad aware 6.0 plus, build 162 and also used Spybot - Search & Destroy and HijackThis. After all that mess the programs took away almost all the stuff. So next I went into safe mode and did it all again.

    After that I shut down and started up again. I went on my web browser and it points to http://213.159.117.134/index.php. So I try and change it in the IE tools. But it won't let me. Next I tried looking at the reg entries and it put http://213.159.117.134/index.php in again as my home page and stuff. I tried everything to fix this and I still get popups when I go on the web. So I guess I still have ad problems?

    Well, here's some info that will help you help me.

    My OS: Win 98SE

    Logfile of HijackThis v1.98.2
    Scan saved at 4:54:48 PM, on 10/17/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\ALISNDMG.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    C:\WINDOWS\SYSTEM\JOMSLBH.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\DAN'S STUFF\AIM\AIM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: jb3insw - {78C328E5-7BD1-A737-B50F-E817CA008EC2} - C:\WINDOWS\SYSTEM\JB3INSW.DLL
    O2 - BHO: (no name) - {6AAF1209-ED15-79E4-8753-60550DF27F4C} - C:\WINDOWS\SYSTEM\IDKEZYA.DLL
    O2 - BHO: (no name) - {988013BE-7AB7-48f4-992E-44C309D65A48} - C:\WINDOWS\SYSTEM\nlsman.dll
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Ad-aware] C:\DAN'S STUFF\AD-AWARE\AD-AWARE 6\AD-AWARE.EXE +c
    O4 - HKLM\..\Run: [Ad-watch] C:\DAN'S STUFF\AD-AWARE\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKLM\..\Run: [yrwwffzr] C:\WINDOWS\SYSTEM\jomslbh.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [AIM] C:\DAN'S STUFF\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\DAN'S STUFF\AIM\AIM.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.my-internet.info
    O16 - DPF: {C6AB80BC-7E87-11D4-8BBB-0001025F438B} (MP3.com DirectToDevice Control) - http://filedownloads.mp3.com/filedownloads/transfer2device/win/TransferToDevice.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://63.102.226.240:8000/Java/cfs31229.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...f92e68cfba8c:eb8a1fb09d00c5943edceabcca450006



    As you can see it's a mess :(. Thanks for your help in advance. I've been up all night trying to fix this :(.
     

  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  4. DeathfireD

    DeathfireD Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    15
    Ya, hmmm, that didn't work. I also tried that in safe mode. It goes through and finds no traces of it. Any other ideas?
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi DeathfireD

    Welcome to TSG! :)

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    R3 - Default URLSearchHook is missing

    O2 - BHO: jb3insw - {78C328E5-7BD1-A737-B50F-E817CA008EC2} - C:\WINDOWS\SYSTEM\JB3INSW.DLL

    O2 - BHO: (no name) - {6AAF1209-ED15-79E4-8753-60550DF27F4C} - C:\WINDOWS\SYSTEM\IDKEZYA.DLL

    O2 - BHO: (no name) - {988013BE-7AB7-48f4-992E-44C309D65A48} - C:\WINDOWS\SYSTEM\nlsman.dll

    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL

    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL

    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe

    O4 - HKLM\..\Run: [yrwwffzr] C:\WINDOWS\SYSTEM\jomslbh.exe

    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe

    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)

    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.my-internet.info

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...edceabcca450006


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

    Now find and delete these files:

    C:\WINDOWS\SYSTEM\systime.exe
    C:\WINDOWS\SYSTEM\jomslbh.exe

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin
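
A triage pass over the kind of log posted above, as an added example that is not part of the original thread or of HijackThis itself: it parses result lines and flags four patterns visible among the entries selected for fixing. The heuristics and the names `parse`, `triage` and `SAMPLE_LOG` are assumptions made for illustration; a flag means the entry deserves a manual look, not that it is malicious.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O15 - Trusted Zone: *.windupdates.com
"""

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")          # "O4 - <body>"
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")              # dotted-quad host
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")  # hive, key, name, cmd

def parse(log):
    """Return [(section, body)] for each HijackThis result line."""
    hits = (LINE_RE.match(l) for l in log.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in hits if m]

def triage(log):
    """Return [(section, reason, body)] for entries worth a manual look."""
    entries = parse(log)
    # Map each autorun value name to the set of hives it is registered under.
    hives = {}
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if m:
            hives.setdefault(m.group(3).lower(), set()).add(m.group(1))
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if IPV4_RE.match(host):
                findings.append((sec, "IE page set to a bare IP address", body))
        elif sec in ("O2", "O9") and body.endswith("(file missing)"):
            findings.append((sec, "registered component, file missing", body))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m and len(hives[m.group(3).lower()]) > 1:
                findings.append((sec, "autorun present in both HKLM and HKCU", body))
        elif sec == "O15":
            findings.append((sec, "site added to Trusted Zone", body))
    return findings
```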
     
  6. DeathfireD

    DeathfireD Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    15
    OMG thanks a lot. You worked wonders for me. It's gone....I'm never going to another pron site again hahaha.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Wait a minute. I just noticed this:
    That is a very old version of Adaware. Adaware has been updated many times since that version. Did you not ever get any emails to get your upgrades? Since you have the Plus (paid version) we will have to see what we can do about getting you your upgrade. That old version is basically useless.
     
  9. DeathfireD

    DeathfireD Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    15
    Ya, I tried hitting Update and stuff, but it always tells me "there are no updates available" or something like that. But then right after it tells me go download Adaware version bla bla and I can never find it. Also, if I do find it, won't I have to pay again?
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    No you will not have to pay for it, but we need to get someone from Lavasoft to get you your info and a link so you can get the upgrade. You cannot get it from any public link. It will be a private link and you will be given a username and password.

    I have already PMed one of the administrators from Lavasoft and requested that he contact me to help get you the upgrade. I'll let you know when I hear back from him.
     
  11. DeathfireD

    DeathfireD Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    15
    thanks!!
     

Short URL to this thread: https://techguy.org/285837