1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Homepage Hijacked: mypoiskovik.com/index.htm

Discussion in 'Virus & Other Malware Removal' started by kylejatl, Sep 11, 2004.

Thread Status:
Not open for further replies.
  1. kylejatl

    kylejatl Thread Starter

    Joined:
    May 15, 2004
    Messages:
    57
    I'm hoping someone can help me with this - I've attached my HJT log, and this 'bug' has also populated my FAVORITES list with unwanted websites.

    I appreciate your assistance - thank you!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Free Surfer\fs.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\AIM95\aim.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Picasa\PicasaMediaDetector.exe
    C:\Documents and Settings\Owner\My Documents\Hijack This\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: winlgn.exe
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://snciis3.shopnchek.com/tsweb/msrdp.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Move HijackThis to it's own permanent folder such as c:\HJT\HijackThis.exe <-----Very important; needed to keep/maintain backups in
    Click My Computer, then C:\
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

    Print these instructions as you need to have IE closed from all of the fixes listed below.

    Please check your settings so that you are able to Show Hidden Files and Folders

    With ONLY HijackThis running
    Place a check next to these entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - Global Startup: winlgn.exe

    THEN WITH ALL OTHER WINDOWS CLOSED ,press "Fix".

    Reboot to safe mode (instructions)

    Find and delete the following files/folders:-
    C:\WINDOWS\svchost.exe <-----NOTE the location; this is NOT the valid svchost in system32 folder[/color]
    You will have to search for the following files with Start>Search>Files and Folders:
    winlgn.exe
    Make sure you delete all instances of the files you find.

    Go to Start>Run>type %temp% (include %)>Enter>Your temp folder will open>select and remove everything you are able to delete. (there is always a couple of files that will NOT delete)

    Check for the new version (1.98.2)of HijkackThis by using Config>Misc Tools>"check for online update" button. If the server is busy or just down you can download it from zerosrealm.

    Then Reboot and post a fresh log back to this thread.
    PS make sure you post the entire HJT log...you cut the top 'header' info off on this one..also make sure you have version 1.98.2
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Homepage Hijacked mypoiskovik
  1. ated19
    Replies:
    4
    Views:
    751
  2. genubi
    Replies:
    0
    Views:
    300
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272780

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice