My Browser Is Hijacked By:

Discussion in 'Virus & Other Malware Removal' started by KTOP, Jan 28, 2005.

Thread Status:
Not open for further replies.
  1. KTOP

    KTOP Thread Starter

    Joined:
    Jan 27, 2005
    Messages:
    4
    Hello, my browser is hijacked by:
    Logfile of HijackThis v1.99.0
    Scan saved at 02:24:24 p.m., on 27/01/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\RTVSCN95.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\KEYHOOK.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\VPEXRT.EXE
    C:\WINDOWS\SYSTEM\SISTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Class - {A0A686E1-F4D5-4588-FA6E-9B33C7152B24} - C:\WINDOWS\SYSTEM\APPNC.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {7CBDEAA1-6FC2-11D9-8E68-000D50576545} - C:\WINDOWS\SYSTEM\PBDC.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\ARCHIV~1\SPYWAR~1\TOOLS\IESDSG.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\NORTON~1\VPTRAY.EXE
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\SYSTEM\keyhook.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [rtvscn95] C:\ARCHIV~1\NORTON~1\RTVSCN95.EXE
    O4 - HKLM\..\RunServices: [defwatch] C:\ARCHIV~1\NORTON~1\DEFWATCH.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERAV\PAV.EXE
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM\sistray.exe
    O4 - Startup: Image Transfer.lnk = C:\Archivos de programa\Sony Corporation\Image Transfer\SonyTray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.54.64.190/wg_webeye.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
    O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = entelchile
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.72.1.5,200.72.1.11
    O18 - Filter: text/html - {E9C3AE21-706A-11D9-8E68-000D99F08FC3} - C:\WINDOWS\SYSTEM\PBDC.DLL
    O18 - Filter: text/plain - {E9C3AE21-706A-11D9-8E68-000D99F08FC3} - C:\WINDOWS\SYSTEM\PBDC.DLL

    Which of these can I delete?
    Thanks!!!! Ktop. (y)
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Dump Spyware Begone – it is junk
    You have 2 AVs running – one needs to be stopped

    CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
    Close all browser windows, Open cwshredder.exe then click "Fix" and let
    it run.

    Download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

    Print this


    Boot to safe mode and fix

    All R0 and R1 entries

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {A0A686E1-F4D5-4588-FA6E-9B33C7152B24} - C:\WINDOWS\SYSTEM\APPNC.DLL (file missing)

    O2 - BHO: (no name) - {7CBDEAA1-6FC2-11D9-8E68-000D50576545} - C:\WINDOWS\SYSTEM\PBDC.DLL

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\ARCHIV~1\SPYWAR~1\TOOLS\IESDSG.DLL (file missing)

    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan

    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)

    O18 - Filter: text/html - {E9C3AE21-706A-11D9-8E68-000D99F08FC3} - C:\WINDOWS\SYSTEM\PBDC.DLL

    O18 - Filter: text/plain - {E9C3AE21-706A-11D9-8E68-000D99F08FC3} - C:\WINDOWS\SYSTEM\PBDC.DLL

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files
    C:\WINDOWS\SYSTEM\PBDC.DLL


    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
     
  3. KTOP

    KTOP Thread Starter

    Joined:
    Jan 27, 2005
    Messages:
    4
    Thank you very much!!! One more question: does the file C:\WINDOWS\SYSTEM\PBDC.DLL
    have to be deleted after the whole procedure is done, or could I start by deleting it? Must I delete all the files containing "C:\WINDOWS\SYSTEM\PBDC.DLL"? (Sorry for my ignorance.)
    Thanks again!!!
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Do it in the sequence specified - you will delete the file at the end, but need to get the 3 entries
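
The ordering question above comes down to which log entries still load a file. The following is an added example, not part of any poster's reply: it parses the CLSID-style HijackThis lines, lists orphaned entries whose file is already gone, and groups the remaining entries by the file they load. The function names `parse` and `removal_plan` are hypothetical; the sample lines are copied from the logs in this thread.

```python
import re
from collections import defaultdict

# Sample input: entries copied from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {A0A686E1-F4D5-4588-FA6E-9B33C7152B24} - C:\WINDOWS\SYSTEM\APPNC.DLL (file missing)
O2 - BHO: (no name) - {7CBDEAA1-6FC2-11D9-8E68-000D50576545} - C:\WINDOWS\SYSTEM\PBDC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O18 - Filter: text/html - {E9C3AE21-706A-11D9-8E68-000D99F08FC3} - C:\WINDOWS\SYSTEM\PBDC.DLL
O18 - Filter: text/plain - {E9C3AE21-706A-11D9-8E68-000D99F08FC3} - C:\WINDOWS\SYSTEM\PBDC.DLL
O21 - SSODL: System - {68576040-D9BE-11D8-8E68-000D87B1F72C} - (no file)
"""

# "<code> - <kind>: <name> - {CLSID} - <path>[ (file missing)]"
ENTRY = re.compile(
    r"^(?P<code>[A-Z]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

def parse(log):
    """Return dicts for CLSID-style entries (O2, O3, O18, O21); other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["missing"] = bool(e["missing"]) or e["path"] == "(no file)"
            e["path"] = e["path"].upper()  # Windows paths are case-insensitive
            entries.append(e)
    return entries

def removal_plan(entries):
    """Split entries into orphans (file already gone) and files still on disk that
    more than one entry loads; each of those entries needs fixing before deletion."""
    orphans = [e for e in entries if e["missing"]]
    by_file = defaultdict(list)
    for e in entries:
        if not e["missing"]:
            by_file[e["path"]].append(f'{e["code"]} {e["kind"]} {e["clsid"]}')
    shared = {p: refs for p, refs in by_file.items() if len(refs) > 1}
    return orphans, shared

if __name__ == "__main__":
    orphans, shared = removal_plan(parse(SAMPLE_LOG))
    for e in orphans:
        print("orphaned entry:", e["code"], e["clsid"])
    for path, refs in shared.items():
        print(path, "is loaded by", len(refs), "entries:", refs)
```

On this input PBDC.DLL is the only shared file, and it is registered under two different CLSIDs (one for the BHO, one for both filters), so matching on a single CLSID would miss part of the registration.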
     
  5. KTOP

    KTOP Thread Starter

    Joined:
    Jan 27, 2005
    Messages:
    4
    Thank you very much MFDnNC, somebody else did it for me (I'd really ruin it)....... the problem is fixed and this is the new log:

    Logfile of HijackThis v1.99.0
    Scan saved at 12:00:05 p.m., on 04/02/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\RTVSCN95.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\KEYHOOK.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\VPEXRT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    C:\BITWARE\VIEWFAX.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dvdempire.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\NORTON~1\VPTRAY.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\SYSTEM\keyhook.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\ARCHIV~1\NORTON~1\RTVSCN95.EXE
    O4 - HKLM\..\RunServices: [defwatch] C:\ARCHIV~1\NORTON~1\DEFWATCH.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: www.batuta.cl
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted IP range: 64.127.104.144
    O15 - Trusted IP range: 64.127.104.144 (HKLM)
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = entelchile
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.72.1.5,200.72.1.11
    O21 - SSODL: System - {68576040-D9BE-11D8-8E68-000D87B1F72C} - (no file)

    thanks again!!!!!!!
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Need to run again - Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Fix this entry - O21 - SSODL: System - {68576040-D9BE-11D8-8E68-000D87B1F72C} - (no file)
     
Short URL to this thread: https://techguy.org/324280