PLEASE HELP ASAP, Don't know what is going on

Discussion in 'Virus & Other Malware Removal' started by mzak, Sep 21, 2004.

Thread Status:
Not open for further replies.
  1. mzak

    mzak Thread Starter

    Joined:
    Sep 21, 2004
    Messages:
    7
    I am screwed

    I can't get rid of default homepage http://213.159.117.134/index.php and this dialer that keeps popping up saying "Please select your country"
    Does anyone know what is going on?????????????? (Maybe some porn site)

    Logfile of HijackThis v1.98.2
    Scan saved at 11:43:27 AM, on 22/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Windows SyncroAd\SyncroAd.exe
    C:\WINDOWS\System32\dktime.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\dktime.exe
    C:\Documents and Settings\pyeoh\Application Data\cinkn?.exe
    C:\Program Files\Windows SyncroAd\WinSync.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wisptis.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\pyeoh\Local Settings\Temp\Temporary Directory 6 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
    O4 - HKCU\..\Run: [Owst] C:\Documents and Settings\pyeoh\Application Data\cinkn?.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O16 - DPF: {56D00FBB-F232-0120-9CCB-5DF92262F3F4} - http://213.159.117.150/1/rdgAU10.exe
    O16 - DPF: {6439B596-13FE-44FE-4B6E-02147DBE3F3B} - http://213.159.117.150/1/rdgAU10.exe
    O16 - DPF: {6FADE86D-B3C4-15B2-6934-7FE255C5BF3E} - http://213.159.117.150/1/rdgAU10.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Infracorp.local
    O17 - HKLM\Software\..\Telephony: DomainName = Infracorp.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B85B2CC5-7AFC-436D-801A-5F3F88EA3858}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Infracorp.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Infracorp.local

    Please help I am desperate

    sorry just wanted to add this new hijack this w/o other stuff running

    Logfile of HijackThis v1.98.2
    Scan saved at 11:51:24 AM, on 22/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Windows SyncroAd\SyncroAd.exe
    C:\WINDOWS\System32\dktime.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\dktime.exe
    C:\Documents and Settings\pyeoh\Application Data\cinkn?.exe
    C:\Program Files\Windows SyncroAd\WinSync.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wisptis.exe
    C:\Documents and Settings\pyeoh\Local Settings\Temp\Temporary Directory 6 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
    O4 - HKCU\..\Run: [Owst] C:\Documents and Settings\pyeoh\Application Data\cinkn?.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O16 - DPF: {56D00FBB-F232-0120-9CCB-5DF92262F3F4} - http://213.159.117.150/1/rdgAU10.exe
    O16 - DPF: {6439B596-13FE-44FE-4B6E-02147DBE3F3B} - http://213.159.117.150/1/rdgAU10.exe
    O16 - DPF: {6FADE86D-B3C4-15B2-6934-7FE255C5BF3E} - http://213.159.117.150/1/rdgAU10.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Infracorp.local
    O17 - HKLM\Software\..\Telephony: DomainName = Infracorp.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B85B2CC5-7AFC-436D-801A-5F3F88EA3858}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Infracorp.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Infracorp.local

    Thanks once again. If the problem is solved I will be glad to donate some money.

    cheers
     
  2. Abdhul

    Abdhul

    Joined:
    Apr 20, 2004
    Messages:
    275
    Open up Internet Explorer
    Go to
    Tools
    Internet Options...
    Change your homepage to whatever you want.
    click ok
    exit all internet windows

    Eliminate EVERYTHING BUT: (The second log)

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

    let us know how it goes...
     
  3. mzak

    mzak Thread Starter

    Joined:
    Sep 21, 2004
    Messages:
    7
    Dear Abdhul,

    what do you mean eliminate everything,

    do you mean fix checked everything from hijack this except the two lines you mentioned.

    do i then need to open in safe mode or something??

    Please clarify, I am not a technical person, just learnt all this last night

    Zak
     
  4. Abdhul

    Abdhul

    Joined:
    Apr 20, 2004
    Messages:
    275
    sorry.

    "do you mean fix checked everything from hijack this except the two lines you mentioned."

    Yes

    then restart your computer.
     
  5. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
    Mzak, DO NOT remove anything in your Hi Jack This log. WAIT for someone skilled in analyzing your Hi Jack log. If it is done wrong you will have more trouble. Please be patient.
     
  6. Abdhul

    Abdhul

    Joined:
    Apr 20, 2004
    Messages:
    275
    If any of your programs have problems, restore these from backup.

    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
    O4 - HKCU\..\Run: [Owst] C:\Documents and Settings\pyeoh\Application Data\cinkn?.exe
    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
    O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     
  7. Abdhul

    Abdhul

    Joined:
    Apr 20, 2004
    Messages:
    275
    Dust Sailor:

    sorry, but I do know what I am talking about, if you think this thread needs someone more experienced perhaps you should ask someone to help rather than scaring people off from doing something virtually harmless.

    I have never, ever, ever, seen a computer crash because someone removed all their hijackthis entries. have you ever tried it?
     
  8. mzak

    mzak Thread Starter

    Joined:
    Sep 21, 2004
    Messages:
    7
    [email protected]#T went and deleted everything on Hijack this like Abdhul said except for the two things, the new file is below. oooops, shoulda taken my time, but at least now I can reset my new homepage to www.smh.com.au and so far no popups yet???????
    What do i do now


    Logfile of HijackThis v1.98.2
    Scan saved at 1:03:17 PM, on 22/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows SyncroAd\SyncroAd.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Windows SyncroAd\WinSync.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
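
Added example, not part of the original posts: a Python check that compares the O4 Run entries from the second log with the running-process list in the third log, using lines excerpted from this thread. The regexes and function names are this example's own; it assumes every entry except the two kept ones was fixed, and a process that is still listed only shows it was running when the scan was saved.

```python
import re

# Constructed sample: O4 lines excerpted from the second log in this thread.
BEFORE_O4 = r"""
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Owst] C:\Documents and Settings\pyeoh\Application Data\cinkn?.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
# Constructed sample: process lines excerpted from the third log (after the fix).
AFTER_PROCESSES = r"""
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
"""
KEPT = {"MSMSGS", "ctfmon.exe"}  # the two Run entries the reply said to keep

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)  # quoted path, or up to first .exe

def parse_o4(log):
    """Return (hive, value name, executable path) for every O4 Run line."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        exe = EXE_RE.match(command)
        entries.append((hive, name, (exe.group(1) or exe.group(2)) if exe else command))
    return entries

def verify_fix(before_log, after_processes, kept):
    """Split the removed Run entries by whether their executable still runs afterwards."""
    running = {p.strip().lower() for p in after_processes.splitlines() if p.strip()}
    removed = [(n, exe) for _, n, exe in parse_o4(before_log) if n not in kept]
    return {
        "still_running": sorted({n for n, exe in removed if exe.lower() in running}),
        "gone": sorted({n for n, exe in removed if exe.lower() not in running}),
    }

if __name__ == "__main__":
    print(verify_fix(BEFORE_O4, AFTER_PROCESSES, KEPT))
```

The third log as posted contains only the process list, so a fresh full scan after a restart is what would confirm whether the Run entries themselves are gone.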
     
  9. mzak

    mzak Thread Starter

    Joined:
    Sep 21, 2004
    Messages:
    7
    also forgot to boot up in safe mode
     
  10. Abdhul

    Abdhul

    Joined:
    Apr 20, 2004
    Messages:
    275
    so what is the problem?

    if you are worried about what processes are running you could always try "msconfig"
    happy to help you with that if so.
     
  11. mzak

    mzak Thread Starter

    Joined:
    Sep 21, 2004
    Messages:
    7
    Thanks Abdhul
    don't know what MSCONFIG is but I'll just keep doing my work and if anything is odd I will contact you, but all seems to be well. whadayathink of the latest logfile I posted

    Zak
     
  12. Abdhul

    Abdhul

    Joined:
    Apr 20, 2004
    Messages:
    275
    looks ok, personally I would eliminate some of the processes just because of personal preference, but they shouldn't pose any real problem.
     
  13. mzak

    mzak Thread Starter

    Joined:
    Sep 21, 2004
    Messages:
    7
    Sorry, eliminate what, what are the processes, is it the Hijack this thing again, which line should I take out
     
  14. Abdhul

    Abdhul

    Joined:
    Apr 20, 2004
    Messages:
    275
    sorry, I went all technical on you...

    processes are applications that are running, but they aren't visible.

    the ones I would eliminate are the unneeded ones, but what is unneeded for me might be important for you, so I wouldn't worry about it too much.

    you would eliminate these with msconfig - if you want to it is pretty easy (for me anyway....)
     
  15. mzak

    mzak Thread Starter

    Joined:
    Sep 21, 2004
    Messages:
    7
    I'll just leave these ones but if I run into any more probs, will contact you

    cheers

    Zak

    ps: you are a lifesaver
     
Short URL to this thread: https://techguy.org/276673
