Smart-Security browser hijacker

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

pat100

Thread Starter
Joined
Jun 19, 2004
Messages
69
Hello,
I was browsing the internet yesterday and found myself to have gotten a browser hijacker (never got one before). I didnt notice until I had lowered all the windows a saw a big advertisement on my desktop. Anyway, I had Ran Spybot 1.3 and Adaware 6. The problems I was experience were:
the homepage would always redirect itself and would ask to install a "security" thing, and a pop-up says you must click yes (and forcably repeats itself so you have to close everything quickly). Well, I got around the desktop part by going to Start>Control Panel>Display>Desktop>Customize Desktop..and unclicking a security thing for the page. Well, now that I have my wallpaper back to normal, I'm only faced with 2 annoying problems. I finished running Spybot and adaware (finding several problems), I reboot and the page still redirects itself to the same homepage (after changing it back to normal), and 3 favorites keep popping back up (after deleting them). I'm very sure the original desktop file is still on my computer (I believe it was C:/Windows/Web/desktop/desktop.html). Well, I cannot update to SP1, so I'm left with this log and whatever security updates it may have..

Logfile of HijackThis v1.97.7
Scan saved at 11:33:10 PM, on 7/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\sistray.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\SiSAudUt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Richard Headrick\Local Settings\Temporary Internet Files\Content.IE5\MDFGPSJ2\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://woar.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://woar.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://woar.directwebsearch.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://woar.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://woar.directwebsearch.net/search.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.252/bonus.chm::/winpromo.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38117.3431944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4362/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEB782D5-9651-46E2-85CD-D836D8BFE646}: NameServer = 211.133.144.233 211.133.144.234

Thanks in advance!!
 

pat100

Thread Starter
Joined
Jun 19, 2004
Messages
69
I did all that and here is what I got from the log...

Logfile of HijackThis v1.97.7
Scan saved at 12:25:44 AM, on 7/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\SiSAudUt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Richard Headrick\Local Settings\Temporary Internet Files\Content.IE5\JJDBFHSW\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://woar.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://woar.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://woar.directwebsearch.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://woar.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://woar.directwebsearch.net/search.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.252/bonus.chm::/winpromo.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38117.3431944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4362/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEB782D5-9651-46E2-85CD-D836D8BFE646}: NameServer = 211.133.144.233 211.133.144.234

thanks for the help!
 

pat100

Thread Starter
Joined
Jun 19, 2004
Messages
69
Ok, I looked through the list of files listed up there and some are related to other Hijackers and are trojans.

The following lines were checked and fixed by hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://woar.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://woar.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://woar.directwebsearch.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://woar.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://woar.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://woar.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://woar.directwebsearch.net/search.php
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.252/bonus.chm::/winpromo.exe

Make sure you re-run the Spybot program to get the remaining entries (Adaware 6 couldnt find anything of this).
Delete the favorites that arent needed and change your homepage to whatever you had originally to avoid the pop-up and download on demand thing again.
 

pat100

Thread Starter
Joined
Jun 19, 2004
Messages
69
Ok, everything seems to run perfect now, I have no problems whatsoever. I did a scan again after reboot and the old 5 items that appear as exploits (in spybot) reappeared. But nothing has happened..Well, here's an update on my log...

Logfile of HijackThis v1.97.7
Scan saved at 12:49:28 AM, on 7/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\SiSAudUt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Richard Headrick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38117.3431944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4362/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEB782D5-9651-46E2-85CD-D836D8BFE646}: NameServer = 211.133.144.233 211.133.144.234
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top