[Solved] browser hack, plz review my HJT file

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Eddie_V

Thread Starter
Joined
Sep 13, 2004
Messages
6
OK, I've got 3 items I can't remove:

1: http://www.searchportal.info/ is always my startup page
2: casinopallazo pops up every now and then
3: some weird popup blocker keeps coming back every now and then; it is removable in Configuration - Software, but when I do that it just comes back the next day

I have Ad-Aware and SpyHunter on my PC, and ZoneAlarm Pro

here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 17:22:04, on 13-9-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\inetg\services.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Administrator\Bureaublad\Alex\mirc6.01\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Bureaublad\Mp3\temp\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/greencore/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.v73.us/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.v73.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
F3 - REG:win.ini: run=C:\WINNT\inetg\services.exe
O1 - Hosts: 66.235.200.178 www.warfieldgames.com
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E3CFBD5-589D-4403-A60E-5CDB022F3528} - C:\WINNT\system32\dkbf.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetg\services.exe
O4 - HKLM\..\Run: [gnlcowi] C:\WINNT\system32\mjmfin.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetg\services.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...4dd4b7639727:02a2cd5f5ef86a6a9c5501e7089a2147
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games6.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab


If anyone could help me get rid of any of my problems I will be very grateful :)

Also, is there a way to prevent this from happening again?

greetz,
Eddie_V
 
Joined
Jul 13, 2004
Messages
1,421
You have a bad bug. Wait for one of the guys who work on these - the about:blank bug. You should make sure you have the latest versions of Ad-Aware SE 1.4 and Spybot 1.3 with the latest updates. They don't protect you from about:blank, but they clean up the other things. SpywareGuard and SpywareBlaster are usually recommended around here too. Also make sure your OS is up to date and your antivirus too.
Here is about buster - don't run it, just download, unzip, install and then wait for help.

http://www.majorgeeks.com/download4289.html

adaware se 1.4
http://www.majorgeeks.com/download506.html
spybot
http://www.majorgeeks.com/download2471.html
spywareblaster
http://www.majorgeeks.com/download2859.html
spywareguard
http://www.majorgeeks.com/download3045.html

BHO Demon
http://www.majorgeeks.com/download3550.html
BHO Blaster
http://www.majorgeeks.com/download3786.html

When it comes to personal protection, one shouldn't mess around...doc
 
Joined
Jul 26, 2002
Messages
46,349
Hi Eddie_V

Welcome to TSG! :)


I recommend that you go to Add/Remove programs and uninstall SpyHunter. See here for more info:

http://www.lavasoftnews.com/theeye/i19/a1.html

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/greencore/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.v73.us/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.v73.us

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)

F3 - REG:win.ini: run=C:\WINNT\inetg\services.exe

O1 - Hosts: 66.235.200.178 www.warfieldgames.com

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll

O2 - BHO: (no name) - {0E3CFBD5-589D-4403-A60E-5CDB022F3528} - C:\WINNT\system32\dkbf.dll (file missing)

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll

O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll

O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)

O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe

O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetg\services.exe

O4 - HKLM\..\Run: [gnlcowi] C:\WINNT\system32\mjmfin.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load

O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetg\services.exe

O15 - Trusted Zone: www.mt-download.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...c5501e7089a2147

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab

O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games6.cab


Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

Now find and delete these files:

C:\WINNT\system32\enbiei.exe
C:\WINNT\system32\mjmfin.exe

Delete these folders:

C:\WINNT\inetg
C:\Program Files\Web_Rebates

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin


Go here and download Adaware SE.

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.


Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
 
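Added here as an example, and not code from this thread, from HijackThis or from the TSG helpers: a small Python triage script that parses the entry lines of a HijackThis log (the sample lines below are copied from the log posted above) and applies the same kinds of checks the fix list reflects from a defender's point of view: entries whose file is gone, a win.ini autostart, a site added to the Trusted Zone, browser start/search pages and ActiveX downloads from hosts the owner does not recognise, and a core Windows binary name (services.exe) living outside the system directory. KNOWN_GOOD_HOSTS, SYSTEM_BINARY_NAMES and SYSTEM_DIRS are assumptions made for this example, not anything HijackThis itself knows about.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: entry lines copied from the HijackThis v1.98.2 log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/greencore/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
F3 - REG:win.ini: run=C:\WINNT\inetg\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E3CFBD5-589D-4403-A60E-5CDB022F3528} - C:\WINNT\system32\dkbf.dll (file missing)
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetg\services.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
"""

# Assumptions for this example: hosts the machine's owner recognises as legitimate for
# browser settings (R0/R1) and ActiveX downloads (O16).
KNOWN_GOOD_HOSTS = {"www.wanadoo.nl", "messenger.zone.msn.com"}
# Assumption: names of core Windows binaries. The same name outside the system
# directory is a classic masquerade (compare C:\WINNT\inetg\services.exe in the log).
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - HKLM\..\Run: [...]"
URL_RE = re.compile(r"https?://[^\s]+")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


def parse_entries(log_text):
    """Split a HijackThis log into (section, body) tuples; process lists and headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def review_entry(section, body):
    """Return the reasons this entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: registry points at a file that no longer exists")
    if section == "F3":
        reasons.append("win.ini run= autostart: legacy mechanism rarely used by legitimate software")
    if section == "O15":
        reasons.append("site added to the Trusted Zone: lowers IE security settings for that host")
    for url in URL_RE.findall(body):
        if section in ("R0", "R1", "O16") and host_of(url) not in KNOWN_GOOD_HOSTS:
            reasons.append(f"unrecognised host in {section} entry: {host_of(url)}")
    for path in PATH_RE.findall(body):
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not lower.startswith(SYSTEM_DIRS):
            reasons.append(f"system binary name outside the system directory: {path}")
    return reasons


def review_log(log_text):
    """Map each flagged entry (as 'section - body') to its reasons, in log order."""
    findings = {}
    for section, body in parse_entries(log_text):
        reasons = review_entry(section, body)
        if reasons:
            findings[f"{section} - {body}"] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in review_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the script flags six of the ten entries and leaves the Wanadoo default page, the Adobe BHO, the Symantec ccApp autostart and the MSN Messenger game control alone; the point of an allowlist of hosts the owner actually uses is that it catches a silently replaced start page without any signature for the hijacker.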

Eddie_V

Thread Starter
Joined
Sep 13, 2004
Messages
6
Thanks for those pointers to the programs. I will check them out right now.

I use Norton AntiVirus, which is up to date, and all available updates for my OS are installed.
 
Joined
Jul 26, 2002
Messages
46,349
Eddie, we were posting at the same time. See my post above your last post.
 

Eddie_V

Thread Starter
Joined
Sep 13, 2004
Messages
6
I noticed that, thanks for the fast reply. I am almost done with your advice :)

Only the two .exe files I could not delete because they were not present, and the link to the "why to remove SpyHunter" did not work, but I removed it anyhow.

Also, I did not check the part in HJT about my hosts file because I made the change myself, so I knew it wasn't anything bad.

So far it all looks good, and thanks for that too. I will do the last online virus check and then check it all out, and will post here if it's all gone.
 

Eddie_V

Thread Starter
Joined
Sep 13, 2004
Messages
6
Well Flrman1, I owe you one ;-)

Thanks for your great help, all browser hacks seem to be gone now. Any idea how I can protect myself from infections like that? Because the service packs and MS updates seem to leave little holes.
 
Joined
Jul 26, 2002
Messages
46,349
You're Welcome! :)

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
 
Joined
Jul 26, 2002
Messages
46,349
Glad we were able to help! :)

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 