[Solved] Grrr!! IE Start Page Totally Hijacked and HijackThis Doesn't Help?!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

LOZ

Thread Starter
Account Closed
Joined
Oct 6, 2003
Messages
65
Hi all!

Ok. I've got IE 6 running on Windows 98 and some B.S. site has totally hijacked my start page. Whatever I set my start page to be, as soon as I turn the PC off and on again this same .cc country domain search site is back? Grrr! :mad: I downloaded HijackThis and checked items 1 through 8 and item 11 but still the .cc crud site comes back after start up. Please see my HijackThis log below.

Any help anyone can offer with getting rid of this annoyingly persistent hijacker would be gratefully appreciated!


Logfile of HijackThis v1.97.7
Scan saved at 12:11:30, on 15.4.2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\MAPIICON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
D:\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\OHJELMATIEDOSTOT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Ohjelmatiedostot\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Ohjelmatiedostot\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Ohjelmatiedostot\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Ohjelmatiedostot\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [ADSL_A2] C:\WINDOWS\System\MapiIcon.exe
O4 - HKLM\..\Run: [RealTray] C:\Ohjelmatiedostot\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "D:\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "D:\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] D:\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - Startup: Microsoft Office -pikavalintapalkki.Lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Officen käynnistys.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA.EXE
O4 - Startup: PrecisionTime.lnk = C:\Ohjelmatiedostot\Mediasoitin\mplayer2.exe
O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38072.2507407407
 
Joined
Nov 9, 2003
Messages
563
"Spybot - Search and Destroy"?

"Ad-Aware"?

"Browser Sentinel" will prevent further hijacks, too.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,578
I don't know if this is a variant of CoolWebSearch or not but it wouldn't hurt to run the CWShredder program and see if that helps.

Download CWShredder

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

Then restart your computer and post another log.

IMPORTANT! To help prevent this from happening again, you should install all the security patches and critical updates.

Cookie
 

LOZ

Thread Starter
Account Closed
Joined
Oct 6, 2003
Messages
65
CWShredder.exe did it! :) Thanks, Cookiegal!
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,578
Great! Why don't you post another HijackThis log just to be sure.

Cookie (y)
 

LOZ

Thread Starter
Account Closed
Joined
Oct 6, 2003
Messages
65
Here's the latest results from HijackThis...

I now permanently have the start page I want in IE except for one tiny lingering problem... when I open IE for the first time after the computer has been restarted/switched on, I get a little advert(?) screen that comes up for only a few seconds. The screen is in nasty pink colours and it says "Web Trap 2002" or something like that with a bunch of what look to me like Chinese characters below that. As I say, that seems to be the only lingering annoyance. Odd, huh? Btw, Spybot - Search & Destroy didn't help with getting rid of that. :confused:


Logfile of HijackThis v1.97.7
Scan saved at 19:41:25, on 15.4.2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\MAPIICON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
D:\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\OHJELMATIEDOSTOT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Ohjelmatiedostot\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Ohjelmatiedostot\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Ohjelmatiedostot\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Ohjelmatiedostot\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [ADSL_A2] C:\WINDOWS\System\MapiIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "D:\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "D:\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] D:\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - Startup: Microsoft Office -pikavalintapalkki.Lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Officen käynnistys.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38072.2507407407
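
An added example (not written by the thread's participants and not part of HijackThis): it diffs the two logs posted above to list entries that disappeared after the CWShredder run and flags the ones worth reading first. The log excerpts are copied from this thread; the function names and the two heuristics are assumptions of this example.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (before / after CWShredder).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [RealTray] C:\Ohjelmatiedostot\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# HijackThis item lines look like "<code> - <detail>"; header and process lines do not match.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log):
    """Return the (code, detail) pairs of a HijackThis log, in log order."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out

def removed_entries(before, after):
    """Entries present in the first log and absent from the second."""
    kept = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in kept]

def suspicious(entry):
    """Heuristic reasons (assumptions of this example) for reading an entry first."""
    code, detail = entry
    reasons = []
    if code in ("R0", "R1") and detail.endswith("(obfuscated)"):
        reasons.append("IE URL setting stored obfuscated")
    if code == "O4" and re.search(r"\bregedit(\.exe)?\s+[-/]s\b", detail, re.I):
        reasons.append("autorun silently imports a .reg file at boot")
    return reasons

def triage(before, after):
    """Map each removed entry to its reasons; entries with no reason are left out."""
    return {e: r for e in removed_entries(before, after) if (r := suspicious(e))}

if __name__ == "__main__":
    for (code, detail), why in triage(BEFORE, AFTER).items():
        print(code, detail, "<-", "; ".join(why))
```

On the thread's logs this surfaces the `[sys] regedit -s sys.reg` autorun, a silent registry import at every boot, alongside the obfuscated IE URL values.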
 
Joined
Jul 26, 2002
Messages
46,349
Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Restart your computer.
 

LOZ

Thread Starter
Account Closed
Joined
Oct 6, 2003
Messages
65
Did as instructed, flrman1. Thanks for that. :)

Seems the nasty pink screen I mentioned in my last post is actually the virus protection on this PC. D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE :eek:

So, the computer's fixed and purring like a kitten. Thanks to all who offered help. To those people (and you know who you are) the drinks are on me! :cool:
 
Joined
Jul 26, 2002
Messages
46,349
Glad we could help! :)

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 