
[Solved] Grrr!! IE Start Page Totally Hijacked and HijackThis Doesn't Help?!

Discussion in 'Earlier Versions of Windows' started by LOZ, Apr 15, 2004.

Thread Status:
Not open for further replies.
  1. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    Hi all!

    Ok. I've got IE 6 running on Windows 98 and some B.S. site has totally hijacked my start page. Whatever I set my start page to be, as soon as I turn the PC off and on again this same .cc country domain search site is back? Grrr! :mad: I downloaded HijackThis and checked items 1 through 8 and item 11 but still the .cc crud site comes back after start up. Please see my HijackThis log below.

    Any help anyone can offer with getting rid of this annoyingly persistent hijacker would be gratefully appreciated!


    Logfile of HijackThis v1.97.7
    Scan saved at 12:11:30, on 15.4.2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    D:\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
    D:\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ANVSHELL.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\OHJELMATIEDOSTOT\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
    C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\MAPIICON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    D:\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
    D:\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
    D:\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
    C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
    C:\OHJELMATIEDOSTOT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Ohjelmatiedostot\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Ohjelmatiedostot\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CreativeMixer] C:\Ohjelmatiedostot\Creative\Audio\PROGRAM\CTMIX32.EXE /t
    O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Ohjelmatiedostot\MediaRing Talk\register.exe
    O4 - HKLM\..\Run: [ADSL_A2] C:\WINDOWS\System\MapiIcon.exe
    O4 - HKLM\..\Run: [RealTray] C:\Ohjelmatiedostot\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "D:\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "D:\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PCCPFW] D:\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O4 - Startup: Microsoft Office -pikavalintapalkki.Lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Officen käynnistys.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA.EXE
    O4 - Startup: PrecisionTime.lnk = C:\Ohjelmatiedostot\Mediasoitin\mplayer2.exe
    O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38072.2507407407
     
  2. Katzy

    Katzy

    Joined:
    Nov 9, 2003
    Messages:
    563
    "Spybot - Search and Destroy"?

    "Ad-Aware"?

    "Browser Sentinel" will prevent further hijacks, too.
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,191
    I don't know if this is a variant of a CoolWebSearch or not but it wouldn't hurt to run the CWShredder program and see if that helps.

    Download CWShredder

    http://www.spywareinfo.com/~merijn/files/CWShredder.exe

    Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

    Then restart your computer and post another log.

    IMPORTANT! To help prevent this from happening again, you should install all the security patches and critical updates.

    Cookie
     
  4. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    CWShredder.exe did it! :) Thanks, Cookiegal!
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,191
    Great! Why don't you post another Hijack This log just to be sure.

    Cookie (y)
     
  6. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    Here's the latest results from HijackThis...

    I now permanently have the start page I want in IE except for one tiny lingering problem... when I open IE for the first time after the computer has been restarted/switched on, I get a little advert(?) screen that comes up for only a few seconds. The screen is in nasty pink colours and it says "Web Trap 2002" or something like that with a bunch of what look to me like Chinese characters below that. As I say, that seems to be the only lingering annoyance. Odd, huh? Btw, Spybot - Search & Destroy didn't help with getting rid of that. :confused:


    Logfile of HijackThis v1.97.7
    Scan saved at 19:41:25, on 15.4.2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    D:\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
    D:\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ANVSHELL.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\OHJELMATIEDOSTOT\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
    C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\MAPIICON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    D:\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
    D:\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
    D:\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
    C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\OHJELMATIEDOSTOT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Ohjelmatiedostot\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Ohjelmatiedostot\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CreativeMixer] C:\Ohjelmatiedostot\Creative\Audio\PROGRAM\CTMIX32.EXE /t
    O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Ohjelmatiedostot\MediaRing Talk\register.exe
    O4 - HKLM\..\Run: [ADSL_A2] C:\WINDOWS\System\MapiIcon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "D:\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "D:\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PCCPFW] D:\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O4 - Startup: Microsoft Office -pikavalintapalkki.Lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Officen käynnistys.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38072.2507407407
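
Comparing the two HijackThis logs posted in this thread shows which entries are gone in the second scan and which changed value. The sketch below is an added example, not part of any post in the thread: it embeds a few lines excerpted from the two logs, and the function names `parse`, `diff` and `hosts` are hypothetical.

```python
import re
from urllib.parse import urlparse

# A few lines excerpted from the two HijackThis logs in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# An entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")

def parse(log):
    """Map (section, name) -> value; only R entries carry a separate value."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section.startswith("R"):
            name, _, value = body.partition(" =")
            entries[(section, name)] = value.strip()
        else:
            entries[(section, body)] = ""
    return entries

def diff(before, after):
    """Return (entries missing from the later log, entries whose value changed)."""
    b, a = parse(before), parse(after)
    removed = sorted(k for k in b if k not in a)
    changed = sorted(k for k in b if k in a and b[k] != a[k])
    return removed, changed

def hosts(log):
    """Hostnames that the browser-setting (R) entries point to."""
    return {urlparse(v.split()[0]).hostname
            for (sec, _), v in parse(log).items() if sec.startswith("R") and v}

if __name__ == "__main__":
    print(diff(BEFORE, AFTER), hosts(BEFORE), hosts(AFTER))
```

On the excerpt, the `[sys] regedit -s sys.reg` Run entry and the redirected search and start-page values are reported as missing from the second log, while the HKCU Start Page is reported as changed.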
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked".

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    Restart your computer.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,191
    Thanks Flrman1...... ;)
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    No problem! :)
     
  10. LOZ

    LOZ Account Closed Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    65
    Did as instructed, flrman1. Thanks for that. :)

    Seems the nasty pink screen I mentioned in my last post is actually the virus protection on this PC. D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE :eek:

    So, the computer's fixed and purring like a kitten. Thanks to all who offered help. To those people (and you know who you are) the drinks are on me! :cool:
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Glad we could help! :)

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     

Short URL to this thread: https://techguy.org/220613
