
[Solved] Hijacked by http://4bf65.ilxt.info/

Discussion in 'Virus & Other Malware Removal' started by Satin O'Marl, Aug 11, 2004.

Thread Status:
Not open for further replies.
  1. Satin O'Marl

    Satin O'Marl Thread Starter

    Joined:
    Aug 11, 2004
    Messages:
    6
    I've seen a couple of other threads mentioning this same problem, but most advised starting a new one if you had the same problem, so here goes...

    Four major things happen. Least annoying is that my homepage constantly resets to "about:blank", a 'my search' page of some description. (I never open my homepage, but from the little telstra button on the bottom right...)

    Also, two entries constantly re-appear in my favourites after being deleted.

    Finally, I get constant pop-ups screaming at me about spyware, and whenever I try to use hotmail it re-directs me to this search page... only hotmail though, no other sites.

    I've got an up-to-date virus scanner and firewall, but nothing comes up...

    So... can someone help an internet-illiterate fool fix his silly problem? :confused:

    Oh yeah, I run Windows XP, Internet Explorer (the latest one I think... don't know what number...).
     
  2. Satin O'Marl

    Satin O'Marl Thread Starter

    Joined:
    Aug 11, 2004
    Messages:
    6
    Erg... **Goes and gets HjT**

    Ok, here's my log:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:04:36 PM, on 11/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\program files\Telstra\Signup\tbpt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    C:\Program Files\MediaKey v1.00\Versato.exe
    C:\Program Files\MediaKey v1.00\MediaPlayer.exe
    C:\Program Files\MediaKey v1.00\OSD.EXE
    C:\Program Files\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\PC-cillin 2002\PCCCLIENT.EXE
    C:\Program Files\PC-cillin 2002\PCCGUIDE.EXE
    C:\Program Files\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\PC-cillin 2002\POP3TRAP.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Andrews Stuff\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dka.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dka.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dka.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dka.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SATINO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SATINO~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://telstra.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SATINO~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SATINO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SATINO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dka.directwebsearch.net/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SATINO~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {7CA06220-2AF2-40C5-BB82-F45A6E3AB3A5} - C:\WINDOWS\System32\ejgae.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\System32\wer1306.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
    O4 - Global Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
    O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://telstra.com
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.187/winsearchie32.chm::/winsearchie32.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Filter: text/html - {9A121D61-9AC0-47CB-979D-8BE001A9BAB1} - C:\WINDOWS\System32\ejgae.dll
    O18 - Filter: text/plain - {9A121D61-9AC0-47CB-979D-8BE001A9BAB1} - C:\WINDOWS\System32\ejgae.dll

    Wow, that's a lot of text I don't understand.... **Whistles**
    Help?
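As an added example (editor's code, not a tool from this thread or from Tech Support Guy), here is a small Python triage script for HijackThis-style logs: it parses the `Rn - ` / `On - ` entry lines, flags the indicator patterns the helpers acted on in this thread, and diffs a before/after log to confirm what a cleanup actually removed. The sample lines inside are condensed from the logs posted in this thread; the flagging rules are the editor's own assumptions, not HijackThis's logic.

```python
"""Triage helper for HijackThis-style logs.

Added example by the editor (not a tool from the thread or from TSG).
It parses 'Rn - ...' / 'On - ...' entry lines, flags the indicator patterns
the helpers acted on in this thread, and diffs two logs so you can confirm
what a cleanup actually removed. The rules below are editor assumptions
modelled on the entries removed in the thread, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass

# One HijackThis entry per line: section tag, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # e.g. "R1", "O2", "O18"
    body: str   # everything after "Rn - " / "On - "


def parse_log(text):
    """Return the entry lines of a log in order; process lists etc. are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


# (sections the rule applies to, regex on the body, reason shown to the reader)
RULES = [
    ({"R0", "R1"}, re.compile(r"=\s*file://.*\\temp\\", re.I),
     "search/start page points at a local file under a Temp folder"),
    ({"O2"}, re.compile(r"\(no name\)", re.I),
     "browser helper object with no name"),
    ({"O16"}, re.compile(r"ms-its:mhtml:", re.I),
     "DPF entry chaining ms-its/mhtml to pull an executable"),
    ({"O18"}, re.compile(r"Filter: text/(html|plain)", re.I),
     "MIME filter hooking page content through a DLL"),
]


def flag(entries):
    """Return (entry, reason) pairs for entries matching any rule."""
    findings = []
    for e in entries:
        for kinds, rx, reason in RULES:
            if e.kind in kinds and rx.search(e.body):
                findings.append((e, reason))
                break
    return findings


def removed_between(before, after):
    """Entries present in the first log but gone from the second."""
    after_set = set(after)
    return [e for e in before if e not in after_set]


# Constructed sample: entries condensed from the first and last logs in the thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SATINO~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7CA06220-2AF2-40C5-BB82-F45A6E3AB3A5} - C:\WINDOWS\System32\ejgae.dll
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.187/winsearchie32.chm::/winsearchie32.exe
O18 - Filter: text/html - {9A121D61-9AC0-47CB-979D-8BE001A9BAB1} - C:\WINDOWS\System32\ejgae.dll
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
"""


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for e, reason in flag(before):
        print(f"[{e.kind}] {reason}\n    {e.body}")
    print("\nRemoved by cleanup:")
    for e in removed_between(before, after):
        print(f"  {e.kind} - {e.body}")
```

The diff step is the useful part when reviewing a follow-up log: it shows that the unnamed BHO, the text/html filter DLL and the winupd Run entry are gone, while legitimate entries such as NeroCheck survive.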
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi Satin O'Marl

    Welcome to TSG! :)

    Please do this:

    Click here to download FindNFix.

    Extract it (it should autoextract to C:\FindnFix when you double click it)

    Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste log.txt back here in your next reply.

    I will not be back here until around 12 pm EDT. I'll check it out then and give you further directions.
     
  4. Satin O'Marl

    Satin O'Marl Thread Starter

    Joined:
    Aug 11, 2004
    Messages:
    6
    Hi, thank you, here it is:

    Wed 11 Aug 04 22:51:11

    »»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»

    *System:
    Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600)
    *IE version:
    6.0.2800.1106 SP1-Q823353-Q832894-Q831167-Q867801

    The type of the file system is FAT32.

    __________________________________
    !!*Creating backups...!!

    The operation completed successfully
    __________________________________

    *Local time:
    Wednesday, 11 August 2004 (11/08/2004)
    10:51 PM, Tasmania Standard Time
    *Uptime:
    22:51:12 up 0 days, 5:23:35

    ----------------------------------------------------
    »»Member of...: ("ADMIN" logon + group match required!)

    User is a member of group MY-SILLY-POOTA\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Group BUILTIN\Administrators matches list.
    Group BUILTIN\Users matches list.

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    User: [MY-SILLY-POOTA\Satin O'Marley], is a member of:

    BUILTIN\Administrators
    \Everyone

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided and registry scan should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

    »»»»»»»»»»»»»»»»»»***LOG!***(*updated 8/11)»»»»»»»»»»»»»»»»

    »»»*»»»*Use at your own risk!»»»*»»»*

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...


    »»»»» (*2*) »»»»»........

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»»»(*5*)»»»»»

    »»»»»(*6*)»»»»»

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    No matches found.

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


    BHO search...

    **File C:\WINDOWS\SYSTEM32\EJGAE.DLL
    000020DC: 25 25 25 30 32 78 00 00 . 00 00 00 00 C0 82 05 B3 %%%02x.. ....À‚.³
    **File C:\WINDOWS\SYSTEM32\IHBFEP.DLL
    00001FF4: 25 25 25 30 32 78 00 00 . 00 00 00 00 C0 82 05 B3 %%%02x.. ....À‚.³


    "C:\WINDOWS\system32\"
    ihbfep.dll 20 Jul 2004 30720 "ihbfep.dll"

    1 item found: 1 file, 0 directories.
    Total of file sizes: 30,720 bytes 30.00 K


    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value Matches
    ________________________________

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs =
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Full access MY-SILLY-POOTA\Satin O'Marley
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    Full access MY-SILLY-POOTA\Satin O'Marley



    »»Performing string scan....
    00001150:C 2 zZ35 C 2
    00001190: zZ35 C 2 vk | AppInit_DLLs '
    000011D0: vk y DeviceNotSelectedTimeout 1 5
    00001210: ( 9 0 Handle vk ' GDIProcessHandle
    00001250:Quotak vk x dlSpooler y e s =t
    00001290: ( X vk | swapdisk vk
    000012D0: utTransmissionRetryTimeout ( X
    00001310: vk ' S USERProcessHandleQuotat
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    AppInit_DLLs'
    --------------
    --------------
    $011C0: AppInit_DLLs
    $011F0: DeviceNotSelectedTimeout
    $01240: GDIProcessHandleQuotak
    $012D6: utTransmissionRetryTimeout
    $01328: USERProcessHandleQuotat
    --------------
    --------------
    No strings found.

    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    Ntdll.DLL at 77F50000
    Kernel32.DLL at 77E60000

    ..........
    *Debug...
    --------------
    --------------
    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : ""
    0000 00 00 | ..
    -----------------------

    »»»»»»Backups list...»»»»»»
    22:51:48 up 0 days, 5:24:11
    Wed 11 Aug 04 22:51:48


    C:\FINDNFIX\
    keyback.hiv Wed 11 Aug 2004 22:51:12 A.... 8,192 8.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 8,192 bytes 8.00 K

    C:\FINDNFIX\KEYS1\
    winkey.reg Wed 11 Aug 2004 22:51:12 A.... 287 0.28 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 287 bytes 0.28 K

    *Temp backups...

    "C:\Documents and Settings\Satin O'Marley\Local Settings\Temp\Backs2\"
    keyback2.hi_ 11 Aug 2004 8192 "keyback2.hi_"
    winkey2.re_ 11 Aug 2004 287 "winkey2.re_"

    2 items found: 2 files, 0 directories.
    Total of file sizes: 8,479 bytes 8.28 K

    C:\FINDNFIX\
    JUNKXXX Wed 11 Aug 2004 22:51:12 .D... <Dir>

    1 item found: 0 files, 1 directory.

    -----END------
    Wed 11 Aug 04 22:51:49
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi... I'll just jump in here while Mark is away.

    Download and install Registrar Lite.
    http://www.resplendence.com/reglite
    Install, run, copy and paste the BOLD text into reglite's address bar:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


    hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

    ;)
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    That Appinit_DLL info is right there in the FnF log, $teve. :confused:

    C 2 zZ35 C 2
    00001190: zZ35 C 2 vk | AppInit_DLLs '
    000011D0: vk y DeviceNotSelectedTimeout 1 5
    00001210: ( 9 0 Handle vk ' GDIProcessHandle
    00001250:Quotak vk x dlSpooler y e s =t
    00001290: ( X vk | swapdisk vk
    000012D0: utTransmissionRetryTimeout ( X
    00001310: vk ' S USERProcessHandleQuotat

    This should be a simple fix with CWShredder, Adaware and HJT.

    Satin O'Marl

    Please do the following:



    Click here to download CWShredder. Close all browser windows, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

    When it is finished restart your computer.



    Go here and download Adaware SE.

    Install the program and launch it.

    1) Run the WebUpdate feature.

    2) Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    3) Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    4) Click on "Scan Now"

    5) Run the scanner using the Full Scan (Perform full system scan) mode.

    6) When the scan is finished have Adaware fix/remove all it finds.

    Come back here and post another Hijack This log and we'll get rid of what's left.
     
  7. Satin O'Marl

    Satin O'Marl Thread Starter

    Joined:
    Aug 11, 2004
    Messages:
    6
    Ok then, all done... um, it didn't give the option to fix and/or remove at the end, it just had a next button, and removed them all... hmmm.. oh well...

    Here's my new log file... oh and I have noticed that the little icon I usually use to start up an internet window has vanished (usually in the bottom right of the toolbar)... no great loss though.

    Logfile of HijackThis v1.98.2
    Scan saved at 5:08:23 PM, on 12/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\PC-cillin 2002\pccguide.exe
    C:\Program Files\PC-cillin 2002\PCCClient.exe
    C:\Program Files\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\program files\Telstra\Signup\tbpt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    C:\Program Files\MediaKey v1.00\Versato.exe
    C:\Program Files\MediaKey v1.00\MediaPlayer.exe
    C:\Program Files\MediaKey v1.00\OSD.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Andrews Stuff\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://telstra.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
    O4 - Global Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
    O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://telstra.com
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.187/winsearchie32.chm::/winsearchie32.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O4 - Startup: PowerReg Scheduler V3.exe

    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.187/winsearchie32.c...nsearchie32.exe


    Restart your computer.
     
  9. Satin O'Marl

    Satin O'Marl Thread Starter

    Joined:
    Aug 11, 2004
    Messages:
    6
    Ok, done, here's the latest log... all clear?

    Logfile of HijackThis v1.98.2
    Scan saved at 9:35:29 AM, on 13/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\PC-cillin 2002\pccguide.exe
    C:\Program Files\PC-cillin 2002\PCCClient.exe
    C:\Program Files\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\program files\Telstra\Signup\tbpt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    C:\Program Files\MediaKey v1.00\Versato.exe
    C:\Program Files\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\MediaKey v1.00\MediaPlayer.exe
    C:\Program Files\MediaKey v1.00\OSD.EXE
    C:\Andrews Stuff\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://telstra.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://telstra.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
    O4 - Global Startup: 3Deep.lnk = C:\Program Files\E-Color\3Deep\3Deepctl.exe
    O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
    O4 - Global Startup: MediaKey v1.00.lnk = C:\Program Files\MediaKey v1.00\Versato.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://telstra.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Clean! (y)
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn it back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
     
  12. Satin O'Marl

    Satin O'Marl Thread Starter

    Joined:
    Aug 11, 2004
    Messages:
    6
    All done. Thank you so much! Much appreciated. :D
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    My pleasure! :)

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
Short URL to this thread: https://techguy.org/260650