1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Solved] hijacker problems, motor-search

Discussion in 'Virus & Other Malware Removal' started by Bill A., Apr 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Bill A.

    Bill A. Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    3
    Hey Guys-

    I've lurked in here a few times and I'm impressed with what you guys can do. I've got a hijacker problem. My son hit a malicious website and clicked on something and called me on my cellphone to tell me the homepage was "all messed up." Got home, ran Spybot, then Spyhunter, went into Regedit and reset home and search pages, and then rebooted, only to find it all there again. Was hoping Spyhunter would find a memory file I could delete in Safemode, but nothing there. Ran Hijack This and this is my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:07:36 PM, on 4/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UB4N5MB2\hjt[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbsnews.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cbsnews.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbsnews.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cbsnews.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    O4 - HKLM\..\RunOnce: [Acme.Clientupgrade] wscript "C:\WINDOWS\PCHEALTH\HELPCTR\VENDORS\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US/vendor/upgradeclient.js" Acme UPGRADE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.panasonic.com
    O15 - Trusted Zone: http://www.reuters.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/ga...gadgets.shortcut.ShortcutGadget/LocalExec.CAB
    O16 - DPF: {46351BD1-D4C1-43AD-B3FA-D8A783128901} (EmzHardwareEnumerator Control) - http://www.ftpemuzed.com/SoftwareUpdates/releases/EmzHardwareEnumerator.ocx
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Any suggestions are appreciated. I know there's probably other files in the register that I should eliminate, but couldn't find anything identifiable.

    Bill A.
     
  2. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
  3. Bill A.

    Bill A. Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    3
    Thanks a million Buckaroo.
    After a day of trying to track all the garbage down, your two fixer programs just knocked it out in a matter of seconds. Both programs found and destroyed malicious files, and after downloading the suggested Windows updates and rebooting, I held my breath to see if my homepage would appear, and it did. Now I am much better off to have a firewall in place, plus the Adaware searcher added to my other protection programs. What you guys are doing is a HUGE service to us all, and I will gladly make my donation. I encourage others to do so as well, because time (both yours and mine) is money. I have come a long way in understanding my computer's inner file systems, and I'm not afraid to look around in the registry and configuration files, but it's great to have such knowledgable support a click away. Tech support guy will be a permanent bookmark/favorite.
    Thanks again,
    Bill A.
    Athens, GA
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi Bill A

    Welcome to TSG! :)

    It woul be a good idea to post one more Hijack This log to be sure all the nasties are gone.
     
  5. Bill A.

    Bill A. Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    3
    Here's the post clean-up hijack this log.
    If you see anything here I should know about, I'll appreciate it.
    There are some new items, but I think they mostly reflect the changes due to security updates. I already noticed one registry file that under "policies" that imposed internet browser restrictions and I went in an removed the value, and for the first time in a long time, I now have unrestricted ability to use internet options to change my home page.
    so, here's the latest log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:53:26 PM, on 4/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ofps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\StartupMonitor.exe
    C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UB4N5MB2\hjt[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbsnews.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cbsnews.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbsnews.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cbsnews.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.panasonic.com
    O15 - Trusted Zone: http://www.reuters.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1081211018625
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/ga...gadgets.shortcut.ShortcutGadget/LocalExec.CAB
    O16 - DPF: {46351BD1-D4C1-43AD-B3FA-D8A783128901} (EmzHardwareEnumerator Control) - http://www.ftpemuzed.com/SoftwareUpdates/releases/EmzHardwareEnumerator.ocx
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Clean! (y)
     
  7. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Bill A.

    You're welcome and thanks for the kind words. (y)

    :)
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - [Solved] hijacker problems
  1. bj nick
    Replies:
    0
    Views:
    150
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/217405

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice