
teen-biz

Discussion in 'Virus & Other Malware Removal' started by a320a, Nov 28, 2003.

Thread Status:
Not open for further replies.
  1. a320a

    a320a Thread Starter

    Joined:
    Nov 28, 2003
    Messages:
    2
    Hey guys, every time I start my computer my home page has been changed to teen-biz. Also, websites have been added to my favourites list. When I shut down I get a window come up that says Win Min not responding, and sometimes it says NVIDEA twinwindow not responding. I have tried Spy-bot, adaware 6, cwshredder; they get things sometimes but when I reboot it's all back there again. I tried Hijack this and this is what I got.
    Logfile of HijackThis v1.97.7
    Scan saved at 2:02:16 PM, on 28/11/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://teen-biz.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://teen-biz.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teen-biz.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://webmail.iprimus.com.au/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
    O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: winlogon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: MoneySide (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C3C35C3B-3EA8-47DA-BC31-0C3CEF58C439}: NameServer = 203.134.17.90 211.26.25.90

    If you could let me know what to do that would be awesome, thanks :)
     
  2. zephyr

    zephyr

    Joined:
    Nov 5, 2003
    Messages:
    2,324
    Here's the hot tip of the night a320a. Check everything for deletion with the 04 in front of it. Reboot and see if your problem has left. If so, start turning things back on selectively and notice when the problem returns. You do that by running HJT and going to Config > Backups > and selecting to restore the programs one at a time until the trouble returns. Reboot and do full tests after each restore. Expect to lose some enhanced feature items and other tsr's and desirable programs during this period but you can always get them back by running HJT and using the Config > Backups > Restore feature.

    If however stopping all 04 programs didn't help, go back and restore all of them and look for the problem elsewhere.
     
  3. bcoates

    bcoates

    Joined:
    Nov 27, 2003
    Messages:
    2
    NO!!! DON'T CHECK IT ALL

    It's a CWS (cool web search) hijack.
    I had this same problem yesterday. Run a search for win min on this forum and go to the topic "Win Min?" - you'll find the offending program is Winlogon.exe which you need to check and remove in hijackthis but you need to do that in SAFE MODE. There is another entry you need to delete but check the last few posts in the above topic to find out how. I think you'll find this'll solve it! I just fixed it last night, to great relief. Quite a few people must be getting this problem. But WHATEVER YOU DO, don't delete any old item from the list, this could screw your computer up.

    Cheers,
    Ben
     
  4. zephyr

    zephyr

    Joined:
    Nov 5, 2003
    Messages:
    2,324
    bcoates, I can't hardly accept your advice as being valid. I have always had winlogon.exe running on my system and I pretty well suppose all others do too. Mine does not start from the 04 Registry group (Run Key) however so no evil will come from dumping it as I advised, along with all else there.
    That's good advice for normal situations, but when you're troubleshooting a problem, often times some bug has taken over a completely legitimate Windows protected file and fixing that sort of problem can be rather tough. Winlogon.exe is only one such file that is used by these sneaky infections. The key is usually to find all copies and delete them in Safe Mode, then replace them by extracting a clean one from the CD. These gremlins have a way of infecting all copies so deleting only one won't cure the malady since Windows just replaces it by way of its file protection system.

    In closing let me say that on my XP Home system, to troubleshoot any suspicious problem, I check for removal ALL listed items found in HiJackThis log and re-scan. It always comes back with one single line, "No suspicious items found." I reboot and the system ALWAYS starts with a "Clean" boot and nothing but the Firewall and Volume Control and Clock in the Systray. I trust that will work for others as well but ymmv.

    Best regards.
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    a320a

    Welcome to TSG! :)


    This entry is not the legitimate winlogon.exe:

    O4 - Global Startup: winlogon.exe

    The legitimate winlogon.exe will only be seen as a running process. It will never be found anywhere else but in the system root directory.

    Run Hijack This again and put a check by these. Close all windows except HijackThis and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://teen-biz.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://teen-biz.com/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://teen-biz.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://teen-biz.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teen-biz.com/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O4 - Global Startup: winlogon.exe

    Restart to safe mode and delete the:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe file

    See here for starting to safe mode:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
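
The check described in the post above (a system-named file such as winlogon.exe showing up outside the Windows system directory, or in a Startup folder) can be automated over a saved HijackThis log. This is an added example, not part of the original thread or of HijackThis; it assumes a default XP install under C:\WINDOWS, and the `EXPECTED_DIR` table and function names are hypothetical. It covers only the running-process list and O4 Startup-folder entries.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: winlogon.exe
"""

# Assumption: core XP binaries and the only folder each should run from
# on a default install (Windows directory = C:\WINDOWS).
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "smss.exe": SYS32, "winlogon.exe": SYS32, "services.exe": SYS32,
    "lsass.exe": SYS32, "svchost.exe": SYS32, "spoolsv.exe": SYS32,
    "explorer.exe": r"c:\windows",
}

# "O4 - Startup:" / "O4 - Global Startup:" lines, with an optional "= target".
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+?)(?: = (.+))?$")

def misplaced(path):
    """True if the file carries a system binary's name but not its folder."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    return name in EXPECTED_DIR and folder != EXPECTED_DIR[name]

def find_impostors(log_text):
    """Return (kind, log line) pairs for system-named files in the wrong place."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and not line:
            in_processes = False          # blank line ends the process list
        elif in_processes:
            if misplaced(line):
                findings.append(("process", line))
        else:
            m = STARTUP_RE.match(line)
            # A bare file name means the file itself sits in the Startup folder.
            if m and misplaced(m.group(2) or m.group(1)):
                findings.append(("startup", line))
    return findings
```

A hit is a lead for manual review, not a verdict: a Windows directory other than C:\WINDOWS would need a different `EXPECTED_DIR` table.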
     
  6. a320a

    a320a Thread Starter

    Joined:
    Nov 28, 2003
    Messages:
    2
    Thanks flrman1
    Looks like it worked
    I've got ten backup files on my desktop, what do I do with these?
    Cheers Mick :)
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    All those backup files were created by Hijack This. Each time you remove something with HJT it makes a backup before removal just in case.

    You can delete those if you wish.

    I suggest that you create a Hijack This folder and put the HijackThis.exe in that folder. That way the backups will be placed in that folder instead of being scattered on your Desktop.

    Happy Surfing! :D
     

Short URL to this thread: https://techguy.org/183012
