1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trying to remove a hijacker from XP SP2

Discussion in 'Virus & Other Malware Removal' started by deanepotter, Sep 10, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. deanepotter

    deanepotter Thread Starter

    Joined:
    Sep 10, 2004
    Messages:
    2
    I've read some of the threads and installed and ran HJT. The amount of time that I have spent on this is just silly. Can you provide some direction on removing the hijacker? As you can see, the startup list is significantly reduced. The R0 and R1 entries are the hijacker. What program is generating these entries? I have removed them many times only for them to come back.

    Logfile of HijackThis v1.98.2
    Scan saved at 3:29:26 AM, on 9/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\AntiSpyWare\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.biltmorebaptist.org/templates/cusbiltmorebc/default.asp?id=26109
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094788020729
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O19 - User stylesheet: (file missing)
    O21 - SSODL: System - {DA6046FE-9E3D-40D1-B6F7-5017A36AAABD} - C:\WINDOWS\system32\system32.dll

    Thanks.
    Deane
     
    deanepotter, Sep 10, 2004
    #1
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Download CW Shredder:
    http://www.dotcomsecurity.org/downloads/CWShredder.exe
    Open and hit the ->fix tab to fix all found problems

    Then rescan with hijack, insert a check next to the following followed by closing all browser windows and clicking "fix checked"


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php


    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

    O19 - User stylesheet: (file missing)

    O21 - SSODL: System - {DA6046FE-9E3D-40D1-B6F7-5017A36AAABD} - C:\WINDOWS\system32\system32.dll


    Then reboot, rescan again with hijack then post a fresh logfile.
     
    mobo, Sep 10, 2004
    #2
  3. deanepotter

    deanepotter Thread Starter

    Joined:
    Sep 10, 2004
    Messages:
    2
    Thanks mobo for the info. I booted and immediately ran the scan. Checked the items you listed and hit Fix. The items were removed. However, the hj is still there somewhere. During the fix, an error occurred. It is listed first before the scan log. I closed HT and then reopened it and the R0 and R1 entries came back.


    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O21 - SSODL: System - {DA6046FE-9E3D-40D1-B6F7-5017A36AAABD} - C:\WINDOWS\system32\system32.dll)
    Error #62 - Input past end of file

    Please email me at [email protected], reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.98.2


    Logfile of HijackThis v1.98.2
    Scan saved at 9:39:18 AM, on 9/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\AntiSpyWare\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.biltmorebaptist.org/templates/cusbiltmorebc/default.asp?id=26109
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094788020729
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab




    This message has been copied to your clipboard.
     
    deanepotter, Sep 10, 2004
    #3
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Download the tool about:Buster created by Rubber Ducky. http://www.downloads.subratam.org/AboutBuster.zip

    Unzip AboutBuster to the Desktop and have it ready to run, but don't run it yet.

    Now sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access.

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php



    Next run aboutbuster. Again remain offline. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Once the tool is done scanning, copy the log and save it to paste back here in your thread.

    Restart your computer and post the report from AboutBuster and a new Hijack this log.
     
    mobo, Sep 10, 2004
    #4
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Trying remove hijacker
  1. TheSuccMaster

    In Progress I have Adware on my computer how do I remove it?

    TheSuccMaster, Nov 1, 2019, in forum: Virus & Other Malware Removal
    Replies:
    1
    Views:
    487
    iMacg3
    Nov 1, 2019
  2. Sunfire03

    In Progress How do I remove win tonic from my computer?

    Sunfire03, Sep 22, 2019, in forum: Virus & Other Malware Removal
    Replies:
    1
    Views:
    424
    iMacg3
    Sep 22, 2019
  3. besthomefurniturebrands

    New How to remove the virus from WinRar file?

    besthomefurniturebrands, Jun 28, 2019, in forum: Virus & Other Malware Removal
    Replies:
    0
    Views:
    643
    besthomefurniturebrands
    Jun 28, 2019
  4. sarjil

    New How do i remove this IE4Data from my PC ?

    sarjil, Mar 23, 2019, in forum: Virus & Other Malware Removal
    Replies:
    0
    Views:
    668
    sarjil
    Mar 23, 2019
  5. Moizen94

    In Progress askpartnernetwork found virus, won't remove virus

    Moizen94, Feb 19, 2019, in forum: Virus & Other Malware Removal
    Replies:
    5
    Views:
    775
    iMacg3
    Feb 21, 2019
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272321

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice