1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Virus Changing Homepage

Discussion in 'Virus & Other Malware Removal' started by llprovost, Sep 6, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. llprovost

    llprovost Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    7
    My homepage keeps defaulting to a porn webpage. I have Windows XP. I have scanned my computer with Norton, Spysweeper and Ad Aware SE. I cannot get rid of this. Could you help?
     
  2. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Hello llprovost. Welcome to the TSG

    This is what I suggest you do first.

    Make sure you have the up-to-date versions of Spybot, Ad-Aware SE 1.04 and HijackThis. All are free and available bellow.

    Download Spybot, install and update. Then download Ad-aware, install, and update.

    Spybot:
    Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

    Close ALL windows except Spybot S&D
    Click the button to "Search for Updates" and download and install the Updates.
    Next click the button "Check for Problems"
    When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
    Put a check mark beside the RED (RED) entries ONLY.
    Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

    Ad-Aware FULL SCAN:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Before restart, Empty Recycle Bin.

    Restart your computer.

    Download HijackThis from link in my signature. Save it to a permanent folder (I create a new folder in C:\ named HJT). Open and hit scan, then save log. Once it is saved it will open in notepad. Select all from the edit button, copy and paste the results here. Don't fix anything with it yet! Someone experienced with the logs will advise you.
     
  3. llprovost

    llprovost Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    7
    Logfile of HijackThis v1.98.2
    Scan saved at 9:14:01 PM, on 9/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\LORI FLETCHER\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-cfh-andy
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-cfh-andy
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {7621039D-911B-1A3D-343B-0F72B58EF21C} - C:\WINDOWS\syskr32.dll (file missing)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\LORI FLETCHER\Local Settings\Temp\Ica0K.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Media-Search] "C:\Program Files\msnet\v9\msnet.EXE" /H
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [s3U4S] C:\documents and settings\lori fletcher\local settings\temp\s3U4S.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Corel Network monitor worker - {4D5EF745-C490-40BD-B53C-1906B1D97D37} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {4D5EF745-C490-40BD-B53C-1906B1D97D37} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  4. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    I suggest you do this: You might want to print this out.

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"


    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-cfh-andy

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-...k=sbar1_srchbtn

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.media-search.net/nph-...ok=stmpl1&find=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-...k=sbar1_srchbtn

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-...ok=stmpl1&find=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.media-search.net/nph-...ok=stmpl1&find=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-...ok=stmpl1&find=

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-cfh-andy

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {7621039D-911B-1A3D-343B-0F72B58EF21C} - C:\WINDOWS\syskr32.dll (file missing)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\LORI FLETCHER\Local Settings\Temp\Ica0K.dll

    O4 - HKLM\..\Run: [Media-Search] "C:\Program Files\msnet\v9\msnet.EXE" /H
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

    O4 - HKLM\..\Run: [s3U4S] C:\documents and settings\lori fletcher\local settings\temp\s3U4S.exe

    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)

    O9 - Extra button: Corel Network monitor worker - {4D5EF745-C490-40BD-B53C-1906B1D97D37} - (no file)

    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {4D5EF745-C490-40BD-B53C-1906B1D97D37} - (no file)

    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)

    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=

    Restart in Safe Mode:
    Restart your computer.

    Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
    Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these Folders and File if still present

    C:\PROGRA~1\Toolbar <---Delete Folder
    C:\Program Files\msnet <---Delete Folder
    C:\PROGRA~1\NEWDOT~1 <---Delete Folder
    C:\spe <---Delete Folder

    C:\Windows\remove_me.dll <---Delete File


    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


    Next navigate to the C:\Documents and Settings\(EVERY USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin


    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn it back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.

    You need to put your HijackThis in a permanent folder. Create a Folder like C:\HJT. Cut / paste the HijackThis.exe you have now.


    Scan again and post a new HJT log.
     
  5. llprovost

    llprovost Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    7
    Not sure if I did this right but here is my new log...

    Logfile of HijackThis v1.98.2
    Scan saved at 10:49:20 AM, on 9/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-search.cgi?track=mssb1&look=sbar1_srchbtn
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-search.cgi?track=mssrc&look=stmpl1&find=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  6. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    NewDotNet needs to be removed from add/remove programs.... but you MUST be online to remove it. Run Spybot immediately afterwards just to make sure its gone....

    It also creates a directory in your Windows main folder that I've always had to remove manually....

    I suggest you do this:

    Now run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked" On these if they are still there.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.media-search.net/nph-...k=sbar1_srchbtn

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.media-search.net/nph-...ok=stmpl1&find=

    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net

    Restart in Safe Mode:
    Restart your computer.

    Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
    Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


    Next navigate to the C:\Documents and Settings\(EVERY USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin


    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn it back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.


    Scan again and post a new HJT log.
    __________________
     
  7. llprovost

    llprovost Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    7
    I followed your instructions but a system restore wizard did not come up. It just asked if I wanted to turn it back on. Thank you so much for your help.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:46:14 PM, on 9/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  8. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Log looks good now (y) How's it running?

    Do this:

    Open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link bellow for SpywareBlaster, download, install and update. Check for updates weekly. Still in Spybot, click tools in the left pane, then click IE tweaks and at least lock the HOSTS file. Then download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.
     
  9. llprovost

    llprovost Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    7
    It is running fine now! Thank you for all of your help!
     
  10. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Glad we were able to help (y) Spread the word about TSG
     
  11. llprovost

    llprovost Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    7
    I certainly will and I do plan to donate!
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/271002

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice