Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91911 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

browser Hijack - HJT file here for your help


  • This topic is locked This topic is locked
4 replies to this topic

#1 CDWangs

CDWangs

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 09 November 2005 - 01:26 PM

Hello! My browser is continually popping up with 69.50.164.197 as the home page, and will not stay on the one I want it to be. I have enclosed the Hijack this log file here. Could someone please tell me what I should do to remove it? I've tried Spybot, AdAware, etc... nothing seems to remove it. Windows 98 machine.

Thank you!

-Mark Lyons

HJT log file follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:20:23 PM, on 11/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVINIT9X.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\DVPRPT.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\SCHSC9X.EXE
C:\WINDOWS\SYSTEM\SYSTEM32.EXE
C:\PROGRAM FILES\PRINTKEY20\PRINTKEY20.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\PROGRAM FILES\RMCLIENT\PMCTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.164.197/ie.html?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.164.197/?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.211.30.13:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [avinit] C:\PROGRA~1\COMMAN~1\COMMAN~1\AVINIT9X.EXE
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\COMMAN~1\COMMAN~1\CUAGENT.EXE
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\DVPRPT.EXE
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\AVTRAY.EXE
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\VCHK.EXE
O4 - HKLM\..\Run: [AVSchedScan] C:\PROGRA~1\COMMAN~1\COMMAN~1\SCHSC9X.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [system32.exe] C:\WINDOWS\SYSTEM\system32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSS_Central] C:\PROGRA~1\COMMAN~1\F-PROT95\CSS_1631.EXE
O4 - HKLM\..\RunServices: [dvpapi9x] C:\PROGRA~1\COMMAN~1\F-PROT95\DVPAPI9X.EXE
O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\wbem\winmgmt.exe
O4 - HKLM\..\RunServices: [MicrosoftWBEMCIMObjectManager] C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Shortcut to PrintKey20.exe.lnk = C:\Program Files\printkey20\PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 15 November 2005 - 04:34 PM

Hello CDWangs, welcome to the forum. Sorry about the delay in responding :( If you still need help, Scan again with HijackThis, and copy/paste" a new log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 CDWangs

CDWangs

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 16 November 2005 - 03:40 PM

Thank you for getting back in touch with me. I also haven't heard about any available classes yet. I'd love to learn how to do this...

Here is the scan as of just a minute ago:

Logfile of HijackThis v1.99.1
Scan saved at 4:40:57 PM, on 11/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVINIT9X.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\DVPRPT.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\SCHSC9X.EXE
C:\WINDOWS\SYSTEM\SYSTEM32.EXE
C:\PROGRAM FILES\PRINTKEY20\PRINTKEY20.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\PROGRAM FILES\RMCLIENT\PMCTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
J:\AMWSQL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.164.197/ie.html?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.164.197/?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.211.30.13:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [avinit] C:\PROGRA~1\COMMAN~1\COMMAN~1\AVINIT9X.EXE
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\COMMAN~1\COMMAN~1\CUAGENT.EXE
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\DVPRPT.EXE
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\AVTRAY.EXE
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\VCHK.EXE
O4 - HKLM\..\Run: [AVSchedScan] C:\PROGRA~1\COMMAN~1\COMMAN~1\SCHSC9X.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [system32.exe] C:\WINDOWS\SYSTEM\system32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSS_Central] C:\PROGRA~1\COMMAN~1\F-PROT95\CSS_1631.EXE
O4 - HKLM\..\RunServices: [dvpapi9x] C:\PROGRA~1\COMMAN~1\F-PROT95\DVPAPI9X.EXE
O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\wbem\winmgmt.exe
O4 - HKLM\..\RunServices: [MicrosoftWBEMCIMObjectManager] C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Shortcut to PrintKey20.exe.lnk = C:\Program Files\printkey20\PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 16 November 2005 - 04:54 PM

Here's the link to join the classroom.
http://forums.tomcoy...?showtopic=1421


This is what I suggest you do.


Please do not delete anything unless instructed to.



Download CWShredder from my signature below. Unzip it on the desktop.
Open CWShredder and with ALL other windows closed, click fix.


Go here and run at least one of the online scans, allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note any thing that can't be fixed
Reboot when done.

Next:

Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.4 and Ad-aware SE Build 1.06 . All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:

Install the program and launch it.

Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
Put a check mark beside the RED (RED) entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.



Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 01 December 2005 - 04:16 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users