 D-oh...I've been Hijacked, A little help with Home search assistant |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
| Important Announcement: The winners of the BC Million Post contest have been announced. You can read who the winners are at this post. - BleepingComputer Management |
Forum Guidelines
Read this topic before posting a log. DO NOT post a ComboFix log unless requested to. Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log. When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc. Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  |
  Dec 22 2004, 03:28 PM
Post
#1
|
|
|
New Member  Group: Members Posts: 4 Joined: 22-December 04 Member No.: 7,650  |
Logfile of HijackThis v1.99.0 Scan saved at 5:58:46 PM, on 12/21/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\WINDOWS\SYSTEM\TABLET.EXE C:\PROGRAM FILES\F-SECURE\COMMON\FSMA32.EXE C:\PROGRAM FILES\COMCAST\SECURITY MANAGER\APP\AUTHSL.EXE C:\PROGRAM FILES\F-SECURE\COMMON\FSMB32.EXE C:\PROGRAM FILES\F-SECURE\COMMON\FCH32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\GWMDMMSG.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\HPZTSB06.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\F-SECURE\COMMON\FSM32.EXE C:\WINDOWS\TEMP\F343.TMP.EXE C:\PROGRAM FILES\COMCAST\SECURITY MANAGER\APP\PRISM.EXE C:\PROGRAM FILES\F-SECURE\COMMON\FNRB32.EXE C:\PROGRAM FILES\F-SECURE\COMMON\FAMEH32.EXE C:\PROGRAM FILES\F-SECURE\BACKWEB\7681197\PROGRAM\BACKWEB-7681197.EXE C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE C:\PROGRAM FILES\F-SECURE\COMMON\FSGK32.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\PROGRAM FILES\F-SECURE\COMMON\FIH32.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\PROGRAM FILES\F-SECURE\ANTI-VIRUS\FSAV32.EXE C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE C:\VSTASCAN\VSACCESS.EXE C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpiho.dll/sp.html#93256 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpiho.dll/sp.html#93256 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpiho.dll/sp.html#93256 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpiho.dll/sp.html#93256 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com R3 - Default URLSearchHook is missing O2 - BHO: Class - {069149E3-74E2-05DC-C3E8-CB7EA196605E} - C:\WINDOWS\SYSTEM\CRIU32.DLL O2 - BHO: (no name) - {E434D3C7-A673-4100-8140-79C020945017} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: (no name) - {53829F91-1B06-4DB9-B13E-812A986169F9} - (no file) O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [Gateway Ink Monitor] C:\Program Files\Gateway\Gateway Ink Monitor\InkMonitor.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APP5160.TMP O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [vm4i36g] MTXNU.EXE O4 - HKLM\..\Run: [F343.TMP] C:\WINDOWS\TEMP\F343.TMP.exe 0 10001 O4 - HKLM\..\Run: [F343.TMP.EXE] C:\WINDOWS\TEMP\F343.TMP.EXE 0 10001 O4 - HKLM\..\Run: [Security Manager] C:\Program Files\Comcast\Security Manager\app\SecurityManager.exe O4 - HKLM\..\Run: [SDKPT32.EXE] C:\WINDOWS\SYSTEM\SDKPT32.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe O4 - HKLM\..\RunServices: [fsaa] C:\Program Files\F-Secure\Common\fsaa.exe O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\Program Files\F-Secure\Common\FSMA32.EXE O4 - HKLM\..\RunServices: [CurtainsSysSvc] C:\Program Files\Comcast\Security Manager\app\AuthSL.exe O4 - HKLM\..\RunServices: [MSKR.EXE] C:\WINDOWS\SYSTEM\MSKR.EXE O4 - HKLM\..\RunServices: [NTQJ.EXE] C:\WINDOWS\NTQJ.EXE O4 - HKLM\..\RunServices: [D3BX.EXE] C:\WINDOWS\SYSTEM\D3BX.EXE O4 - HKCU\..\Run: [eDvsRWMpU] SHFHELP.EXE O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\winzip\WZQKPICK.EXE O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE O4 - Global Startup: FS BackWeb.lnk = C:\Program Files\F-Secure\BackWeb\7681197\Program\backWeb-7681197.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com O15 - Trusted Zone: *.slotch.com O15 - Trusted Zone: *.blazefind.com O15 - Trusted Zone: *.05p.com O15 - Trusted Zone: *.searchmiracle.com O15 - Trusted Zone: *.clickspring.net O15 - Trusted Zone: *.mt-download.com O15 - Trusted Zone: *.flingstone.com O15 - Trusted Zone: *.my-internet.info O15 - Trusted Zone: *.scoobidoo.com O15 - Trusted Zone: *.searchbarcash.com O15 - Trusted Zone: *.awmdabest.com O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.static.topconverting.com O15 - Trusted Zone: *.05p.com (HKLM) O15 - Trusted Zone: *.searchmiracle.com (HKLM) O15 - Trusted Zone: *.clickspring.net (HKLM) O15 - Trusted Zone: *.blazefind.com (HKLM) O15 - Trusted Zone: *.mt-download.com (HKLM) O15 - Trusted Zone: *.flingstone.com (HKLM) O15 - Trusted Zone: *.slotch.com (HKLM) O15 - Trusted Zone: *.my-internet.info (HKLM) O15 - Trusted Zone: *.scoobidoo.com (HKLM) O15 - Trusted Zone: *.searchbarcash.com (HKLM) O15 - Trusted Zone: *.awmdabest.com (HKLM) O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) O15 - Trusted Zone: *.static.topconverting.com (HKLM) O15 - Trusted IP range: 206.161.125.149 O15 - Trusted IP range: 206.161.125.149 (HKLM 
|
 |
 
|
|
Dec 23 2004, 04:19 PM
Post
#2
|
|
 Bleep Bleep! Group: Admin Posts: 29,367 Joined: 24-January 04 From: USA Member No.: 3 |
Download the attached zip file and unzip it to your desktop.
http://www.mvps.org/winhelp2002/DelDomains.inf Right-click on the deldomains.inf file and select 'Install' Then Download cwshredder 2.12 from here: http://cwshredder.net/bin/CWShredder.exe Run the file after it is downloaded and click on the fix button. Let it do its thing and when its done, even if it crashes. When its done run hijackthis again post a new log -------------------- Lawrence
|
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 21st November 2008 - 10:54 PM |
© 2003-2008 All Rights Reserved Bleeping Computer LLC.