
HJT-BlueStar


6 replies to this topic

#1 BlueStar


Posted 17 October 2004 - 03:01 PM

Homepage hijacked to "http://my-searcher.com/index.htm". I have tried Spybot, Ad-Aware, Spyware doctor, CWShredder, problem still there. Thank you for your help!

Here is the Log:

Logfile of HijackThis v1.98.2
Scan saved at 3:42:50 PM, on 10/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\!sunv\dfyd\AutoP.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lavasoft\Spyware Doctor\spydoctor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Happy\Desktop\Spyware Remve\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {CAE05C12-C151-11D4-9B88-0000B4C2C1C0} - C:\WINDOWS\System32\regsvr32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Autop] C:\Program Files\!sunv\dfyd\AutoP.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP6100b] C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Lavasoft\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Shortcut to IEXPLORE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097977278832
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

#2 BlueStar


Posted 18 October 2004 - 12:27 PM

Did anybody see a problem in this log? Thanks in advance!

#3 'KotaGuy


Posted 18 October 2004 - 12:39 PM

Hi BlueStar, welcome to BleepingComputer!

I'll be analyzing your log and will get back to you as soon as I can.

Thanks!

#4 'KotaGuy


Posted 18 October 2004 - 02:16 PM

Hi BlueStar!

Just a couple questions before I formulate a fix for you.

Do you have an Anti-Virus program installed on your computer, or network if this is a work computer? I don't see any of the usual entries I'd usually see if there was some form of Anti-Virus protection.

Also, do you recognize the active process C:\Program Files\!sunv\dfyd\AutoP.exe or the folders (C:\..\!sunv\dfyd) it is in? I was unable to find any information on it and don't want to end up "fixing" something I shouldn't.

Do you know about this active process C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe?

Thanks!

#5 BlueStar


Posted 18 October 2004 - 04:50 PM

Hi, 'KotaGuy,

Thank you for your reply. This is my home PC, no anti-virus software. Dial-up through ISP.

I have no idea what these two processes are. I'll see if I can find something more about them tonight when I get back home.

Thanks a lot!

#6 BlueStar


Posted 18 October 2004 - 07:18 PM

'KotaGuy,

I just found that C:\Program Files\!sunv\dfyd\AutoP.exe is the VCD/DVD player.
The other process, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe, looks very suspicious, so I renamed the exe file, moved it out of the Startup directory, changed my homepage setting and rebooted the PC.

Guess what? Problem solved! I really appreciate you pointing it out.

#7 'KotaGuy


Posted 19 October 2004 - 07:05 PM

OK! Just have a little bit to clean up.

First... you mentioned no Anti-Virus. You should have some form of Anti-Virus Protection for your computer. Please download and install AVG Anti-Virus Free Edition. Make sure to update the program and its definition files.

Now, you stated you moved and renamed winlgn.exe... do you remember where? If you do, could you please zip it up and send it here.

Please make sure no files are hidden.

1. Open My Computer.
2. Select the Tools menu and click Folder Options.
3. Select the View Tab.
4. Under the Hidden files and folders heading select Show hidden files and folders.
5. Uncheck the Hide protected operating system files (recommended) option.
6. Click Yes to confirm.
7. Click OK.

I need you to copy this file C:\WINDOWS\System32\regsvr32.exe to a different folder, some place that you will remember where it is as I will have you move it back to its original folder later.

Now, run and scan with HijackThis. With all other browsers and windows closed place a check beside the following and fix:

O2 - BHO: (no name) - {CAE05C12-C151-11D4-9B88-0000B4C2C1C0} - C:\WINDOWS\System32\regsvr32.exe
O4 - Global Startup: winlgn.exe


This line: O4 - Startup: Shortcut to IEXPLORE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE seems suspicious. It basically autostarts Internet Explorer as soon as the computer boots up. If you have not set Internet Explorer to autostart, fix the line as well.

Move regsvr32.exe back to the C:\WINDOWS\System32 folder.

Boot into Safe Mode. To do this, tap the F8 button as your computer restarts. This will bring you to an Advanced Options menu. Choose Safe Mode and hit Enter.

Once in safe mode, delete the winlgn.exe file you renamed and moved.

Reboot Windows normally, and with only HijackThis running, scan and post the new log.

Thanks!
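The three things 'KotaGuy picked out of the log above (a BHO entry whose file is an .exe rather than a COM DLL, a Global Startup entry that is a bare file name with no path, and a Startup shortcut that launches Internet Explorer) can be checked mechanically. The script below is an added example, not something posted in this thread or part of HijackThis; it parses the O2/O4 line formats of HijackThis v1.98.2 and applies those three heuristics to entries copied from the posted log. The heuristics and the helper names are the example's own.

```python
import re

# Constructed sample: five entries copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {CAE05C12-C151-11D4-9B88-0000B4C2C1C0} - C:\WINDOWS\System32\regsvr32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Shortcut to IEXPLORE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: winlgn.exe
"""

# "O2 - BHO: <name> - {<CLSID>} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# "O4 - <location>: [<value name>] <command>"  or  "O4 - Startup: <name>.lnk = <target>"
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<key>[^\]]*)\] )?(?P<target>.*)$")


def launched_file(target):
    """Return the program an O4 entry runs, dropping the .lnk name, quotes and arguments."""
    if " = " in target:                       # Startup-folder shortcut: "name.lnk = real target"
        target = target.split(" = ", 1)[1]
    target = target.lstrip('"')
    m = re.match(r"(.*?\.(?:exe|com|bat|scr|pif|dll))(?=\W|$)", target, re.I)
    return m.group(1) if m else target


def triage(log_text):
    """Return (line, reason) pairs for O2/O4 entries that match the thread's three heuristics."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            # A Browser Helper Object is a COM DLL; an O2 entry pointing at an .exe does not belong.
            if not path.lower().endswith((".dll", ".ocx")):
                findings.append((line, f"BHO {m.group('clsid')} loads a non-DLL file: {path}"))
            continue
        m = O4_RE.match(line)
        if m:
            where, exe = m.group("where"), launched_file(m.group("target"))
            if "\\" not in exe:               # bare file name: no path, so it came from a startup folder
                findings.append((line, f"{where} entry '{exe}' has no path; inspect the file"))
            elif exe.lower().endswith("iexplore.exe"):
                findings.append((line, f"{where} entry starts Internet Explorer at logon"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```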
