Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HOME PAGE


  • Please log in to reply
5 replies to this topic

#1 vidyaraj

vidyaraj

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 13 November 2004 - 08:32 AM

Dear friends one new site occupied my IE Home page which is "mk:@MSITStore:C:\spe\start.chm::/start.html#" "www.heretofind.com/show.php?id=15&q" please help me to remove

hyjack scan given below plaese tell me which should remove
thank you
vidyaraj..


Logfile of HijackThis v1.98.2
Scan saved at 5:09:48 AM, on
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ARMOR2NET\ARMOR2NET PERSONAL FIREWALL\ARMOR2NET.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\APPLICATION DATA\PAEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysingtel.com.sg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YCOMP.DLL (disabled by BHODemon)
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\PROGRAM FILES\ARMOR2NET\ARMOR2NET PERSONAL FIREWALL\POPUPKILLER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YCOMP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
O4 - HKLM\..\Run: [ARMOR2NET] C:\PROGRAM FILES\ARMOR2NET\ARMOR2NET PERSONAL FIREWALL\Armor2net.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Uhrw] C:\WINDOWS\Application Data\paec.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Corel Network monitor worker - {3C4F8368-ECA2-495E-8E53-28D8E1E45B28} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3C4F8368-ECA2-495E-8E53-28D8E1E45B28} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {3C4F8368-ECA2-495E-8E53-28D8E1E45B28} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3C4F8368-ECA2-495E-8E53-28D8E1E45B28} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

BC AdBot (Login to Remove)

 


#2 Submit2s

Submit2s

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:USA-Missouri
  • Local time:10:45 AM

Posted 13 November 2004 - 09:18 AM

***post removed***

Edited by groovicus, 13 November 2004 - 11:30 AM.

"We are what we think, All that we are arises in our thoughts; with our thoughts, we make the world. You can make your world or break your world by your thinking." Buddha~

#3 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:45 AM

Posted 13 November 2004 - 11:46 AM

[edited]

vidyaraj please do not act on it until an Administrator, Moderator or member of the HJT Team posts to your Topic

Edited by cryo, 13 November 2004 - 11:47 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:45 AM

Posted 13 November 2004 - 05:30 PM

Hi

Please uninstall this program from Add\Remove Programs (Start --> Control Panel --> Add\Remove Programs)
Wndows Syncroad or WindUpdates

It is a good ideea to print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#

O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
O4 - HKCU\..\Run: [Uhrw] C:\WINDOWS\Application Data\paec.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Corel Network monitor worker - {3C4F8368-ECA2-495E-8E53-28D8E1E45B28} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3C4F8368-ECA2-495E-8E53-28D8E1E45B28} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {3C4F8368-ECA2-495E-8E53-28D8E1E45B28} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3C4F8368-ECA2-495E-8E53-28D8E1E45B28} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)

O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\Application Data\paec.exe <-- this file

Delete these folders:
C:\spe\ <-- this file
C:\PROGRAM FILES\WINDOWS SYNCROAD\ <-- this file

Empty the Recycle Bin.

REBOOT normally.

Run HijackThis! again and post a new log.

Are you using two firewalls ? Symantec and armor2net personal firewall ?
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 vidyaraj

vidyaraj
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 14 November 2004 - 08:10 AM

Thank you so much

problem rectified

thank you


vidyaraj

#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:45 AM

Posted 14 November 2004 - 08:13 AM

vidyaraj please post a fresh HJT log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users