IE Homepage Hijacked
3 replies to this topic

#1 DeadheadDuke


Posted 22 January 2005 - 09:16 AM

I created this log from a neighbor's computer. I am aware that I need to put the program into a folder and run it from there. The homepage for the browser can only be changed temporarily then it automatically returns to a Yahoo home page. If someone sees the problem here please let me know.

Thanks,
Cecil Britton


Logfile of HijackThis v1.99.0
Scan saved at 11:12:32 AM, on 1/20/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\STUTFIX.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 98\QSHELF98.EXE
C:\PROGRAM FILES\PLUSTEK USA\SCANNER\TBCLASS\BIN\TBMENU.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tucson.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [CPQ BackWeb Monitor] C:\CPQS\TOOLS\BackMon2.exe
O4 - HKLM\..\Run: [DSS] SOFTWARE\Broderbund Software\DSS\AppList\178220
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [Scheduling Agent] C:\windows\system\mstask.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Startup: BackWeb.LNK = C:\CPQS\BackWeb\Program\UserProf.EXE
O4 - Startup: TextBridge Instant Access.lnk = C:\Program Files\Plustek USA\Scanner\TBClass\bin\TBMenu.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Quik - {80BEB560-3FDA-11D5-A635-F0995474E67C} - http://www.quik.com (file missing) (HKCU)

#2 phawgg


Posted 23 January 2005 - 03:44 AM

I'll check your neighbor's PC log, DeadheadDuke
It's likely goin' take a day before you get a reply.
I study it, prep a fix and post it for expert scrutiny.
Takes time. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg


Posted 24 January 2005 - 04:00 PM

DeadheadDuke,
I found one entry not good, another useless
and several others that are possibly not needed by your neighbor at startup.

Download & Install System Security Suite
Install this program, look it over, read about it, but don't run it quite yet.

Start-->Run--> type msconfig. (Note: win98 screen differs somewhat from the illustration)
Uncheck C:\COMPAQ\INTERNET\WATCHDOG.EXE (some additional information)
since it may be what is causing the re-direct to yahoo.
Reboot

Show hidden files.

Open your C:\HJT folder and double-click the icon.
Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
O9 - Extra button: Quik - {80BEB560-3FDA-11D5-A635-F0995474E67C} - http://www.quik.com (file missing) (HKCU)

Fix Checked button is clicked when you are certain of the deletions.

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, in the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options.
At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Scan online for viruses at Bitdefender if you'd like an extra measure of assurance.

Run HijackThis again and post the new log as a reply to this post.
Please include comments.
Would you like to delete optionals, too?
Additional steps may be required before we are completely finished.

Edited by phawgg, 24 January 2005 - 04:04 PM.


#4 DeadheadDuke


Posted 30 January 2005 - 09:11 AM

Phawgg. Thanks for the reply and I apologize for being so slow getting back to it. I went through the HJT routine and removed all the possibly offending entries except the one referencing "Quik". That one is put there by the lady's legitimate ISP so I assume it to be okay.

I join you in your enthusiasm about the MS Security tool. I have already seen good results from it on my own Win 2000 setup. I was under the impression until now that it was only Win 2000 or XP compatible but I will check back on that. If it will work on the 9x variety that will be great.

Since removing the registry entries didn't fix the problem I had come to the conclusion that the problem must be in something running at startup but haven't had the chance to get back to the computer to try disabling the program you mentioned and a couple of others that look suspicious.

Your response was well constructed and intelligent. Thanks again.

Cecil Britton
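
Added example (not posted by anyone in this thread): the thread narrows the homepage reset to something that runs at startup, so this Python script parses a HijackThis log and lists the O4 autostart entries whose executable also appears under "Running processes", along with the R0/R1 browser settings. The sample is an excerpt of the log in post #1; the function names are illustrative.

```python
import re
from ntpath import basename  # Windows path rules on any host OS
# Excerpt of the HijackThis log from post #1 (trimmed for the example).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\STUTFIX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tucson.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Quik - {80BEB560-3FDA-11D5-A635-F0995474E67C} - http://www.quik.com (file missing) (HKCU)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O4 - <detail>"
RUN = re.compile(r"^\S+: \[(.+?)\] (.+)$")            # "HKLM\..\Run: [name] command"
EXE = re.compile(r"^(.*?\.(?:exe|tsk))(?:\s|$)", re.I)  # executable path, arguments dropped

def parse(log):
    """Split a log into running-process paths and (code, detail) entries."""
    running, entries, in_procs = [], [], False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.append(line)
    return running, entries

def autostart_running(running, entries):
    """O4 Run/RunServices entries whose executable is currently running."""
    live = {basename(p).lower() for p in running}
    hits = []
    for code, detail in entries:
        m = RUN.match(detail) if code == "O4" else None  # Startup-folder .lnk lines are skipped
        exe = EXE.match(m.group(2)) if m else None       # None when the value is not an executable
        if exe and basename(exe.group(1)).lower() in live:
            hits.append((m.group(1), exe.group(1)))
    return hits

def browser_settings(entries):
    """R0/R1 entries as (registry value, URL) pairs."""
    return [tuple(d.split(" = ", 1)) for c, d in entries if c in ("R0", "R1") and " = " in d]
```

Matching is by file name only, so an autostart entry given without a path (such as `mstask.exe`) is matched against any running process of that name.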