Free Weekly Tech Newsletter

amose · 02-14-2005, 05:10 AM

hi
on this pc ther is somesort of a homepage hijacker.
I tried spybot and adaware in safe mode.
I tried to remove this line from hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://69.50.164.196/ie.html?said=v09
but it returns everytime.
any ideas what else should be removed?
(OS win 98SE)

Logfile of HijackThis v1.99.0
Scan saved at 12:19:43, on 14/02/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://start.traffer.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://start.traffer.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://69.50.164.196/ie.html?said=v09
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://start.traffer.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://69.50.164.196/?said=v09
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = ftp=proxy.huji.ac.il:8080;http=proxy.huji.ac.il:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = *.ac.il;*.huji.ac.il;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383}
- C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} -
C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
-atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network
Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network
Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Framework Service] "C:\Program
Files\Network Associates\Common Framework\FrameworkService.exe"
/ServiceStart
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: Download using FlashGet - A:\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O10 - Broken Internet access because of LSP provider
'c:\windows\system\nwws2nds.dll' missing
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object)
- http://www.expedia.com/daily/download/MSSurVid.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) -
http://irc.nana.co.il/Cabs/launcher.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game
Downloader) -
http://www.sonypictures.com/charlies...Downloader.cab
O16 - DPF: {346685E3-C383-11CF-A5A4-00AA00A45705} (ActiveX Control) -
http://imd.gonext.co.il/gonext/zazab...SISActiveX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
http://download.mcafee.com/molbin/is...83/mcfscan.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) -
http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) -
http://smartdownloader.com/installer.dll
O16 - DPF: {11010101-1001-1111-1000-110263637096} -
ms-its:mhtml:file://c:\nosuch.mht!http://dev.eurodnsservices.com/fwni/...m::/d_Main.exe
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) -
http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) -
http://www.errorguard.com/installation/Install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://www.bigfishgames.com/online/b...ploader_v6.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = huji.ac.il
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =
128.139.6.1,128.139.4.3
O19 - User stylesheet: (file missing)

thanks

**rjfvillarosa** · 02-14-2005, 07:24 AM

I would start by getting rid of these three.
O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object)

What antivirus and spyware scanners are you using, do you have a firewall?

***glc*** · 02-14-2005, 01:32 PM

O16 - DPF: {11010101-1001-1111-1000-110263637096} -
ms-its:mhtml:file://c:\nosuch.mht!http://dev.eurodnsservices.com/fwni...hm::/d_Main.exe
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) -
http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) -
http://www.errorguard.com/installation/Install.cab

amose · 02-14-2005, 11:00 PM

thanks i'll try it on thursday.

amose · 02-17-2005, 06:19 AM

it worked!

02-14-2005, 05:10 AM	#1
amose Member (8 bit) Join Date: Nov 2004 Posts: 174	homepage hijacker hi on this pc ther is somesort of a homepage hijacker. I tried spybot and adaware in safe mode. I tried to remove this line from hijackthis: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.164.196/ie.html?said=v09 but it returns everytime. any ideas what else should be removed? (OS win 98SE) Logfile of HijackThis v1.99.0 Scan saved at 12:19:43, on 14/02/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\NOVELL\CLIENT32\NWRECMSG.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\HJT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.traffer.ru R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://start.traffer.ru R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.164.196/ie.html?said=v09 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://start.traffer.ru R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.164.196/?said=v09 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.huji.ac.il:8080;http=proxy.huji.ac.il:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .ac.il;.huji.ac.il; O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE O4 - HKLM\..\RunServices: [McAfee Framework Service] "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe O8 - Extra context menu item: Download using FlashGet - A:\jc_link.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O10 - Broken Internet access because of LSP provider 'c:\windows\system\nwws2nds.dll' missing O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.expedia.com/daily/download/MSSurVid.cab O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher.cab O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charlies...Downloader.cab O16 - DPF: {346685E3-C383-11CF-A5A4-00AA00A45705} (ActiveX Control) - http://imd.gonext.co.il/gonext/zazab...SISActiveX.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...83/mcfscan.cab O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll O16 - DPF: {11010101-1001-1111-1000-110263637096} - ms-its:mhtml:file://c:\nosuch.mht!http://dev.eurodnsservices.com/fwni/...m::/d_Main.exe O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.bigfishgames.com/online/b...ploader_v6.cab O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = huji.ac.il O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.139.6.1,128.139.4.3 O19 - User stylesheet: (file missing) thanks

02-14-2005, 07:24 AM	#2
rjfvillarosa Staff Premium Member Join Date: Sep 2004 Location: Cardiff, Wales. UK Posts: 6,559	I would start by getting rid of these three. O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383 O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) What antivirus and spyware scanners are you using, do you have a firewall? __________________ Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread:

Need Some Help? Type Your Keywords Here:

Still Need Help? Type Your Keywords Here:

Free Weekly Tech Newsletter

02-14-2005, 01:32 PM	#3
*glc* Forum Administrator Staff Premium Member Join Date: May 2000 Location: Joplin MO Posts: 41,180	O16 - DPF: {11010101-1001-1111-1000-110263637096} - ms-its:mhtml:file://c:\nosuch.mht!http://dev.eurodnsservices.com/fwni...hm::/d_Main.exe O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

02-14-2005, 11:00 PM	#4
amose Member (8 bit) Join Date: Nov 2004 Posts: 174	thanks i'll try it on thursday.

02-17-2005, 06:19 AM	#5
amose Member (8 bit) Join Date: Nov 2004 Posts: 174	it worked!

Subscribe to THE INSIDER

Need Some Help? Type Your Keywords Here:

Still Need Help? Type Your Keywords Here:

Free Weekly Tech Newsletter