Getting tired of my browser being hijacked

Discussion in 'Windows - Virus and spyware problems' started by johnusn, Jul 26, 2006.

  1. johnusn

    johnusn Guest

    Have tried everything and can't stop my home page from changing:

    Hijackthis Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:28:03 PM, on 7/26/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\1147124820\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
    c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    D:\PROGRA~1\Trend Micro\Internet Security 2006\PcCtlCom.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    D:\PROGRA~1\Trend Micro\Internet Security 2006\Tmntsrv.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
    D:\PROGRA~1\Trend Micro\Internet Security 2006\TmPfw.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1147124820\ee\AOLSoftware.exe
    C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
    C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    D:\PROGRA~1\Panicware\Pop-Up Stopper Basic\PSBasic.exe
    D:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\AOL\1147124820\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCEvtHdlr.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    D:\Program Files\America Online 9.0\shellmon.exe
    C:\program files\common files\aol\1147124820\ee\services\sscAntiSpywarePlugin\ver1_205_1_1\AOLSP Scheduler.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    D:\PROGRA~1\Trend Micro\Internet Security 2006\tmproxy.exe
    c:\program files\common files\aol\1147124820\ee\aolssc.exe
    C:\WINNT\explorer.exe
    D:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gophersearch.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/home/home-pogop.jsp?sls=2&site=pogop&lkey=Q3m5iiSEFuLKGMJuCmb30QAAKDw.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\Program Files\Panicware\Pop-Up Stopper Basic\CCHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINNT\system32\rlmtcs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - D:\Program Files\Panicware\Pop-Up Stopper Basic\psbasic.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147124820\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
    O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1147124820\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
    O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
    O4 - HKCU\..\Run: [PopUpStopperBasic] "D:\PROGRA~1\Panicware\Pop-Up Stopper Basic\PSBasic.exe"
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [AOL Fast Start] "D:\Program Files\America Online 9.0\AOL.EXE" -b
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Reader\reader_sl.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
    O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1147124820\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
    O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
    O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\antivirus\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\Trend Micro\Internet Security 2006\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\Trend Micro\Internet Security 2006\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\Trend Micro\Internet Security 2006\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\Trend Micro\Internet Security 2006\tmproxy.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    Keeps going to Google...well at least the porn seems to have stopped
     
  2. thugs121

    thugs121 Regular member

    johnusn:

    Download the following software:

    Crap Cleaner: http://majorgeeks.com/download.php?det=4191

    Ewido Anti-Spyware: http://www.ewido.net/en/download/

    Java: http://java.com/en/download/windows_xpi.jsp

    - Your Java version is out of date and could be prone to vulnerabilities

    After installing Crap Cleaner (CCleaner), run it and select [bold]Run Cleaner[/bold]. Depending on how much stuff you've accumulated, it could be really fast or might take a few moments...

    After installing (or perhaps during installation), update Ewido for the latest signatures. This program's shareware for 30 days, but it will become the limited, free version after 30 days. Don't worry, as the definition updates are free... We will do a scan later...

    Open up Crap Cleaner, select [bold]Tools[/bold] from the left side. Scroll down the list and look for [bold]J2SE Runtime Environment 5.0 Update 6[/bold] (or something similar). After removal (if it prompts you to reboot the computer, go ahead and do so). If not, go ahead and install the updated version of Java from the link above.

    After all that, go ahead and boot into safe mode. Instructions here: http://www.pchell.com/support/safemode.shtml ...

    After you have successfully booted into safe mode, run Hijack This [bold](Perform a system scan only)[/bold] and place a checkmark for the following entries:

    [bold]
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gophersearch.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/home/home-pogop.jsp?sls=2&site=pogop&lkey=Q3m...

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINNT\system32\rlmtcs.dll

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    [/bold]

    After using Hijack This to remove those, run Ewido (Scanner --> Complete System Scan)

    When Ewido detects something, it may prompt you for an action to do something. You can either [bold]Quarantine[/bold] or [bold]Remove[/bold] it. I would first quarantine it just to be sure.

    After the scan has completed, post a new log using Hijack This and from Ewido...
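One way to triage a log like the one above automatically, as an added example that is not part of this thread: a small Python script that flags the same classes of entries the reply marks for removal (R0/R1 Internet Explorer settings pointing at a host the analyst has not approved or emptied out, a BHO loading from the system directory, and a toolbar CLSID with no file behind it). The sample lines are copied from the posted log; the trusted-host list and the system-directory heuristic are assumptions of this script, not HijackThis features.

```python
import re
from urllib.parse import urlparse

# Sample input: entries copied from the HijackThis log posted above (two benign
# lines included so the filter has something to let through).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINNT\system32\rlmtcs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
"""

# Heuristic (an assumption, not a HijackThis rule): legitimate BHOs ship under
# Program Files, so a BHO DLL dropped straight into the system directory is suspect.
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")

R_LINE = re.compile(r"^(R[01]) - (.+?) =\s*(.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O3_LINE = re.compile(r"^O3 - Toolbar: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

def audit_hjt(log_text, trusted_hosts):
    """Return (section, reason, detail) tuples for entries worth a closer look;
    trusted_hosts are the home/search-page hosts the analyst expects to see."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            section, key, value = m.groups()
            if not value:
                findings.append((section, "IE setting emptied", key))
            elif urlparse(value).hostname not in trusted:
                findings.append((section, "IE setting points at untrusted host", value))
        elif m := O2_LINE.match(line):
            name, _clsid, path = m.groups()
            if path.lower().startswith(SYSTEM_DIRS):
                findings.append(("O2", f"BHO '{name}' loads from system directory", path))
        elif m := O3_LINE.match(line):
            _name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append(("O3", "toolbar CLSID with no backing file", clsid))
    return findings

if __name__ == "__main__":
    for finding in audit_hjt(SAMPLE_LOG, {"www.google.com"}):
        print(*finding, sep=" | ")
```

Run against the sample it reports exactly the five entries the reply checks, and lets the Java BHO and the AOL toolbar through.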
     
