|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
|
|
#1
July 20th, 2004, 10:28 PM
|
|||
|
|||
My hompage has been hijacked by my-search please help
I ran hijack this and this is what it gave me please help.
Logfile of HijackThis v1.97.7 Scan saved at 10:26:43 PM, on 7/20/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\BRMFRSMG.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\pwcungur.exe C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE C:\PROGRA~1\Grisoft\AVG6\avgw.exe C:\Program Files\Windows Media Player\wmplayer.exe C:\Program Files\AIM\aim.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\josh\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = URL R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts O1 - Hosts: 81.211.105.69 lender-search.com O1 - Hosts: 81.211.105.68 hot-searches.com O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [MSConfig] E:\Desktop Utilities\msconfig.exe /auto O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [ulsio] C:\WINDOWS\pwcungur.exe O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe O4 - HKLM\..\Run: [joaquicro] C:\WINDOWS\System32\qfpguf.exe O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2 O4 - HKLM\..\Run: [Spyware remover] C:\WINDOWS\Remove_spyware.exe O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: AIM (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O10 - Broken Internet access because of LSP provider 'osmim.dll' missing O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - URL O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - URL O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spence.com O17 - HKLM\Software\..\Telephony: DomainName = spence.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spence.com
|
|
#2
July 21st, 2004, 02:55 PM
|
|||
|
|||
|
Hi ofna,
You appear to have items disabled with MSConfig: Go to Start > Run > msconfig > click Startup Tab > everything should have a checkmark to the left of it. Remove Twain-Tech: Click on Start > Settings > Control Panel > Add/Remove Programs > Select twain-tech > Click on Add/Remove Perform an online virus scan at two of the sites listed: Trend Micro Housecall http://housecall.trendmicro.com/ Panda Active Scan www.pandasoftware.com/activescan/activescan Bitdefender http://www.bitdefender.com/scan/licence.php Please update HijackThis, you are using an outdated version: Open HijackThis, click Config > Misc Tools > Check for Update online Or download a copy of version 1.98 at: http://www.majorgeeks.com/download3155.html Post a fresh log with this new version. Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
|
|
#3
July 21st, 2004, 05:18 PM
|
|||
|
|||
|
Hi Tom,
THanks for helping me. I looked at Msconfig to see if somthing was unchecked but everything was checked. Also i looked for Twain-Tech in and/remove programs and it wasent there. I updated HijackThis and here is my fresh log: Logfile of HijackThis v1.98.0 Scan saved at 5:14:51 PM, on 7/21/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\BRMFRSMG.EXE C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\josh\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = URL R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = URL R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts O1 - Hosts: 81.211.105.69 lender-search.com O1 - Hosts: 81.211.105.68 hot-searches.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll O2 - BHO: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [MSConfig] E:\Desktop Utilities\msconfig.exe /auto O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [ulsio] C:\WINDOWS\pwcungur.exe O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe O4 - HKLM\..\Run: [joaquicro] C:\WINDOWS\System32\qfpguf.exe O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2 O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O10 - Broken Internet access because of LSP provider 'osmim.dll' missing O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - URL O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - URL O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - URL O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spence.com O17 - HKLM\Software\..\Telephony: DomainName = spence.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spence.com O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
|
|
#4
July 22nd, 2004, 06:03 PM
|
|||
|
|||
|
You might want to print these instructions.
Disable System Restore: 1 Right-click My Computer, and then click Properties. 2 Click the System Restore tab. 3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box. 4 Click Apply 5 this will delete all existing restore points. Click Yes to do this. 6 Click OK. Please download and run LSPFix from here: http://cexx.org/LSPFix.exe On the opening screen, click "I know what I'm doing".. Check all instances of "osmim.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish. You have a coolwebsearch infection, among other things. Please download CWShredder written by Merijn Bellekom from Here Press "Check for Update" and download any new updates available. Close ALL browser windows or it may not work! Unzip it to a convenient location such as your Desktop and select "Fix" (do not just Scan). It will automatically remove the infections. Remove : TvMedia Click on Start > Settings > Control Panel > Add/Remove Programs > Select TvMedia > Click on Add/Remove Logoff your internet connection.Please press Ctrl-Alt-Delete and open Task Manager. End the following process by selecting it and pressing the End Process button and clicking Yes to the confirmation message: ARUpdate.exe wast2.exe Zstb.exe Tvm.exe pwcungur.exe qfpguf.exe Please move or unzip HijackThis to a permanent folder such as C:\HJT\HijackThis.exe It is important that it is in it's own folder as it will make important backups of what we will fix. Run HijackThis, close all browsers and any other windows, place a checkmark next to the following items. Click "fix checked". R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://searchcentral.cc/index.php?v=4&aff=2546 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts O1 - Hosts: 81.211.105.69 lender-search.com O1 - Hosts: 81.211.105.68 hot-searches.com O2 - BHO: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll O2 - BHO: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2 O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...ab/Ud3rT0n5.cab O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/chedownzip.cab O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll Your computer crashed at one point, this is related to memory dumps. Ok to fix: O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k Resource hog that launches common MS Office components to help speed up the launch of Office programs. Ok to fix: O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE If these don't seem to be familiar programs, fix them too. They appear to be random filenames: O4 - HKLM\..\Run: [ulsio] C:\WINDOWS\pwcungur.exe O4 - HKLM\..\Run: [joaquicro] C:\WINDOWS\System32\qfpguf.exe Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode. Show hidden files: How to Show hidden files and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html Delete the following files: C:\WINDOWS\AdRoar.dll C:\WINDOWS\ARUpdate.exe C:\WINDOWS\wast2.exe C:\WINDOWS\System32\xplugin.dll Delete the following folders: C:\Program Files\TV Media\ C:\WINDOWS\nsdb\hosts C:\Program Files\zSearch\ Open My Computer, browse to C:\documents and settings\User Name(repeat for all users)\local settings\temp folder and delete all files and folders in it. Open My Computer, browse to C:\Windows\Temp folder and delete all files and folders in it. Internet Explorer click Tools > Internet Options > General. Click "Delete Files",also check "delete all offline content" Click OK. Empty your Recycle Bin. Reboot normally. Post a fresh HijackThis log. Tom
|
|
| Viewing: Dev Shed Forums > System Administration > Antivirus Protection > My hompage has been hijacked by my-search please help |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
 |
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
