#1
    Hijacked home page


    I use IE with Windows XP. My normal home page has been hijacked with a message bar reading "about:blank" and a website directory showing up.
    I have used Internet Options to "delete history" and also I have loaded my normal home page then "use current" to change to my normal home page. When I re-load IE it goes back to the rogue website. I have run HijackThis, Pest Patrol and Spycatcher but still have the same problem.
    What would happen if I took the log from HijackThis and deleted everything that's in it...?
    Last edited by broxie; May 20th, 2004 at 05:34 PM. Reason: other thought
  2. #2
    Your computer would probably not run very well as most of the items in HJT are required for your system to run properly. Post a log so we can see what's going on.

    Tom
    HijackThis
    Ad-aware
    Spybot Search & Destroy
    SpywareBlaster
    SpywareGuard
    Housecall Online A/V Scan

    Please read the stickies at the top of the forum before posting!
  4. #3
    Logfile of HijackThis v1.97.7
    Scan saved at 7:42:56 PM, on 5/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\U.S. Robotics\SureConnect ADSL Modem\SureConnect ADSL Utility\USRSureConnect.exe
    C:\Program Files\MailWasher Pro\MailWasher.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\William Storie\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\William Storie\Application Data\Mozilla\Profiles\default\4gpilwe3.slt\prefs.js)
    O1 - Hosts: 216.73.89.11 explore1.llbean.com
    O1 - Hosts: 209.185.162.204 i.ivillage.co.uk
    O1 - Hosts: 209.185.162.149 ivillage.co.uk
    O1 - Hosts: 64.49.221.121 livescore.com
    O1 - Hosts: 212.58.240.145 news.bbc.co.uk
    O1 - Hosts: 192.0.34.129 reports.internic.net
    O1 - Hosts: 207.46.156.60 v4.windowsupdate.microsoft.com
    O1 - Hosts: 69.20.54.171 vivisimo.com
    O1 - Hosts: 207.46.249.57 windowsupdate.microsoft.com
    O1 - Hosts: 80.5.176.102 world.rangers.premiumtv.co.uk
    O1 - Hosts: 65.77.217.160 www.1234-find-web-designers.org
    O1 - Hosts: 207.44.176.88 www.2-freespywareremoval.com
    O1 - Hosts: 217.154.146.33 www.accountingeducation.com
    O1 - Hosts: 192.150.18.60 www.adobe.com
    O1 - Hosts: 65.242.185.67 www.aicpa.org
    O1 - Hosts: 207.171.166.149 www.amazon.co.uk
    O1 - Hosts: 207.171.163.90 www.amazon.com
    O1 - Hosts: 216.22.0.2 www.askmen.com
    O1 - Hosts: 66.111.44.182 www.basictgp.com
    O1 - Hosts: 12.107.161.210 www.bdo.com
    O1 - Hosts: 66.102.130.21 www.bermuda.e-moo.com
    O1 - Hosts: 64.207.134.91 www.bermynet.com
    O1 - Hosts: 64.62.149.102 www.biopet.com
    O1 - Hosts: 4.38.75.43 www.bydesign.com
    O1 - Hosts: 64.94.191.3 www.cfo.com
    O1 - Hosts: 155.201.224.39 www.cfodirect.com
    O1 - Hosts: 64.236.24.12 www.cnn.com
    O1 - Hosts: 66.2.87.13 www.copyleft.net
    O1 - Hosts: 63.240.15.209 www.corel.com
    O1 - Hosts: 216.254.0.118 www.cpeonline.com
    O1 - Hosts: 194.159.245.16 www.cummings.demon.co.uk
    O1 - Hosts: 69.57.156.225 www.cybertechhelp.com
    O1 - Hosts: 192.216.159.159 www.dineoutfreetoday.com
    O1 - Hosts: 66.98.154.60 www.enigmasoftwaregroup.com
    O1 - Hosts: 128.6.72.72 www.fasb.org
    O1 - Hosts: 209.51.177.22 www.foxsportsworld.com
    O1 - Hosts: 216.239.41.104 www.google.com
    O1 - Hosts: 143.231.86.196 www.house.gov
    O1 - Hosts: 202.85.125.77 www.iasplus.com
    O1 - Hosts: 192.0.34.163 www.icann.org
    O1 - Hosts: 192.0.34.161 www.internic.com
    O1 - Hosts: 65.126.254.23 www.llbean.com
    O1 - Hosts: 216.74.165.68 www.marthastewart.com
    O1 - Hosts: 217.199.166.5 www.medicdirect.co.uk
    O1 - Hosts: 207.46.144.222 www.microsoft.com
    O1 - Hosts: 206.151.164.31 www.oldnavy.com
    O1 - Hosts: 207.44.246.74 www.portmeirion.co.uk
    O1 - Hosts: 80.5.176.140 www.rangers.premiumtv.co.uk
    O1 - Hosts: 65.205.249.60 www.verisign.com
    O1 - Hosts: 208.234.17.105 www.vetinfo.com
    O1 - Hosts: 63.123.46.33 www.victoriassecret.com
    O1 - Hosts: 199.172.192.172 www.weather.bm
    O1 - Hosts: 192.220.116.222 www.webcom.com
    O1 - Hosts: 192.220.116.62 www.wrsl.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7FF08339-888E-4489-A055-BE72F8FD0CC4} - C:\WINDOWS\mrhop.dll
    O2 - BHO: (no name) - {A8169881-0639-4E54-B1B1-3D55787CE5D3} - C:\WINDOWS\System32\inetcbfg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRA~1\PESTPA~1\ppclean.exe" clean ts:20040520182753484 cws 2 2 2
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RealDownload Plus.lnk = C:\Program Files\Real\RealDownload\RealDownload.exe
    O4 - Global Startup: U.S. Robotics SureConnect ADSL Utility.lnk = ?
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/tech...upportutil.CAB
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17B95F96-6BAB-4660-933A-9CBC9CC514C3}: NameServer = 199.172.192.3 199.172.192.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17B95F96-6BAB-4660-933A-9CBC9CC514C3}: NameServer = 199.172.192.3 199.172.192.4
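
Added example, not part of the thread and not code from HijackThis: a small Python triage script for a log like the one posted above. It groups entries by section code and reports any Browser Helper Object whose DLL is also the `res://` target of an Internet Explorer search setting. The function names `parse` and `review_candidates` are made up for this sketch, and a hit is a candidate for closer review, not a verdict; most entries in a log are legitimate.

```python
import re
from collections import defaultdict

# Excerpt of the log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7FF08339-888E-4489-A055-BE72F8FD0CC4} - C:\WINDOWS\mrhop.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")           # "R1 - ...", "O2 - ..."
RES_URL = re.compile(r"=\s*res://(.+?\.dll)/", re.I)        # DLL path inside a res:// URL
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse(log):
    """Group log entries by their section code (R0, R1, O2, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:  # header and process-list lines do not match and are skipped
            sections[m.group(1)].append(m.group(2).strip())
    return sections

def review_candidates(log):
    """Return BHO entries whose DLL also backs an IE search setting via res://."""
    sections = parse(log)
    res_dlls = {}
    for code in ("R0", "R1"):
        for body in sections.get(code, []):
            m = RES_URL.search(body)
            if m:
                setting = body.split(" = ")[0]
                res_dlls.setdefault(m.group(1).lower(), []).append(setting)
    hits = []
    for body in sections.get("O2", []):
        m = BHO.match(body)
        if m and m.group(3).strip().lower() in res_dlls:
            dll = m.group(3).strip()
            hits.append({"clsid": m.group(2), "dll": dll,
                         "settings": res_dlls[dll.lower()]})
    return hits

if __name__ == "__main__":
    for hit in review_candidates(SAMPLE_LOG):
        print(hit["dll"], hit["clsid"], "<-", ", ".join(hit["settings"]))
```
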
  6. #4
    Trying to play catch-up here. If you still have the problem, let's start with this:

    Download this file from http://downloads.subratam.org/dllfix.exe .

    Preferably to Desktop. Double click on it and, it being a self-extractor, it will create its own folder. Run Start.Bat from there. Run Option 1, which is "Run Find-All...". Let it complete and there will be a pop-up window with a log.
    Post that log here.

    Tom
    HijackThis
    Ad-aware
    Spybot Search & Destroy
    SpywareBlaster
    SpywareGuard
    Housecall Online A/V Scan

    Please read the stickies at the top of the forum before posting!
