HJT log: Homepage being changed constantly

fwankly (Member, join:2004-12-21, United Kingd)

Hi, the homepage of my Internet Explorer keeps being changed to another page. I went to the FAQ and used online and local AV, Ad-Aware, Spybot and the other software suggested in the FAQ to scan the computer, and fixed quite a lot of entries. Here is the HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 23:10:42, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D1BDCFB6-22F8-4CBF-A080-85675F2466A2} (UEANetTeam.Scanner) - http://netreg.uea.ac.uk/UEANetTeam.CAB
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Anne\Local Settings\Temporary Internet Files\Content.IE5\W96J4HEJ\CWShredder[1].exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanz in advance:)

Greg_Z (Premium Member, join:2001-08-08, Springfield, IL)

This sticks out: O1 - Hosts: 64.91.255.87 www.dcsresearch.com
Go here »www.spywareinfo.com/%7Em ··· ads.html, download and run HJT 1.99.1, since yours is out of date.

Reboot the computer and run HJT in [SAFE] mode (F5 or F8 should allow you to boot into SAFE mode).

Then you will be able to stop the unneeded processes and do all the HJT work that will tell you if there is something nasty on your system.

»www2.broadbandreports.co ··· faq/8428

fwankly (Member, join:2004-12-21, United Kingd)

Just updated it, here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 23:45:10, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D1BDCFB6-22F8-4CBF-A080-85675F2466A2} (UEANetTeam.Scanner) - http://netreg.uea.ac.uk/UEANetTeam.CAB
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Anne\Local Settings\Temporary Internet Files\Content.IE5\W96J4HEJ\CWShredder[1].exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanz:)
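
Reading entries like the two logs above by hand is what the helpers in this thread do; a first pass can be scripted. The following Python is an added example, not code from the thread or from HijackThis: it parses lines in HJT's entry format and flags the kinds of entries the replies below end up acting on (start pages pointing at an unexpected site, a BHO whose registered name is just its own file path, a Winlogon Notify DLL, a service whose file is missing) while leaving hosts-file and unfamiliar entries marked for review rather than removal, since, as later replies note, security tools add such entries too. The sample input is a constructed handful of lines modelled on the logs above, and the allowlisted CLSIDs, expected start page and severity labels are assumptions to tune.

```python
import re

# One entry per HijackThis line: "<kind> - <body>", e.g. "O2 - BHO: ...".
HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

# Assumed allowlist: CLSIDs an analyst has verified as benign. The two here are
# the Acrobat Reader helper and Spybot's SDHelper from the logs in this thread.
KNOWN_GOOD_BHO_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
    "{53707962-6F74-2D53-2644-206D7942484F}",
}

# Constructed sample input: a few lines in HJT log format, modelled on the
# entries posted above (this is not one of the full logs from the thread).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Anne\Local Settings\Temporary Internet Files\Content.IE5\W96J4HEJ\CWShredder[1].exe (file missing)
"""


def parse_hjt(text):
    """Split an HJT log into (kind, body) pairs, skipping headers and process lists."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body").strip()))
    return entries


def triage(text, expected_start_pages=("about:blank",)):
    """Return (severity, kind, note) findings for entries worth a human's attention.

    Severity labels are assumptions: 'high' = fix candidate, 'review' = verify
    against the installed software before touching, 'low' = harmless cleanup.
    """
    findings = []
    flagged_dlls = set()  # paths of BHOs flagged so far, for O20 correlation
    for kind, body in parse_hjt(text):
        if kind in ("R0", "R1") and "Start Page" in body and "=" in body:
            url = body.split("=", 1)[1].strip()
            if url not in expected_start_pages:
                findings.append(("high", kind, "start page set to " + url))
        elif kind == "O1" and body.startswith("Hosts:"):
            # Security tools sometimes add hosts entries too, so review only.
            findings.append(("review", kind, "hosts override: " + body[len("Hosts:"):].strip()))
        elif kind == "O2" and body.startswith("BHO:"):
            parts = [p.strip() for p in body[len("BHO:"):].split(" - ", 2)]
            if len(parts) != 3:
                findings.append(("review", kind, "unparsed BHO line: " + body))
                continue
            name, clsid, path = parts
            if clsid in KNOWN_GOOD_BHO_CLSIDS:
                continue
            if re.match(r"^[A-Za-z]:\\", name) or name.lower() == path.lower():
                # A BHO whose registered name is just its own file path was
                # registered without a proper class name; treat as a fix candidate.
                findings.append(("high", kind, "BHO named by its own path: " + path))
                flagged_dlls.add(path.lower())
            elif name == "(no name)":
                findings.append(("review", kind, "unnamed BHO " + clsid + " -> " + path))
            else:
                findings.append(("review", kind, "unlisted BHO " + name + " -> " + path))
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            path = body.rsplit(" - ", 1)[-1].strip()
            note = "Winlogon Notify DLL (loaded into winlogon.exe at logon): " + path
            if path.lower() in flagged_dlls:
                note += " [same DLL as a flagged BHO]"
            findings.append(("high", kind, note))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(("low", kind, "service points at a missing file: " + body))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 3, 'review': 1, 'low': 1}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, kind, note in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind:4} {note}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the sample, the script reports three fix candidates (the start page, the winstyle2.dll BHO and the Winlogon Notify entry that loads the same DLL), one hosts entry for review and one orphaned service; an entry such as `000StTHK.exe` in an O4 line, which HJT shows without a path, is deliberately not judged here, since that needs the machine's PATH and vendor knowledge.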

Greg_Z (Premium Member, join:2001-08-08, Springfield, IL) to fwankly
I would follow the steps in »www2.broadbandreports.co ··· faq/8428, and as a word to the wise, update WinXP to SP2.

CajunTek, Insane Cajun (Premium Member, join:2003-08-08, Arlington, TX) to fwankly
I see several problems.. some of which would be addressed if you had followed the faq.. I think you need to go back through the faq and see what you missed... Don't update to XP SP2 until you get cleaned up.. Then immediately do that..

Anonymous88 (Premium Member, join:2004-06-01, IA) to Greg_Z
said by Greg_Z:

This sticks out O1 - Hosts: 64.91.255.87 www.dcsresearch.com

I agree with the rest of your post but I believe this entry was made by DiamondCS TDS 3 antitrojan software.

»tds.diamondcs.com.au/

fwankly (Member, join:2004-12-21, United Kingd)

Hi ppl thanz for all the replies:)
But seriously, I did follow the steps in the FAQ. I used my local AV, McAfee (the latest version, 8.0), first and then the online one (Housecall). And then I scanned with CWShredder, then AboutBuster, then Spybot, then Ad-Aware and then TrojanHunter. And then I posted my HJT log here. Can you kindly tell me which problems would have been fixed?

Thanz a lot:)

Greg_Z (Premium Member, join:2001-08-08, Springfield, IL) to Anonymous88
I thought that it sounded familiar, Anon. If I recall, it sticks it in your Hosts file.

Greg_Z (Premium Member) to fwankly
You have to do the scans from [SAFE] mode as I stated, or you will never find the problems. Running the scans in Normal mode only allows them to mask themselves.

Go back through the FAQ, run the scans from Safe mode, then zip up your HJT file and post it as an attachment so that we can look at it.

LoPhatPhuud (MVM, join:2002-01-06, Albuquerque, NM) to fwankly
Greg_Z,

I don't know where you are getting your information, but I suggest you refrain from posting until you get more training and can post correct information.

The O1 entry you suggested he remove is legitimate as has been mentioned before.

Running HJT in Safe Mode does not show all the running processes. Often some of these are bad and only shown there, especially if they start from a registry location not shown in the HJT log. True, there are a few entries, and they are in the minority, mostly HKCU, that only show in Safe Mode. However, an experienced log worker will know to ask for additional registry information, most often by a means other than HJT.

Finally, it is far easier on the workers if the log is posted and not attached. Someone has to download it and then post it.

It's great you want to help, but please post correct information.

LoPhatPhuud (MVM) to fwankly
If you use TDS3, then you need the Hosts file entry that was removed. Use the HJT Restore facility to replace it.

When you post the HJT log (and other logs too), please copy and paste them into the thread. Do not attach; it just makes more work for us.

First:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HiJackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho

O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll

Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.
Run HiJackThis again and post a new log in this thread.

Second:
Would you please use HiJackThis to produce a startup list and post it here:
1. From HJT main screen, click 'Config' button
2. Click 'Misc Tools' button
3. Check both boxes to the right of 'Generate StartupList Log' button
4. Click 'Generate StartupList Log' button
5. Click 'Yes' in the next dialog
6. Save the log and post a copy in this thread.

Last:
Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.

regedit /e reginfo.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
start notepad.exe reginfo.txt
exit

Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.

Copy and paste the contents of that entire file in this thread.
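
The last step exports the Image File Execution Options key, which matters because a Debugger value under an image name makes Windows launch that "debugger" (with the original program as its argument) whenever the program is started, so an entry pointing at anything other than a real debugger deserves a close look. The following Python is an added example, not code from the thread or from any tool mentioned in it: it parses a regedit export like the one reginfo.bat produces and lists every Debugger value found under that key. The sample export is constructed, the example_app.exe and example_av.exe subkeys and the path under them are made up for the demo, and the allowlist holding Windows XP's stock placeholder subkey is an assumption to extend from your own clean baseline.

```python
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Windows XP ships this placeholder subkey with Debugger = "ntsd -d"; on its own
# it is not a finding. Assumed allowlist: (image name, debugger), lower-cased.
EXPECTED = {("your image file name here without a path", "ntsd -d")}

# Constructed sample of what reginfo.txt might contain, in regedit export
# format. The example_app.exe / example_av.exe subkeys are made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_app.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av.exe]
"Debugger"="C:\\constructed\\not_a_debugger.exe"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def reg_unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " inside quoted names and strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key_path, value_name, raw_data) for every value in a .reg export."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            yield current, reg_unescape(m.group("name")), m.group("data")


def ifeo_debuggers(text):
    """Return [(image_name, debugger_command)] for each IFEO subkey with a Debugger value."""
    out = []
    prefix = IFEO_KEY.lower() + "\\"
    for key, name, data in parse_reg_export(text):
        if not key.lower().startswith(prefix) or name.lower() != "debugger":
            continue
        image = key[len(prefix):]
        # Only REG_SZ values are interesting here; strip the quotes and unescape.
        if data.startswith('"') and data.endswith('"'):
            data = reg_unescape(data[1:-1])
        out.append((image, data))
    return out


def suspicious_debuggers(text):
    """Debugger entries not on the allowlist: the ones to check before anything else."""
    return [(img, dbg) for img, dbg in ifeo_debuggers(text)
            if (img.lower(), dbg.lower()) not in EXPECTED]


if __name__ == "__main__":
    # A real reginfo.txt written by regedit /e is UTF-16 with a byte-order mark:
    #   text = open("reginfo.txt", encoding="utf-16").read()
    for image, debugger in suspicious_debuggers(SAMPLE_EXPORT):
        print(f"{image}: launched via {debugger}")
```

Against the constructed sample the only hit is example_av.exe, because the placeholder key is allowlisted and example_app.exe has no Debugger value at all (GlobalFlag and friends are ordinary debugging settings). Keeping the parse and the judgment in separate functions lets the same export be checked against a different baseline later.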

fwankly (Member, join:2004-12-21, United Kingd)

Thanz a lot LoPhatPhuud, yeah I thought I didn't have to scan my computer in safe mode coz I can't recall seeing that in the FAQ. I did read thru the FAQ many times coz my computer and my mum's have been infected quite a few times, so I am kinda familiar with the process.

And yeah, about this computer, I've asked someone in geekstogo.com and they suggested I use Ewido Security Suite, Pocket Killbox and a registry file named antivirusgold. And it worked, the computer is working fine now. Below is the link to my post on geekstogo.com:)

»www.geekstogo.com/forum/ ··· 853.html

Greg_Z (Premium Member, join:2001-08-08, Springfield, IL) to fwankly
This will help you fwankly. »www.hijackthis.de/en

The Advisor (Member, join:2005-06-12, Phoenix, AZ)

said by Greg_Z:

This will help you fwankly. »www.hijackthis.de/en
Those auto-analysis apps are full of false positives, and the removal info is dodgy. Stick with LoPhat's instructions, you're in good hands there, he's an expert HJT tech.

Greg_Z (Premium Member, join:2001-08-08, Springfield, IL)

said by The Advisor:
said by Greg_Z:

This will help you fwankly. »www.hijackthis.de/en
Those auto-analysis apps are full of false positives, and removal info is dodgy, stick with LoPhat's instructions, your in good hands there, he's an expert HJT tech.
It actually takes common sense to the fact that HJT does not show everything that can be causing a "HiJack", and due to that you have to go through the Registry to find all of them, and go through the steps.

Posting a HJT log in a post makes for a hard time in diagnosing a problem, so using the link that I posted, or attaching the log as an attachment, makes it easier to go through and help someone diagnose a problem.

I understand that the OP may have a working knowledge of what spyware is common in HJT logs, but not everything shows, and that comes from my experience with dealing with computers for over 20 years.

The Advisor (Member, join:2005-06-12, Phoenix, AZ)

Greg_Z:
It actually takes common sense to the fact that HJT does not show everything that can be causing a "HiJack", .....
Posting a HJT log in a post makes for a hard time in diagnosing a problem, so using the link that I posted, or attaching the log as a attachment makes it easier to go through and help someone diagnose a problem.

I understand that the OP may have a working knowledge of knowing what spyware is common in HJT logs, but not everything shows, and that comes from my experience with dealing with computer for over 20+ years.

=========================================

Well no, I don't think it takes 'common sense' to know that HJT logs don't show everything. I have read many a post where supposedly experienced IT professionals are amazed at what can be discerned by its findings, let alone something such as a HJT start up list, or say a Silent Runners log, PVZzip, Service Filter log, or any number of other apps used when diagnosing a difficult hijack. Twenty years' experience with computing does not always relate to spyware infections, as they have not been around quite that long, that's for sure.

I am unsure what you mean when you say:
Posting a HJT log in a post makes for a hard time in diagnosing a problem, so using the link that I posted, or attaching the log as a attachment makes it easier to go through and help someone diagnose a problem.
In most of the forums, they are pasted directly into the thread, so forgive me if I am missing the intention.

My post was merely to state any user should not rely on such an automated app to fix anything. Sorry if I wasn't more clear in that respect.