HJT log: Homepage being changed constantly

Hi, the homepage of my Internet Explorer keeps being changed into another page. I went to the FAQ and used online and local AV, used Ad-Aware and Spybot and the other software suggested in the FAQ to scan the computer, and fixed quite a lot of entries. Here is the HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 23:10:42, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D1BDCFB6-22F8-4CBF-A080-85675F2466A2} (UEANetTeam.Scanner) - http://netreg.uea.ac.uk/UEANetTeam.CAB
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Anne\Local Settings\Temporary Internet Files\Content.IE5\W96J4HEJ\CWShredder[1].exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Thanz in advance :)

Greg_Z (Premium Member), 2005-Jun-14 6:27 pm
This sticks out: O1 - Hosts: 64.91.255.87 www.dcsresearch.com
Go here » www.spywareinfo.com/%7Em ··· ads.html, download and run HJT 1.99.1, because yours is out of date. Reboot the computer and run HJT in [SAFE] mode (F5 or F8 should allow you to boot into SAFE mode). Then you will be able to stop the unneeded processes and be able to do all the HJT work that will tell you if there is something nasty on your system. » www2.broadbandreports.co ··· faq/8428

Just updated it, here is the log file:
Logfile of HijackThis v1.99.1
Scan saved at 23:45:10, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D1BDCFB6-22F8-4CBF-A080-85675F2466A2} (UEANetTeam.Scanner) - http://netreg.uea.ac.uk/UEANetTeam.CAB
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Anne\Local Settings\Temporary Internet Files\Content.IE5\W96J4HEJ\CWShredder[1].exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Thanz :)

Greg_Z (Premium Member)
to fwankly
I would follow the steps in » www2.broadbandreports.co ··· faq/8428, and as a word to the wise, update WinXP to SP2.

CajunTek (Premium Member)
to fwankly
I see several problems.. some of which would be addressed if you had followed the FAQ.. I think you need to go back through the FAQ and see what you missed... Don't update to XP SP2 until you get cleaned up.. Then immediately do that..

1 recommendation
to Greg_Z
said by Greg_Z: This sticks out O1 - Hosts: 64.91.255.87 www.dcsresearch.com

I agree with the rest of your post, but I believe this entry was made by DiamondCS TDS 3 antitrojan software. » tds.diamondcs.com.au/

Hi ppl, thanz for all the replies :) But seriously, I did follow the steps in the FAQ. I used my local AV, McAfee (the latest version, 8.0), first and then the online one (Housecall). Then I scanned with CWShredder, then AboutBuster, then Spybot, then Ad-Aware and then TrojanHunter. And then I posted my HJT log here. Can you kindly tell me which problems would have been fixed?
Thanz a lot :)

Greg_Z (Premium Member)
to Anonymous88
I thought that it sounded familiar, Anon. If I recall, it sticks it in your Hosts file.

Greg_Z
to fwankly
You have to do the scans from [SAFE] mode as I stated, or you will never find the problems. Running the scans in Normal mode only allows them to mask themselves.
Go back through the FAQ, run the scans from Safe mode, then zip up your HJT file and post it as an attachment so that we can look at it.

to fwankly
Greg_z,
I don't know where you are getting your information, but I suggest you refrain from posting until you get more training and can post correct information.
The O1 entry you suggested he remove is legitimate, as has been mentioned before.
Running HJT in Safe Mode does not show all the running processes. Often some of these are bad and only shown there, especially if they start from a registry location not shown in the HJT log. True, there are a few entries, and they are in the minority, mostly HKCU, that only show in Safe Mode. However, an experienced log worker will know to ask for additional registry information, most often by a means other than HJT.
Finally, it is far easier on the workers if the log is posted and not attached. Someone has to download it and then post it.
It's great you want to help, but please post correct information.

LoPhatPhuud
to fwankly
If you use TDS3, then you need the Hosts file entry that was removed. Use the HJT Restore facility to replace it. When you post the HJT log (and other logs too), please copy and paste them in the thread. Do not attach; it just makes more work for us.

First: Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HiJackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »quickmetasearch.com/?said=acc0000_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »quickmetasearch.com/?said=acc0000_ho
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll

Close all open windows except HiJackThis and press 'Fix Checked'. Reboot. Run HiJackThis again and post a new log in this thread.

Second: Would you please use HiJackThis to produce a StartupList log and post it here:
1. From the HJT main screen, click the 'Config' button
2. Click the 'Misc Tools' button
3. Check both boxes to the right of the 'Generate StartupList Log' button
4. Click the 'Generate StartupList Log' button
5. Click 'Yes' in the next dialog
6. Save the log and post a copy in this thread.

Last: Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.

    regedit /e reginfo.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    start notepad.exe reginfo.txt
    exit

Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad. Copy and paste the contents of that entire file in this thread.
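As an added example (not part of this thread and not HijackThis code), the script below parses HJT entry lines like the ones posted above and flags the items LoPhatPhuud asked the OP to fix, plus the O20 Winlogon Notify entry from the second log that loads the same winstyle2.dll. The sample log is a constructed subset of the posted log, and EXPECTED_START_HOSTS is a hypothetical allow-list standing in for the homepage the user actually chose.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the entries from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
"""

# HJT entry lines look like "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Hypothetical allow-list: the start-page host(s) the user actually chose.
EXPECTED_START_HOSTS = {"www.google.com"}

def parse_hjt(text):
    """Return (section, body) pairs for every HJT entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def module_path(body):
    """The last ' - ' separated field of an O2/O20 body is the module path."""
    return body.rsplit(" - ", 1)[-1].strip().lower()

def flag_entries(entries):
    """Map each suspicious entry body to the list of reasons it was flagged."""
    flags = {}
    bho, notify = {}, {}
    for kind, body in entries:
        if kind in ("R0", "R1") and "Start Page" in body:
            host = urlsplit(body.split("=", 1)[1].strip()).hostname or ""
            if host not in EXPECTED_START_HOSTS:
                flags.setdefault(body, []).append(f"start page set to {host}")
        elif kind == "O2" and body.startswith("BHO: "):
            name = body[5:].split(" - ", 1)[0]
            bho[module_path(body)] = body
            if ":\\" in name:  # no class name registered; the DLL path is reused
                flags.setdefault(body, []).append("BHO has a path instead of a class name")
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            notify[module_path(body)] = body
    # A DLL registered both as a BHO and as a Winlogon Notify handler is loaded
    # at logon as well as inside IE, so both entries have to be dealt with together.
    for path in bho.keys() & notify.keys():
        flags.setdefault(bho[path], []).append(f"also a Winlogon Notify handler: {path}")
        flags.setdefault(notify[path], []).append(f"also a BHO: {path}")
    return flags
```

Calling flag_entries(parse_hjt(SAMPLE_LOG)) flags the R0 start page, the path-named O2 BHO and the O20 entry, and leaves the O1 Hosts line and the Acrobat BHO alone.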
Thanz a lot LoPhatPhuud. Yeah, I thought I didn't have to scan my computer in safe mode coz I can't recall seeing that in the FAQ. I did read through the FAQ many times coz my computer and my mum's have been infected quite a few times, so I am kinda familiar with the process. And yeah, about this computer, I've asked someone on geekstogo.com and they suggested I use Ewido Security Suite, Pocket Killbox and a registry file named antivirusgold. And it worked, the computer is working fine now. Below is the link to my post on geekstogo.com :) » www.geekstogo.com/forum/ ··· 853.html

Greg_Z (Premium Member)
to fwankly
This will help you, fwankly. » www.hijackthis.de/en

Those auto-analysis apps are full of false positives, and the removal info is dodgy. Stick with LoPhat's instructions; you're in good hands there, he's an expert HJT tech.

Greg_Z (Premium Member), 2005-Jun-15 8:12 pm
said by The Advisor: Those auto-analysis apps are full of false positives, and the removal info is dodgy. Stick with LoPhat's instructions; you're in good hands there, he's an expert HJT tech.

It actually takes common sense to the fact that HJT does not show everything that can be causing a "HiJack", and due to that you have to go through the Registry to find all of them, and go through the steps. Posting a HJT log in a post makes for a hard time in diagnosing a problem, so using the link that I posted, or attaching the log as an attachment, makes it easier to go through and help someone diagnose a problem. I understand that the OP may have a working knowledge of what spyware is common in HJT logs, but not everything shows, and that comes from my experience with dealing with computers for over 20 years.

1 recommendation
Greg_Z: It actually takes common sense to the fact that HJT does not show everything that can be causing a "HiJack", ..... Posting a HJT log in a post makes for a hard time in diagnosing a problem, so using the link that I posted, or attaching the log as an attachment, makes it easier to go through and help someone diagnose a problem.
I understand that the OP may have a working knowledge of what spyware is common in HJT logs, but not everything shows, and that comes from my experience with dealing with computers for over 20 years.
=========================================
Well no, I don't think it takes 'common sense' to know that HJT logs don't show everything. I have read many a post where supposedly experienced IT professionals are amazed at what can be discerned from its findings, let alone something such as a HJT StartupList, or say a Silent Runners log, PVZzip, Service Filter log, or any number of other apps used when diagnosing a difficult hijack. Experience with computing of 20 years does not always relate to spyware infections, as they have not been around quite that long, that's for sure.
I am unsure what you mean when you say: "Posting a HJT log in a post makes for a hard time in diagnosing a problem, so using the link that I posted, or attaching the log as an attachment, makes it easier to go through and help someone diagnose a problem." In most of the forums, they are pasted directly into the thread, so forgive me if I am missing the intention.
My post was merely to state that any user should not rely on such an automated app to fix anything. Sorry if I wasn't more clear in that respect.