Start Page hijacked, pop ups keep popping need help!

Discussion in 'adware, spyware & hijack cleaning' started by soda1yes, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. soda1yes

    soda1yes Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    1
    A week ago I was infected with something and now I have a start page that I did not initiate. My AVG antivirus is constantly telling me that I have a Trojan Horse Dialer .8.U and assorted others on my system, but when I run a scan nothing will be detected, or it will detect but the problem comes back. I have used Noadware and Spybot Search and Destroy, but all problems come back. I need help please! Below is my HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:12:25 PM, on 6/3/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$KELLEYBLUEBOOK\Binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Internet Explorer\Iesearch.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Richard\Application Data\ouod.exe
    C:\WINDOWS\System32\wcpcc.exe
    C:\Program Files\BLUEBOOK\KARPOWER 2\KBBScheduler.exe
    C:\WINDOWS\system32\cleanmgr.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://best.omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best.omega-search.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://best.omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://best.omega-search.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe
    O4 - HKCU\..\Run: [Stet] C:\Documents and Settings\Richard\Application Data\ouod.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe
    O4 - HKCU\..\Run: [MicroAttuneDownload] "C:\Program Files\Aveo\Attune\Updater0\atmdlusr.exe" -run
    O4 - Global Startup: Aveo Attune.lnk = ?
    O4 - Global Startup: Instant Update Reminder.lnk = ?
    O4 - Global Startup: KBBScheduler.lnk = C:\Program Files\BLUEBOOK\KARPOWER 2\KBBScheduler.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://66.229.34.94/TSWEB/msrdp.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37241.0786689815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_4_0.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3CE2B6-1A56-4C3B-B2AF-DC133058FFBF}: NameServer = 64.169.140.6,206.13.28.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2A3CE2B6-1A56-4C3B-B2AF-DC133058FFBF}: NameServer = 64.169.140.6,206.13.28.12
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2A3CE2B6-1A56-4C3B-B2AF-DC133058FFBF}: NameServer = 64.169.140.6,206.13.28.12

    Appreciate any help ....
    Thanks
    Soda1yes
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Close all browser windows, and tick the boxes next to these items.
    Then choose Fix Selected, and reboot.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://best.omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best.omega-search.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://best.omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://best.omega-search.com/

    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe

    O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe

    O4 - HKCU\..\Run: [Stet] C:\Documents and Settings\Richard\Application Data\ouod.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe


    After rebooting, please send these files to submit@diamondcs.com.au
    Then delete them

    C:\Program Files\Internet Explorer\Iesearch.exe
    C:\Program Files\Common Files\svchost.exe
    C:\Documents and Settings\Richard\Application Data\ouod.exe
    C:\WINDOWS\System32\wcpcc.exe
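
An added example, not part of the original thread and not the helper's own method: a small triage script that parses HijackThis `O4` (Run key) and `O16` (ActiveX download) lines and flags entries on three assumed heuristics. The sample lines are copied from the log above; the heuristics and the `SYSTEM_NAMES` list are illustrative assumptions and do not reproduce the full fix list in the reply.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any host OS

# Constructed sample: a few entries copied from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe
O4 - HKCU\..\Run: [Stet] C:\Documents and Settings\Richard\Application Data\ouod.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed short list of Windows binaries that normally live in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}

RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] "?(.+?\.exe)"?(?: .*)?$', re.I)
DPF_RE = re.compile(r'^O16 - DPF: (\{[0-9A-F-]+\}).* - (\S.*)$', re.I)

def triage(log_text):
    """Return (reason, line) pairs for entries matching the assumed heuristics."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = RUN_RE.match(line)
        if m:
            path = m.group(3)
            name, folder = basename(path).lower(), dirname(path).lower()
            if name in SYSTEM_NAMES and not folder.endswith(r"\system32"):
                findings.append(("system binary name outside System32", line))
            elif folder.endswith(r"\application data"):
                findings.append(("autorun from profile Application Data root", line))
            continue
        m = DPF_RE.match(line)
        if m and m.group(2).lower().startswith("file://"):
            findings.append(("ActiveX codebase is a local file", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Entries such as `Iesearch.exe` and `wcpcc.exe` match none of these path rules, so a script like this only narrows the list for a human reviewer.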
     