Browser hijack from Hell

Discussion in 'adware, spyware & hijack cleaning' started by delvek, May 27, 2004.

Thread Status:
Not open for further replies.
  1. delvek

    delvek Registered Member

    Joined:
    May 27, 2004
    Posts:
    8
    ok ... my computer has been taken over and I can't stop it! I have run the following programs ... ace utilities, ad-aware 6.0, spybot search and destroy, spyware guard, cleanmypc - registry cleaner, hijackthis, and cwshredder. I have run all these programs dozens of times in safe mode and not. I have locked my IE homepage dozens of times; after doing so spyguard tells me it's been changed, and no matter how many times I click restore to old page it keeps going. I have been wrestling with this for 2 days and I have had to shut down the family computer from the kids. I run zone alarm firewall and never had a problem til now. The hijack page is a porn search website. There are two that keep alternating but the main one is called "C:\spad\start.html" but the other one is "http://www.myexexex.com/search.php?said=spagegg=%s". I am at a complete loss on how to fix this and need help badly. I will be checking back often in hopes someone is monitoring and will reply just as quick ... thanks
     
  2. flrman1

    flrman1 Spyware Fighter

    Joined:
    Apr 11, 2004
    Posts:
    41
    Location:
    North Carolina
    Please do this:

    Click here to download Hijack This. Click on the Hijackthis.exe.

    Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    *Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
     
  3. delvek

    delvek Registered Member

    Joined:
    May 27, 2004
    Posts:
    8
    Thank you very much for your response, as I have done everything I could understand on the website and my computer tech skills lack badly, but I was able to do this for you so I'm optimistic. Here is the log you asked for. I also have every program that is free on my computer right now; I have downloaded any I can find and ran them dozens of times.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:49:55 PM, on 5/27/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\CLEANMYPC\REGISTRY CLEANER\RCSCHEDULER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uncg.edu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
     
  4. flrman1

    flrman1 Spyware Fighter

    Joined:
    Apr 11, 2004
    Posts:
    41
    Location:
    North Carolina
    That's only part of the log. You need to Copy and paste the whole log. We need to see it all.
     
  5. delvek

    delvek Registered Member

    Joined:
    May 27, 2004
    Posts:
    8
    that is the whole log ... nothing else on when i click on log but that?
     
  6. delvek

    delvek Registered Member

    Joined:
    May 27, 2004
    Posts:
    8
    i clicked on scan ... then save log ... opened it in wordpad ... clicked select all and copy ... then pasted it here ....... is there something missing? if so what do i do to get you the information you need?



    Logfile of HijackThis v1.97.7
    Scan saved at 9:49:55 PM, on 5/27/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\CLEANMYPC\REGISTRY CLEANER\RCSCHEDULER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uncg.edu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
     
  7. flrman1

    flrman1 Spyware Fighter

    Joined:
    Apr 11, 2004
    Posts:
    41
    Location:
    North Carolina
    OK, if you say that's it, then I guess that's it.

    I am attaching a fix.txt file to this post. Download the fix.txt file and save it to your desktop. Open it in notepad and go to File > Save As and save as fix.reg (save as type: 'all files')
    Doubleclick fix.reg, and answer yes when asked to have its contents added to the Registry.


    Next run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

    Now find and delete:

    The c:/spad folder
    The C:\WINDOWS\SYSTEM\HPCMDTY.DLL file
     

    Attached Files:

    • fix.txt
      File size:
      1.1 KB
      Views:
      5
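
The selection of entries in the post above can be reproduced mechanically. This is an added example, not part of the original thread and not HijackThis's own logic: it parses the R-section lines of the posted log and flags Internet Explorer page and search values that load a local file or a host outside a trusted set. The function names and the trusted set (the user's own start page host) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# R-section lines (plus one O4 line) copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uncg.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
"""

# Line shape: "R0 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
FIELDS = ("code", "hive", "key", "name", "data")

def parse_r_entries(log_text):
    """Return one dict per R-section line; every other line is skipped."""
    matches = (R_LINE.match(line.strip()) for line in log_text.splitlines())
    return [dict(zip(FIELDS, m.groups())) for m in matches if m]

def review_entries(entries, trusted_hosts):
    """Flag IE page/search values that load a local file or an untrusted host."""
    flagged = []
    for e in entries:
        url = urlsplit(e["data"])
        if url.scheme == "file":
            reason = "local file set as browser page"
        elif url.scheme in ("http", "https") and url.hostname not in trusted_hosts:
            reason = f"host not in trusted set: {url.hostname}"
        else:
            continue  # trusted URL, or a non-URL value such as Window Title
        flagged.append((e["hive"], e["name"], reason))
    return flagged

if __name__ == "__main__":
    # Assumption: the only host the user trusts is their own start page.
    for row in review_entries(parse_r_entries(SAMPLE_LOG), {"www.uncg.edu"}):
        print(row)
```

With that trusted set, the flagged rows are the same eleven entries listed for "Fix checked" above; the HKCU Start Page and the Window Title value are left alone.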
  8. delvek

    delvek Registered Member

    Joined:
    May 27, 2004
    Posts:
    8
    thank you very much for reply ... i am doing it now and when i am done i will post the new log and tell you if my homepage is fixed or not.

    thanks
    delvek
     
  9. delvek

    delvek Registered Member

    Joined:
    May 27, 2004
    Posts:
    8
    i have a problem, i don't have notepad, i have wordpad, and when i save as i have no choice for 'all files' type.

    is there a place i can download notepad?
     
  10. delvek

    delvek Registered Member

    Joined:
    May 27, 2004
    Posts:
    8
    ALL HAIL .... FLRMAN1 the SPYWARE FIGHTER!!!

    Your knowledge and instructions have fixed my problems!

    Thank you very much for your time and energy ...

    Best wishes to you,
    Delvek
     
  11. delvek

    delvek Registered Member

    Joined:
    May 27, 2004
    Posts:
    8
    Re: Browser hijack from Hell (NEW LOG)

    forgot to add this to my last post ....

    Logfile of HijackThis v1.97.7
    Scan saved at 11:12:02 PM, on 5/27/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\STARTER.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uncg.edu/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
     
  12. flrman1

    flrman1 Spyware Fighter

    Joined:
    Apr 11, 2004
    Posts:
    41
    Location:
    North Carolina
    Re: Browser hijack from Hell (NEW LOG)

    Clean! :D

    One thing I would suggest is that you get an antivirus ASAP! Here's a good free one:

    http://www.grisoft.com/us/us_dwnl_free.php

    Also Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     