Hijacked! C:/windows/secure and jethomepage.com (hijackthis log enclosed)

Discussion in 'adware, spyware & hijack cleaning' started by grahambrown500, May 6, 2004.

Thread Status:
Not open for further replies.
  1. grahambrown500

    grahambrown500 Registered Member

    Joined:
    May 6, 2004
    Posts:
    2
    Hi

    I have been hijacked by 2 programmes - jethomepage.com (which brings up a full screen search engine page that is very annoying) and the c:/windows/secure trojan, which sets the standard "the KGB could be watching your computer" homepage that can't be overridden.

    I ran hijackthis and managed to get rid of most of the C:/windows/secure stuff (I think) but the problem persists and Internet Explorer keeps 'performing an illegal operation' and shutting down (sometimes leaving a blank screen so i have to reboot).

    Anyway, here is my current log:

    Logfile of HijackThis v1.97.7
    Scan saved at 18:39:00, on 01/05/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\MY DOCUMENTS\CAROLYN\CAHOOTWEBCARD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.1\MOUSE32A.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SR64\KPNPHAIJ.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Orbiscom - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\SYSTEM\SLIMBHO2.DLL
    O2 - BHO: (no name) - s - (no file)
    O2 - BHO: (no name) - SlimBho2.dll' - (no file)
    O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [NewsUpd] C:\PROGRAM FILES\CREATIVE\NEWS\NewsUpd.exe /q
    O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.reg
    O4 - HKLM\..\Run: [CahootWebcard] C:\MYDOCU~1\CAROLYN\CahootWebcard.exe /dontopenmycards
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8054.4554166667

    All help will be very much appreciated. :)

    Graham
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  3. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINDOWS\SYSTEM\SR64\KPNPHAIJ.EXE

    Download CWShredder by Merijn Bellekom
    Unzip it sonmewhere you can find it later

    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse. Doublecheck so you don't miss one.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
    O2 - BHO: (no name) - s - (no file)
    O2 - BHO: (no name) - SlimBho2.dll' - (no file)
    O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll
    O4 - HKLM\..\Run: [NewsUpd] C:\PROGRAM FILES\CREATIVE\NEWS\NewsUpd.exe /q
    O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.reg

    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    Delete the following files
    C:\WINDOWS\sp.reg

    Delete the following folder:
    C:\WINDOWS\SYSTEM\SR64\


    Run the CWShredder you unzipped earlier, press 'Fix', and allow it to fix all it finds.

    Reboot to normal mode

    Download Spybot - Search and Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer windows, hit 'Check for Problems', and after SpyBotSD has completed it's scan push the 'Fix checked' button for all that it has automatically selected.

    Get a good online virus scan at HouseCall

    ------ some info
    The SlimBho2.dll BHO was once legit Orbiscom stuff - but appears damaged
    I'd advise you to remove CahootWebcard from your startup as well and start it manually when you need it
    Do NOT delete the C:\WINDOWS\SYSTEM\shdocvw.dll file!!

    ----
    Pieter beat me to it - but gotta have a first post here :)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi IMM,

    Welcome aboard. :)

    I noticed the SR64 folder. What is it?

    Regards,

    Pieter
     
  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Nothing is for sure -- but i figure its a Proxy.4.M trojan (or close relative)
    I suspect you'll find a serv_u ftp in the folder
     
  6. grahambrown500

    grahambrown500 Registered Member

    Joined:
    May 6, 2004
    Posts:
    2
    Pieter and IMM

    Many thanks for your responses - I will put them into action tonight and post a new log here. :)

    All the best
    Graham
     
Thread Status:
Not open for further replies.