Hijacked- Please Help!

Discussion in 'adware, spyware & hijack cleaning' started by bcool, Nov 25, 2003.

Thread Status:
Not open for further replies.
  1. bcool

    bcool Registered Member

    Joined:
    Nov 25, 2003
    Posts:
    2
    If you could help me figure out what program keeps redirecting my homepage. I've removed everything that has to do with Hand-Book in my hijackthis scan, but it keeps redirecting back. There is something I'm missing. Thanks in advance for your help.




    Logfile of HijackThis v1.97.3
    Scan saved at 8:20:01 PM, on 11/25/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
    C:\PROGRAM FILES\PHOENIX TECHNOLOGIES\BAYSWAP\BAYSWAP.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\CANON\MULTIPASS4\MPTBOX.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\WINDOWS\SYSTEM\MPS.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\CANON\MULTIPASS4\MPDBMGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hand-book.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BaySwap] C:\Program Files\Phoenix Technologies\BaySwap\BaySwap.exe
    O4 - HKLM\..\Run: [BaySwap2] C:\Program Files\Phoenix Technologies\BaySwap\TbUpdate.exe
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [mps] C:\WINDOWS\SYSTEM\mps.exe /s
    O4 - HKLM\..\Run: [MPTBOX] C:\PROGRA~1\CANON\MULTIP~1\MPTBOX.EXE
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'csloa.dll' missing
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/WRActiveX/FileXfer.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.6534837963
    O19 - User stylesheet: C:\WINDOWS\my.css
    O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi bcool,

    Please download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    That should solve the hijack.
    I'm curious what this is though:
    O4 - HKLM\..\Run: [mps] C:\WINDOWS\SYSTEM\mps.exe /s
    Any ideas?

    Regards,

    Pieter
     
  3. bcool

    bcool Registered Member

    Joined:
    Nov 25, 2003
    Posts:
    2
    hey, pieter

    Thanks for the info,and I have no idea what that could be. Should I delete it?
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    For what its worth, this is the second log I've seen today showing that file and in both there is Canon MultiPass installed. In the other log, however, the mps.exe was not in the autostart but was resident at the time the log was obtained.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi bcool,

    Find the file and check it's properties. If it is something legitimate, like a Canon file, it will say so.
    If that does not clear it up, submit the file for examination at this site:
    http://www.kaspersky.com/remoteviruschk.html

    If that doesn't clear it up feel free to mail it to the adress in my profile and I'll see if I can come up with something.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.