homepage hijacked help!!!

Discussion in 'adware, spyware & hijack cleaning' started by mattg4321, May 25, 2004.

Thread Status:
Not open for further replies.
  1. mattg4321

    mattg4321 Registered Member

    Joined:
    May 11, 2004
    Posts:
    5
    if someone could have a look at my log and tell me what is wrong it would b great. thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 21:59:08, on 25/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE2K\CREATIVE DIAGNOSTICS 2.0\DIAGENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE2K\PLAYCENTER2\CTPLAY2.EXE
    C:\PROGRAM FILES\CREATIVE\MEDIA MANAGER\DBSERVER.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\SPY SWEEP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {0836BE63-16C5-4E03-9526-FDA40CD0E00B} - C:\WINDOWS\SYSTEM\JCNBB.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [eScorcher] C:\Program Files\eScorcher\eScorcher.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37722.5086342593
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
  3. mattg4321

    mattg4321 Registered Member

    Joined:
    May 11, 2004
    Posts:
    5
    StartDreck (build 2.1.5 public BETA) - 2004-05-26 @ 21:03:45
    Platform: Windows ME (Win 4.90.3000 )

    »Registry
    »Run Keys
    »Current User
    »Run
    *MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
    *MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    *AIM=C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    »RunOnce
    »Default User
    »Run
    *MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
    *MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    *AIM=C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *DIAGENT=C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
    *UpdReg=C:\WINDOWS\Updreg.exe
    *AHQInit=C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    *AdaptecDirectCD="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    *MULTIMEDIA KEYBOARD=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    *WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe
    *Microsoft Works Portfolio=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    *Microsoft Works Update Detection=C:\Program Files\Microsoft Works\WkDetect.exe
    *NAV Agent=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    *LoadQM=loadqm.exe
    *eScorcher=C:\Program Files\eScorcher\eScorcher.exe
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *OmgStartup=C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    *Outpost Firewall=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    *devldr16.exe=C:\WINDOWS\SYSTEM\devldr16.exe
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    **StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
    *Outpost Firewall=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    »RunServicesOnce
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFCF1C85=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF5A65=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFFFBA5=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFFF1E1=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFFC11D=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFE7EB5=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    *FFFE9FA1=C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    *FFFED021=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    *FFFEE6B1=C:\WINDOWS\EXPLORER.EXE
    *FFFDFD71=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    *FFFC5F91=C:\WINDOWS\TASKMON.EXE
    *FFFCF775=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFCF519=C:\PROGRAM FILES\CREATIVE\SBLIVE2K\CREATIVE DIAGNOSTICS 2.0\DIAGENT.EXE
    *FFFB39D1=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFFB74F1=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    *FFFB93C9=C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    *FFFBDEA1=C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    *FFFA10A1=C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    *FFFA25AD=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    *FFFBCFF5=C:\WINDOWS\LOADQM.EXE
    *FFFAC7C9=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    *FFF9A6B1=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FA9D8495=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    *FA9E92A1=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    *FBDDCFD5=C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.EXE
    *FFFAE681=C:\WINDOWS\SYSTEM\RNAAPP.EXE
    *FA9F4885=C:\WINDOWS\SYSTEM\TAPISRV.EXE
    *FBDCB03D=C:\PROGRAM FILES\CREATIVE\SBLIVE2K\PLAYCENTER2\CTPLAY2.EXE
    *FA9E4B21=C:\PROGRAM FILES\CREATIVE\MEDIA MANAGER\DBSERVER.EXE
    *FA9AA691=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FBC0536D=C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    *F83EC915=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
    »Application specific
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi mattg4321,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {0836BE63-16C5-4E03-9526-FDA40CD0E00B} - C:\WINDOWS\SYSTEM\JCNBB.DLL

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll

    Then reboot and install IE6 SP1 (select your language here: http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp 9

    Run a scan with AdAware as dscribed here:
    https://www.wilderssecurity.com/showthread.php?t=15913
    to clean out any remains.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.