homepage hijacked help!!!

Discussion in 'adware, spyware & hijack cleaning' started by mattg4321, May 25, 2004.

Thread Status:
Not open for further replies.
  1. mattg4321

    mattg4321 Registered Member

    Joined:
    May 11, 2004
    Posts:
    5
    If someone could have a look at my log and tell me what is wrong, it would be great. Thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 21:59:08, on 25/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE2K\CREATIVE DIAGNOSTICS 2.0\DIAGENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE2K\PLAYCENTER2\CTPLAY2.EXE
    C:\PROGRAM FILES\CREATIVE\MEDIA MANAGER\DBSERVER.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\SPY SWEEP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {0836BE63-16C5-4E03-9526-FDA40CD0E00B} - C:\WINDOWS\SYSTEM\JCNBB.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [eScorcher] C:\Program Files\eScorcher\eScorcher.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37722.5086342593
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  3. mattg4321

    mattg4321 Registered Member

    Joined:
    May 11, 2004
    Posts:
    5
    StartDreck (build 2.1.5 public BETA) - 2004-05-26 @ 21:03:45
    Platform: Windows ME (Win 4.90.3000 )

    »Registry
    »Run Keys
    »Current User
    »Run
    *MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
    *MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    *AIM=C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    »RunOnce
    »Default User
    »Run
    *MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
    *MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    *AIM=C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *DIAGENT=C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
    *UpdReg=C:\WINDOWS\Updreg.exe
    *AHQInit=C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    *AdaptecDirectCD="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    *MULTIMEDIA KEYBOARD=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    *WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe
    *Microsoft Works Portfolio=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    *Microsoft Works Update Detection=C:\Program Files\Microsoft Works\WkDetect.exe
    *NAV Agent=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    *LoadQM=loadqm.exe
    *eScorcher=C:\Program Files\eScorcher\eScorcher.exe
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *OmgStartup=C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    *Outpost Firewall=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    *devldr16.exe=C:\WINDOWS\SYSTEM\devldr16.exe
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    **StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
    *Outpost Firewall=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    »RunServicesOnce
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFCF1C85=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF5A65=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFFFBA5=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFFF1E1=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFFC11D=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFE7EB5=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    *FFFE9FA1=C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    *FFFED021=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    *FFFEE6B1=C:\WINDOWS\EXPLORER.EXE
    *FFFDFD71=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    *FFFC5F91=C:\WINDOWS\TASKMON.EXE
    *FFFCF775=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFCF519=C:\PROGRAM FILES\CREATIVE\SBLIVE2K\CREATIVE DIAGNOSTICS 2.0\DIAGENT.EXE
    *FFFB39D1=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFFB74F1=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    *FFFB93C9=C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    *FFFBDEA1=C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    *FFFA10A1=C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    *FFFA25AD=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    *FFFBCFF5=C:\WINDOWS\LOADQM.EXE
    *FFFAC7C9=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    *FFF9A6B1=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FA9D8495=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    *FA9E92A1=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    *FBDDCFD5=C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.EXE
    *FFFAE681=C:\WINDOWS\SYSTEM\RNAAPP.EXE
    *FA9F4885=C:\WINDOWS\SYSTEM\TAPISRV.EXE
    *FBDCB03D=C:\PROGRAM FILES\CREATIVE\SBLIVE2K\PLAYCENTER2\CTPLAY2.EXE
    *FA9E4B21=C:\PROGRAM FILES\CREATIVE\MEDIA MANAGER\DBSERVER.EXE
    *FA9AA691=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FBC0536D=C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    *F83EC915=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
    »Application specific
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi mattg4321,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {0836BE63-16C5-4E03-9526-FDA40CD0E00B} - C:\WINDOWS\SYSTEM\JCNBB.DLL

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll

    Then reboot and install IE6 SP1 (select your language here: http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp)

    Run a scan with AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913
    to clean out any remains.

    Regards,

    Pieter
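A defender-side triage of this kind of log, added here as an example and not part of the thread or of HijackThis itself: it parses the R0/R1 and O2 lines, flags search settings redirected to a res:// resource inside a DLL on disk, and correlates them with the BHO that loads that same DLL (the pattern in the log above). The sample lines are constructed to mirror the posted log; OTHER.DLL and its all-zero CLSID are made-up placeholders.

```python
import re

# Constructed sample lines in the shape of the HijackThis v1.97 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JCNBB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0836BE63-16C5-4E03-9526-FDA40CD0E00B} - C:\WINDOWS\SYSTEM\JCNBB.DLL
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM\OTHER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# R0/R1 lines are IE start/search settings; O2 lines are Browser Helper Objects.
R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),(.+?) = (.*?)(?: \(obfuscated\))?$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

def triage(log_text):
    """Return {'fix': [...], 'review': [...], 'dlls': {...}} for one HijackThis log.
    res://<local DLL>/... as a search page means the page is a resource inside a DLL on
    disk; a BHO loading that same DLL is what keeps re-applying the setting."""
    hijacks, bhos = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            r = RES_DLL.match(m.group(5))
            if r:
                hijacks.append((line, r.group(1).lower()))
            continue
        m = O2_LINE.match(line)
        if m:
            bhos.append((line, m.group(1), m.group(3).lower()))
    dlls = {dll for _, dll in hijacks}
    fix = [line for line, _ in hijacks]
    review = []
    for line, name, path in bhos:
        if path in dlls:
            fix.append(line)      # loads the same DLL the search settings point at
        elif name == "(no name)":
            review.append(line)   # unnamed BHO alone is not proof: inspect the file
    return {"fix": fix, "review": review, "dlls": dlls}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("implicated DLLs:", sorted(result["dlls"]))
    for tag in ("fix", "review"):
        for line in result[tag]:
            print(tag.upper(), line)
```

The "fix" bucket reproduces the R-line and BHO entries the helper listed above; the "review" bucket is for unnamed BHOs that share no DLL with a hijacked setting and need a look at the file before deciding.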
     