Homepage Prob.

Discussion in 'adware, spyware & hijack cleaning' started by konin, Mar 2, 2004.

Thread Status:
Not open for further replies.
  1. konin

    konin Guest

    I have a homepage problem. I think it's been hijacked. I ran HijackThis and came up with this log. Can someone please help me? I don't know what to delete.
    Logfile of HijackThis v1.97.7
    Scan saved at 5:23:49 PM, on 3/2/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\loadqm.exe
    C:\WINNT\svchost.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\AIM\aim.exe
    C:\WINNT\System32\olehelp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\home\Desktop\Jeff's Stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bizonio.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bizonio.com/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bizonio.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bizonio.com/index.htm
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\System32\StopzillaBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
    O4 - HKLM\..\Run: [SSL] C:\WINNT\svchost.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [olehelp] C:\WINNT\System32\olehelp.exe
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks a lot.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Konin :)

    Welcome to Wilders.


    Please download and run CWShredder at this link,

    http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    then post a fresh HijackThis log.



    snowbound
     
  3. konin

    konin Guest

    Alright, I ran CWShredder on it and now came up with this new log.
    Logfile of HijackThis v1.97.7
    Scan saved at 8:29:04 PM, on 3/2/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\home\Desktop\Jeff's Stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bizonio.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bizonio.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bizonio.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bizonio.com/index.htm
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\System32\StopzillaBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [SSL] C:\WINNT\svchost.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Hope this helps ya out.
    Thanks.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Your log is looking better. :)

    I cannot advise you any further as my HijackThis experience is very limited.

    Just be patient and one of the experts will be along to give you recommendations on the rest of your log.


    Thanks.


    snowbound
     
  5. konin

    konin Guest

    Hey snowbound, thanks a lot. It seems to be working now that I used CWShredder on it. I rebooted my machine and my original homepage was there, so thanks a lot.
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    You're very welcome. :)

    Please check back here though as there could be more things to fix in your log.




    snowbound
     
  7. konin

    konin Guest

    Alright, thanks. I'll check back periodically.
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    konin,

    I only see one other issue.... Do you knowingly have Wild Tangent installed on your system?
    The entry:
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
    is the updater for Wild Tangent.....
    For more on Wild Tangent http://pestpatrol.com/pestinfo/w/wildtangent.asp.

    Also, I would like to hear an expert's opinion on:
    O4 - HKLM\..\Run: [SSL] C:\WINNT\svchost.exe
    I think it needs to be removed, but wait for an expert to come by and confirm....

    HTH....

    Regards,
    Kent
     
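    Added example, not from this thread or from HijackThis itself: a small Python triage of the log lines quoted above that flags the two patterns the replies point at, an O4 autorun whose executable carries a core system binary name but lives outside System32 (the C:\WINNT\svchost.exe entry), and R0/R1 search or start-page entries whose host is not on an allowlist. The system-only name set and the MSN allowlist are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bizonio.com/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bizonio.com/sp.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [SSL] C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
"""

# Assumptions: core binaries that only belong under System32, and the hosts the
# user actually wants as search/start pages (MSN, per the thread).
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")
TRUSTED_HOSTS = {"www.msn.com", "msn.com"}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - .+ = (?P<url>\S+)$")


def exe_from_command(cmd):
    """Return the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return (kind, subject, value, reason) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            # A core system binary name launched from anywhere but System32 (or with
            # no path at all) is the pattern behind the C:\WINNT\svchost.exe entry.
            if base in SYSTEM_ONLY and not exe.lower().startswith(SYSTEM_DIRS):
                findings.append(("O4", m.group("name"), exe, "system binary name outside System32"))
            continue
        m = R_RE.match(line)
        if m:
            # res:// targets (mshp.dll here) surface too: the "hostname" is the DLL name.
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in TRUSTED_HOSTS:
                findings.append(("R", host, m.group("url"), "search/start page on untrusted host"))
    return findings
```

Running `triage(SAMPLE_LOG)` on the sample yields four findings: the three bizonio.com/mshp.dll R entries and the [SSL] svchost.exe autorun, while the STOPzilla, mobsync and WildTangent entries pass this particular check.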
  9. Galadriel

    Galadriel Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    34
    Can you post a new log ? There is one thing that definitely should be fixed...

    I want to see if it's still there.
     
  10. konin

    konin Guest

    No, I don't knowingly have WildTangent downloaded. I don't even really know what it is. And for whoever asked for a new log, here it is.
    Logfile of HijackThis v1.97.7
    Scan saved at 9:24:07 PM, on 3/2/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\home\Desktop\Jeff's Stuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bizonio.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bizonio.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bizonio.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bizonio.com/index.htm
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\System32\StopzillaBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [SSL] C:\WINNT\svchost.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    One final question: I want my homepage set at MSN, and it is right now, but when it was hijacked it was set at this bizonio.com which I saw in there. I don't know what that means. Thanks again guys.
     
  11. Galadriel

    Galadriel Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    34
    Hello again,

    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bizonio.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bizonio.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bizonio.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bizonio.com/index.htm

    O4 - HKLM\..\Run: [SSL] C:\WINNT\svchost.exe


    When done, reboot. Then find this file and zip it. Send it to submit@sympatico.ca with a link to this thread please.

    Thank you in advance. And good luck.
     
  12. konin

    konin Guest

    What file do I have to zip, and how would I do that? Sorry, I don't really know what I'm doing. Thanks.
     
  13. Galadriel

    Galadriel Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    34
    oops sorry about that.... lol

    C:\WINNT\svchost.exe

    That is the file... sorry bad bad bad keyboard.... :eek:
     
  14. konin

    konin Guest

    OK, I fixed those problems, so now everything should be good, right? I haven't been able to find that svchost, 'cause I don't even know where to start looking for it, much less zip it, so I don't know what you want me to do about
     
  15. Galadriel

    Galadriel Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    34
    OK... the file could be a hidden one. Here's a link on how to unhide hidden folders and files:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Then, once you've done that, just open up "My Computer" by double clicking on it. Then double click on "Local Disk C"...
    Then double click on the "WINNT" folder to enter it. The file is inside that folder.
    You can set the view to details, by clicking on the View menu at the top. That will make sure the files and folders are listed in alphabetical order.
    Look for svchost.exe in there. That is the file I need you to send. If you don't know how to zip it, never mind that. Just send it as is.

    Good luck and hope your problems are done now.
     
  16. Galadriel

    Galadriel Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    34
    I just received your email... The one you sent is not the right file. You sent svchost.dat.... I need svchost.exe.

    But you are doing fine. :)

    We'll get there....
     