Homepage hijacked by 69.31.79.106

Discussion in 'adware, spyware & hijack cleaning' started by alessandrocancian, May 27, 2004.

Thread Status:
Not open for further replies.
  1. alessandrocancian

    alessandrocancian Registered Member

    Joined:
    May 26, 2004
    Posts:
    15
    Hello,
    I had my homepage hijacked by a persistent trojan.
    I scanned with HijackThis and this is the log.

    Logfile of HijackThis v1.97.7
    Scan saved at 10.57.26, on 27/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAMMI\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ALISNDMG.EXE
    C:\WINDOWS\LTSMMSG.EXE
    C:\PROGRAMMI\ACER\POWERKEY\POWERKEY.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPLPR.EXE
    C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPENH.EXE
    C:\WINDOWS\SYSTEM\KEYMAP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMMI\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAMMI\DAP\DAP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.106/search.php
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMMI\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMMI\DAP\DAPBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMMI\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMMI\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [AcerPowerkey] "C:\Programmi\Acer\Powerkey\Powerkey.exe"
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Programmi\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Programmi\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [VolKey] C:\WINDOWS\SYSTEM\Keymap.exe
    O4 - HKLM\..\Run: [Launch App] c:\DMSINFO\launapp.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
    O4 - HKLM\..\Run: [Gremlin] C:\WINDOWS\SYSTEM\intrenat.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download using Offline &Explorer - file://C:\PROGRAMMI\OFFLINE EXPLORER\Add_UrlO.htm
    O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\PROGRAMMI\OFFLINE EXPLORER\Add_AllO.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Organizzatore ricerche (HKLM)
    O9 - Extra button: SUPER NOVITA' (HKLM)
    O9 - Extra 'Tools' menuitem: Strumento Super Internet (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//nicket/main.chm::/load.exe
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    Can anybody help me and tell me which file to fix?

    Please, I am new to this forum.

    Alessandro
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Alessandro,

    Have only HijackThis running and fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.106/search.php

    O4 - HKLM\..\Run: [Gremlin] C:\WINDOWS\SYSTEM\intrenat.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//nicket/main.chm::/load.exe
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    Restart PC after doing so in Safe Mode (Here's How) and remove:

    C:\WINDOWS\SYSTEM\intrenat.exe <- this file
    C:\WINDOWS\SYSTEM\winupd.exe <- this file

    Clean temporary internet files

    Restart again in normal mode

    Update IE at windowsupdate.com ASAP

    Hope this helps

    Cheers,
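The fix list above follows a small set of triage rules that an analyst applies by eye to a HijackThis log: browser start and search settings pointing at a bare IP address, O16 DPF entries loaded through ms-its: or file:// instead of a web URL, and an O4 Run entry whose binary name is a near-miss of a real system file (intrenat.exe against internat.exe). The script below is an added example, not HijackThis code and not Unzy's own method; it encodes those three rules over a handful of lines copied from the log posted above (the sample is constructed from that log with two known-good entries mixed in). The list of legitimate Windows 9x/ME binaries used for the look-alike check is an assumption, and the rules deliberately do not catch winupd.exe, which shows why the analyst still reads the whole O4 list rather than trusting a filter.

```python
import re
from urllib.parse import urlsplit

# Triage rules over HijackThis-style log lines, defender's view:
#   R0/R1 - browser start/search settings whose URL host is a bare IPv4 literal
#   O16   - Download Program Files (DPF) entries fetched via a non-http(s) scheme
#   O4    - Run/RunServices entries whose binary name is a near-miss of a system file
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
RAW_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption (not from the thread): a few legitimate Windows 9x/ME startup binaries
# that a hijacker might imitate by swapping or dropping a letter or two.
KNOWN_GOOD_BINARIES = {"internat.exe", "taskmon.exe", "systray.exe", "scanregw.exe"}

# Constructed sample: lines taken from the log in the thread, plus benign entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [Gremlin] C:\WINDOWS\SYSTEM\intrenat.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//nicket/main.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute, adjacent swap."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def run_entry_binary(body: str) -> str:
    """Extract the lower-cased executable name from an O4 body, honouring quoted paths."""
    cmd = body.split("] ", 1)[1].strip() if "] " in body else body.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]          # quoted path may contain spaces
    else:
        path = cmd.split()[0] if cmd else ""     # first token, arguments dropped
    return re.split(r"[\\/]", path)[-1].lower()


def triage(log_text: str) -> list:
    """Return one finding dict per log line that trips a rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, blank line
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            host = urlsplit(body.split(" = ", 1)[1].strip()).hostname or ""
            if RAW_IPV4.match(host):
                findings.append({"kind": kind, "line": line, "host": host,
                                 "reason": f"browser setting points at raw IP {host}"})
        elif kind == "O16" and " - " in body:
            target = body.rsplit(" - ", 1)[1].strip()
            scheme = target.split(":", 1)[0].lower()
            if scheme not in ("http", "https"):
                findings.append({"kind": kind, "line": line,
                                 "reason": f"DPF object loaded via {scheme}: scheme"})
        elif kind == "O4" and "] " in body:
            exe = run_entry_binary(body)
            if exe not in KNOWN_GOOD_BINARIES:
                for good in sorted(KNOWN_GOOD_BINARIES):
                    if osa_distance(exe, good) <= 2:
                        findings.append({"kind": kind, "line": line, "lookalike": good,
                                         "reason": f"{exe} is a near-miss of {good}"})
                        break
    return findings


def hosts_to_fix(findings: list) -> list:
    """Distinct raw-IP hosts seen in R0/R1 findings; every entry naming one gets fixed."""
    return sorted({f["host"] for f in findings if "host" in f})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['reason']}\n     {f['line']}")
    print("hosts to fix:", hosts_to_fix(triage(SAMPLE_LOG)))
```

Run as-is it flags the two raw-IP browser settings, the intrenat.exe look-alike and both non-web DPF entries, and reports 69.31.79.106 as the host every R0/R1 line must be cleared of; winupd.exe passes every rule, which is the point of the last sentence in the lead-in.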
     
  3. alessandrocancian

    alessandrocancian Registered Member

    Joined:
    May 26, 2004
    Posts:
    15
    I did it and it works.

    Thanks

    Ale
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    You're welcome :)

    Good job cleaning up

    Take care

    Cheers,
     