Hompage hijacked by 69.31.79.106

Discussion in 'adware, spyware & hijack cleaning' started by alessandrocancian, May 27, 2004.

Thread Status:
Not open for further replies.
  1. alessandrocancian

    alessandrocancian Registered Member

    Joined:
    May 26, 2004
    Posts:
    15
    Hallo,
    I had my hompage hijacked by a persistent trojan.
    I scanned with Hijackthis ant this is the log.

    Logfile of HijackThis v1.97.7
    Scan saved at 10.57.26, on 27/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAMMI\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ALISNDMG.EXE
    C:\WINDOWS\LTSMMSG.EXE
    C:\PROGRAMMI\ACER\POWERKEY\POWERKEY.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPLPR.EXE
    C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPENH.EXE
    C:\WINDOWS\SYSTEM\KEYMAP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMMI\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAMMI\DAP\DAP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.106/search.php
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMMI\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMMI\DAP\DAPBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMMI\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMMI\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [AcerPowerkey] "C:\Programmi\Acer\Powerkey\Powerkey.exe"
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Programmi\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Programmi\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [VolKey] C:\WINDOWS\SYSTEM\Keymap.exe
    O4 - HKLM\..\Run: [Launch App] c:\DMSINFO\launapp.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
    O4 - HKLM\..\Run: [Gremlin] C:\WINDOWS\SYSTEM\intrenat.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download using Offline &Explorer - file://C:\PROGRAMMI\OFFLINE EXPLORER\Add_UrlO.htm
    O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\PROGRAMMI\OFFLINE EXPLORER\Add_AllO.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Organizzatore ricerche (HKLM)
    O9 - Extra button: SUPER NOVITA' (HKLM)
    O9 - Extra 'Tools' menuitem: Strumento Super Internet (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//nicket/main.chm::/load.exe
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    Can anybody help me and tell me which file to fix?

    Please, I am new in this forum.

    Alessandro
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Allessandro,

    Have only HijackThis running and fix :

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.106/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.106/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.106/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.106/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.106/search.php

    O4 - HKLM\..\Run: [Gremlin] C:\WINDOWS\SYSTEM\intrenat.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//nicket/main.chm::/load.exe
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    Restart PC after doing so in Safe Mode : Here's How and remove :

    C:\WINDOWS\SYSTEM\intrenat.exe <- this file
    C:\WINDOWS\SYSTEM\winupd.exe <- this file

    Clean temp internet files

    Restart again in normal mode

    Update IE at windowsupdate.com asap

    Hope this helps

    Cheers,
     
  3. alessandrocancian

    alessandrocancian Registered Member

    Joined:
    May 26, 2004
    Posts:
    15
    I did it and it works.

    Thanks

    Ale
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    You're welcome :)

    Good job cleaning up

    Take care

    Cheers,
     
Thread Status:
Not open for further replies.