IE hijack (find-online.net): problem statement & log

Discussion in 'adware, spyware & hijack cleaning' started by rizzuto, Apr 4, 2004.

Thread Status:
Not open for further replies.
  1. rizzuto (Registered Member; joined Apr 4, 2004; 5 posts)
    Thanks for your kind help:

    System/Software: Win98, Using Ad-Aware for Step 1.

    Problem: Home page in IE has been switched to the find-online.net site, and links to this site were placed in my Favorites folder. (My Home page in Netscape has not been changed). I found instances of “find-online” in the registry (for example, in the Start Page, Search Bar, and Search Page of IE) and removed those instances using the Registry Editor, but the bad definitions return when I reboot the system. A search tool that I have finds instances of “find-online.net” in System.dat, User.dat, and ShellIconCache in my /Windows folder.

    HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:14:07 AM, on 4/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDATE.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NOADS\NOADS.EXE
    C:\WINDOWS\SVCHOST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\EVENUMD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\My Documents\Mr Topaz's Links.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
    F1 - win.ini: run=hpfsched
    N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\My Documents\\Mr Topaz's Links.htm"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "C:\\My Documents\\Mr Topaz's Links.htm"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\mb9d3tn2.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\mb9d3tn2.slt\prefs.js)
    O1 - Hosts: 66.40.16.218 auto.search.msn.com
    O1 - Hosts: 66.40.16.227 www.yahoo.org
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\program files\mcafee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\program files\mcafee.com\Agent\mcupdate.exe /embedding
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [EVENUMD] C:\WINDOWS\SYSTEM\EVENUMD.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
    O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.7507986111
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webworks.webex.com/client/latest/webex/ieatgpc.cab
  2. Unzy (Registered Member; joined Nov 2, 2003; 1,098 posts; Location: Belgium)
    Hi rizzuto, welcome aboard :)

    Have only HijackThis running and fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm

    O1 - Hosts: 66.40.16.218 auto.search.msn.com
    O1 - Hosts: 66.40.16.227 www.yahoo.org

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [EVENUMD] C:\WINDOWS\SYSTEM\EVENUMD.exe
    O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE

    Restart the PC in Safe Mode after doing so (Here's How) and remove:

    C:\WINDOWS\SUSP.exe <- this file
    C:\WINDOWS\BELT.exe <- this file
    C:\WINDOWS\SYSTEM\EVENUMD.exe <- this file
    C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE <- this file
    C:\WINDOWS\SVCHOST.EXE <- this file

    Restart again in normal mode.

    Hope this helps

    Cheers,
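A small triage script, added here as an example and not part of the thread or of HijackThis itself, that parses entries in the log format above and applies the same kinds of checks Unzy's fix list reflects: IE start/search values pointing at the hijacker domain, hosts-file lines sending a real site to a remote IP, unnamed BHOs loaded from outside Program Files, and autostarts in the Windows root or Desktop folder that a clean baseline does not contain. The hijacker-host set and the baseline file names are assumptions an analyst would maintain; the sample lines are copied from the log above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis entries quoted in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\My Documents\Mr Topaz's Links.htm
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
"""
# Assumed analyst knowledge (not from the thread): hosts known as hijackers, and
# autostart file names recorded from a clean Win98 install of the same machine.
HIJACK_HOSTS = {"find-online.net"}
BASELINE_AUTOSTARTS = {"taskmon.exe", "scanregw.exe", "loadqm.exe"}
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

def parse_line(line):
    # Split "O4 - HKLM\..\Run: [x] y" into ("O4", "HKLM\..\Run: [x] y"); None if not an entry.
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(entry):
    # Return why an entry looks like part of the hijack, or None if the rules pass it.
    code, detail = entry
    if code in ("R0", "R1"):  # IE start/search page values
        host = urlsplit(detail.split(" = ", 1)[-1]).hostname or ""
        if any(host == h or host.endswith("." + h) for h in HIJACK_HOSTS):
            return f"IE setting points at hijacker host {host}"
    elif code == "O1":  # hosts-file override sending a real site elsewhere
        ip, name = detail.split()[1:3]
        if not ip.startswith("127."):
            return f"hosts file sends {name} to remote IP {ip}"
    elif code == "O2":  # browser helper object with no vendor name outside Program Files
        path = detail.rsplit(" - ", 1)[-1]
        if "(no name)" in detail and "\\PROGRAM FILES\\" not in path.upper():
            return f"unnamed BHO loaded from {path}"
    elif code == "O4":  # Run/RunServices autostart in an odd folder and not in the baseline
        raw = detail.split("] ", 1)[-1]
        target = raw[1:].split('"')[0] if raw.startswith('"') else raw.split(" ")[0]
        folder, _, name = target.rpartition("\\")
        if folder.upper() in ("C:\\WINDOWS", "C:\\WINDOWS\\DESKTOP") and name.lower() not in BASELINE_AUTOSTARTS:
            return f"autostart {name} in {folder} is not in the clean baseline"
    return None

def suspicious_entries(log_text):
    # Map each flagged log line to its reason: the analyst's 'fix these' list.
    return {line: reason for line in log_text.splitlines()
            if (entry := parse_line(line)) and (reason := triage(entry))}
```

Entries the rules pass (the local Default_Page_URL, the Acrobat BHO, scanregw.exe) are left out of the result, so the output is the subset of the log to review and fix rather than the whole log.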
  3. rizzuto (Registered Member; joined Apr 4, 2004; 5 posts)
    Absolutely brilliant, Unzy, your advice plus the s/w tools may have done the job. I see no sign of the home page being hijacked. Thanks for the help.

    I am a bit concerned about a few files, however. Doing a search for the string “find-online.net”, I see the following in the /Windows folder. Please let me know if you think further action is warranted.

    Thanks again, --Rizzuto


    C:\WINDOWS\USER.DAT
    Offset 0x3a093 - providergogfind-online.net/index.htm
    Offset 0x6837f - Search_stringfind-online.net
    Offset 0x683a8 - Search_string1find-online.net
    Offset 0x6a07e - Search_stringfind-online.net
    Offset 0x6a0a7 - Search_string1find-online.net
    Offset 0x6cb9d - FIND-ONLINE.net.url
    Offset 0x6cf6e - PORN FIND-ONLINE.net.url
    Offset 0x83ee8 - Start Pagefile:///C:/My%20Documents/Mr%20Topaz's%20Links.htmarch Pagehttp://www.find-online.net/index.htm
    Offset 0x83f22 - Search Barhttp://www.find-online.net/sp.htmine.net/sp.htmDebuggeryes
    Offset 0x83f72 - Search Barhttp://www.find-online.net/sp.htmh Asstno=ie&Pver=5.0&Ar=ie5update&O1=b1c
    Found 10 occurrences.

    C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
    Offset 0x50af3 - http://www.find-online.net/index.htm
    Offset 0x50c73 - http://www.find-online.net/style.css
    Offset 0x50df3 - http://www.find-online.net/images/go.gif
    Offset 0x50f73 - http://www.find-online.net/faq.htm
    Offset 0x510f3 - http://www.find-online.net/images/warning.gif
    Found 5 occurrences.