IE hijack (find-online.net): problem statement & log

Discussion in 'adware, spyware & hijack cleaning' started by rizzuto, Apr 4, 2004.

Thread Status:
Not open for further replies.
  1. rizzuto

    rizzuto Registered Member

    Joined:
    Apr 4, 2004
    Posts:
    5
    Thanks for your kind help:

    System/Software: Win98, Using Ad-Aware for Step 1.

    Problem: Home page in IE has been switched to the find-online.net site, and links to this site were placed in my Favorites folder. (My Home page in Netscape has not been changed). I found instances of “find-online” in the registry (for example, in the Start Page, Search Bar, and Search Page of IE) and removed those instances using the Registry Editor, but the bad definitions return when I reboot the system. A search tool that I have finds instances of “find-online.net” in System.dat, User.dat, and ShellIconCache in my /Windows folder.

    HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:14:07 AM, on 4/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDATE.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NOADS\NOADS.EXE
    C:\WINDOWS\SVCHOST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\EVENUMD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\My Documents\Mr Topaz's Links.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
    F1 - win.ini: run=hpfsched
    N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\My Documents\\Mr Topaz's Links.htm"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "C:\\My Documents\\Mr Topaz's Links.htm"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\mb9d3tn2.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\mb9d3tn2.slt\prefs.js)
    O1 - Hosts: 66.40.16.218 auto.search.msn.com
    O1 - Hosts: 66.40.16.227 www.yahoo.org
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\program files\mcafee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\program files\mcafee.com\Agent\mcupdate.exe /embedding
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [EVENUMD] C:\WINDOWS\SYSTEM\EVENUMD.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
    O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.7507986111
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webworks.webex.com/client/latest/webex/ieatgpc.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi rizzuto, welcome aboard :)

    Have only HijackThis running and fix the following :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm

    O1 - Hosts: 66.40.16.218 auto.search.msn.com
    O1 - Hosts: 66.40.16.227 www.yahoo.org

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [EVENUMD] C:\WINDOWS\SYSTEM\EVENUMD.exe
    O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE

    restart the PC after doing so in Safe Mode : Here's How and remove :

    C:\WINDOWS\SUSP.exe <- this file
    C:\WINDOWS\BELT.exe <- this file
    C:\WINDOWS\SYSTEM\EVENUMD.exe <- this file
    C:\WINDOWS\DESKTOP\ATIUPDATE5.EXE <- this file
    C:\WINDOWS\SVCHOST.EXE <- this file

    restart again in normal mode

    Hope this helps

    Cheers,
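    An added example, not from the thread and not part of HijackThis: a small Python triage script that applies the reasoning behind Unzy's fix list to lines in the posted log format, flagging R0/R1 entries that point at find-online.net, O1 hosts lines that map well-known names to non-loopback addresses, unnamed BHOs loaded from the Windows root, and autorun entries launched from the Windows root or Desktop. The sample lines are constructed from the log above; the allowlist of legitimate Windows 98 files is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in HijackThis 1.97 format, modelled on the log
# posted earlier in this thread (the find-online.net entries come from it).
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\My Documents\Mr Topaz's Links.htm",
    r"O1 - Hosts: 66.40.16.218 auto.search.msn.com",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX",
    r"O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE",
    r"O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe",
]

HIJACK_DOMAINS = {"find-online.net"}             # hijacker domain named in the thread
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}       # only addresses a clean hosts file should use
WIN98_ROOT_OK = {"scanregw.exe", "taskmon.exe"}  # assumed-legitimate Win98 files in C:\WINDOWS

def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].upper() if "\\" in path else ""

def triage(lines):
    """Return (reason, line) pairs for log entries worth a second look."""
    hits = []
    for line in lines:
        kind = line.split(" - ", 1)[0]               # R0, R1, O1, O2, O4, ...
        if kind in ("R0", "R1"):                      # IE start/search page settings
            target = line.split(" = ", 1)[1]
            host = urlparse(target).hostname or ""    # local .htm paths have no host
            if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
                hits.append(("IE start/search page points at hijacker domain", line))
        elif kind == "O1":                            # hosts file overrides
            ip, name = line.split("Hosts: ", 1)[1].split()
            if ip not in LOOPBACK:
                hits.append((f"hosts file redirects {name} to {ip}", line))
        elif kind == "O2":                            # Browser Helper Objects
            path = line.rsplit(" - ", 1)[1]
            if "(no name)" in line and _dirname(path) == r"C:\WINDOWS":
                hits.append(("unnamed BHO loaded from Windows root", line))
        elif kind == "O4":                            # Run / RunServices autostarts
            m = re.search(r'\] "?([^"]+?)"?(?: [-/]\S+)?$', line)  # strip quotes and switches
            exe = m.group(1) if m else ""
            name = exe.rsplit("\\", 1)[-1].lower()
            if _dirname(exe) in (r"C:\WINDOWS", r"C:\WINDOWS\DESKTOP") and name not in WIN98_ROOT_OK:
                hits.append(("autorun entry launching from Windows root or Desktop", line))
    return hits
```

Running `triage(SAMPLE_LOG)` yields four hits, one per category, and leaves the local Default_Page_URL, the localhost line, the Acrobat BHO and taskmon.exe alone.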
     
  3. rizzuto

    rizzuto Registered Member

    Joined:
    Apr 4, 2004
    Posts:
    5
    Absolutely brilliant, Unzy, your advice plus the s/w tools may have done the job. I see no sign of the home page being hijacked. Thanks for the help.

    I am a bit concerned about a few files, however. Doing a search for the string “find-online.net”, I see the following in the /Windows folder. Please let me know if you think further action is warranted.

    Thanks again, --Rizzuto


    C:\WINDOWS\USER.DAT
    Offset 0x3a093 - providergogfind-online.net/index.htm
    Offset 0x6837f - Search_stringfind-online.net
    Offset 0x683a8 - Search_string1find-online.net
    Offset 0x6a07e - Search_stringfind-online.net
    Offset 0x6a0a7 - Search_string1find-online.net
    Offset 0x6cb9d - FIND-ONLINE.net.url
    Offset 0x6cf6e - PORN FIND-ONLINE.net.url
    Offset 0x83ee8 - Start Pagefile:///C:/My%20Documents/Mr%20Topaz's%20Links.htmarch Pagehttp://www.find-online.net/index.htm
    Offset 0x83f22 - Search Barhttp://www.find-online.net/sp.htmine.net/sp.htmDebuggeryes
    Offset 0x83f72 - Search Barhttp://www.find-online.net/sp.htmh Asstno=ie&Pver=5.0&Ar=ie5update&O1=b1c
    Found 10 occurrences.

    C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
    Offset 0x50af3 - http://www.find-online.net/index.htm
    Offset 0x50c73 - http://www.find-online.net/style.css
    Offset 0x50df3 - http://www.find-online.net/images/go.gif
    Offset 0x50f73 - http://www.find-online.net/faq.htm
    Offset 0x510f3 - http://www.find-online.net/images/warning.gif
    Found 5 occurrences.
     