Start Page hijacked, pop ups keep popping need help!

Discussion in 'adware, spyware & hijack cleaning' started by soda1yes, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. soda1yes

    soda1yes, Registered Member. Joined: Jun 3, 2004. Posts: 1
    A week ago I was infected with something and now I have a start page that I did not initiate. My AVG antivirus is constantly telling me that I have a Trojan Horse Dialer .8.U and assorted others on my system, but when I run a scan nothing will be detected, or it will detect but the problem comes back. I have used Noadware and Spybot Search and Destroy, but all problems come back. I need help please! Below is my HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:12:25 PM, on 6/3/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$KELLEYBLUEBOOK\Binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Internet Explorer\Iesearch.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Richard\Application Data\ouod.exe
    C:\WINDOWS\System32\wcpcc.exe
    C:\Program Files\BLUEBOOK\KARPOWER 2\KBBScheduler.exe
    C:\WINDOWS\system32\cleanmgr.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://best.omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best.omega-search.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://best.omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://best.omega-search.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe
    O4 - HKCU\..\Run: [Stet] C:\Documents and Settings\Richard\Application Data\ouod.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe
    O4 - HKCU\..\Run: [MicroAttuneDownload] "C:\Program Files\Aveo\Attune\Updater0\atmdlusr.exe" -run
    O4 - Global Startup: Aveo Attune.lnk = ?
    O4 - Global Startup: Instant Update Reminder.lnk = ?
    O4 - Global Startup: KBBScheduler.lnk = C:\Program Files\BLUEBOOK\KARPOWER 2\KBBScheduler.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://66.229.34.94/TSWEB/msrdp.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37241.0786689815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_4_0.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3CE2B6-1A56-4C3B-B2AF-DC133058FFBF}: NameServer = 64.169.140.6,206.13.28.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2A3CE2B6-1A56-4C3B-B2AF-DC133058FFBF}: NameServer = 64.169.140.6,206.13.28.12
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2A3CE2B6-1A56-4C3B-B2AF-DC133058FFBF}: NameServer = 64.169.140.6,206.13.28.12

    Appreciate any help ....
    Thanks
    Soda1yes
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS, Former DCS Moderator. Joined: Feb 10, 2002. Posts: 2,080. Location: Perth, Western Australia
    Hi,

    Close all browser windows, and tick the boxes next to these items.
    Then choose Fix Selected, and reboot.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://best.omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best.omega-search.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://best.omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://best.omega-search.com/

    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe

    O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe

    O4 - HKCU\..\Run: [Stet] C:\Documents and Settings\Richard\Application Data\ouod.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe


    After rebooting, please send these files to submit@diamondcs.com.au, then delete them:

    C:\Program Files\Internet Explorer\Iesearch.exe
    C:\Program Files\Common Files\svchost.exe
    C:\Documents and Settings\Richard\Application Data\ouod.exe
    C:\WINDOWS\System32\wcpcc.exe
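
An added example, not part of either post and not DiamondCS code: a small Python triage pass over lines copied from the log above. The three rules (a system process name outside System32, an autostart from a profile's Application Data folder, an ActiveX codebase that is a local file) are assumptions of this example, not the reasoning given in the reply.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Lines copied from the HijackThis log in the first post of this thread.
LOG = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [olehelp] C:\Program Files\Common Files\svchost.exe
O4 - HKCU\..\Run: [Stet] C:\Documents and Settings\Richard\Application Data\ouod.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Names the log's own process list shows running from System32 (assumed baseline).
SYSTEM_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe"}

RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(.+?)\] (.+)$")
DPF = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}).* - (\S+.*)$")
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.I)  # quoted path, or text up to .exe

def findings(log):
    """Return (entry, reason) pairs for O4 Run and O16 DPF lines that trip a rule."""
    out = []
    for line in log.splitlines():
        run = RUN.match(line.strip())
        dpf = DPF.match(line.strip())
        if run:
            name, cmd = run.groups()
            m = EXE.match(cmd)
            path = (m.group(1) or m.group(2)) if m else cmd
            exe, folder = basename(path).lower(), dirname(path).lower()
            if exe in SYSTEM_NAMES and not folder.endswith(r"\system32"):
                out.append((name, "system process name outside System32"))
            elif folder.endswith(r"\application data"):
                out.append((name, "autostart directly from Application Data"))
        elif dpf and dpf.group(2).lower().startswith("file://"):
            out.append((dpf.group(1), "ActiveX codebase is a local file"))
    return out

if __name__ == "__main__":
    for item, why in findings(LOG):
        print(f"{item}: {why}")
```

The [WINT] entry for wcpcc.exe, which the reply also lists, passes all three rules, so checks like these narrow a log down but do not replace a reviewer.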
     