Hello Everyone!
This is my first time posting here (and probably not the last).
Anyway, I got a really weird problem.
1. My homepage has been hijacked and I get redirected when I do a search. CWShredder and Spybot Search and Destroy do not solve this problem.
2. I have MSN. When I click the little envelope to check my mail, a screen pops up that says "Click the program you want to use to open the file MSN75.mailhost"
3. Something called C:\Windows\ht.hta has been installed into my computer.
4. (And this is the weirdest problem.) Well, my friend came over and installed Doom 2. When he left, I uninstalled it (because it is a bullsh!t game) and did a search in my computer for 'doom 2' to see if there were any files left. Well, when I did this about 1,000 came up dating back from 95. This wouldn't be a problem, but I just reformatted my computer. I need a lot of help.
Ok, I am computer illiterate so please bear with me.
And please, please reply please. I am desperate and considering reformatting my computer again.
I will post my HijackThis! log if it is requested.

Okay, listen, I need you to do this:
Hit these keys: Control + Alt + Delete
and tell me what is running
After you tell me what is running i will know what to do next

Ok, thanks for replying
This is what's running
Computing.Net-A hell of a lot of problems
Explorer
C:\WINDOWS\odbc.hta
Msnmsngr
Psfree
Anticwd32
Wkufind
A
Please, please reply

Hi ShawshankRedemption, Metthew, hello everyone,
ShawshankRedemption,
Post your hijackthis log.
Best Regards,
Mesich

Ok, this is my log.
Logfile of HijackThis v1.97.7
Scan saved at 2:33:34 PM, on 6/27/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\ATICWD32.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.exe
C:\WINDOWS\SYSTEM\A.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\AIM\AIM.exe
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\MY DOCUMENTS\MY DOWNLOADS\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VortexTray] ASP4TRAY.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe"
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\color.css

Hi ShawshankRedemption, hello everyone
Remove the following using hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O19 - User stylesheet: C:\WINDOWS\color.css
Restart the computer.
Go to C:\Windows\Temp and delete all of the files in that folder.
In C:\Windows delete ex.htm
In C:\Windows\System delete A.exe
Restart the computer again.
Best Regards,
Mesich

Ok, I did all that. But I found a lot of files that said modified from 01 (keeping in mind I reformatted in January) that had QTV.dll. I deleted a lot of them. What were they?
Anyway, this is my new HijackThis log.
Logfile of HijackThis v1.97.7
Scan saved at 10:32:13 PM, on 6/27/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\ATICWD32.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\MY DOCUMENTS\MY DOWNLOADS\HIJACKTHIS.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VortexTray] ASP4TRAY.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe"
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Also, do you think I should go through my computer and delete all the files that said they were modified before I reformatted? Because they take up a lot of information. I have nothing in my computer except them.

Hi ShawshankRedemption, hello everyone
Your log is spotless. Restart the computer and run hijackthis again and post a new log.
Also, do you think I should go through my computer and delete all the files that said they were modified before I reformatted?
I'm not sure what files you are talking about.
Best Regards,
Mesich
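
One way to check a follow-up scan against a removal list like the one posted above, as an added example that is not part of the original thread. The function names `parse_entries` and `verify_cleanup` are hypothetical, and the sample scans are constructed from a few entries quoted in the thread, with the "after" scan deliberately leaving one entry behind.

```python
import re

# Section code, then the entry body, e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (code, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # bodies are lowercased so the comparison ignores case
            entries.add((m.group(1), m.group(2).strip().lower()))
    return entries

def verify_cleanup(fix_list, before, after):
    """Compare a removal list against the scans taken before and after the fix."""
    wanted = parse_entries(fix_list)
    old, new = parse_entries(before), parse_entries(after)
    return {
        "still_present": sorted(wanted & new),             # fix did not stick
        "not_in_before": sorted(wanted - old),             # mistyped in the fix list
        "unexpected_new": sorted(new - old),               # appeared since first scan
        "removed_unlisted": sorted((old - new) - wanted),  # gone but never listed
    }

# Constructed samples (a few entries taken from the thread, not a full log).
BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.exe
O19 - User stylesheet: C:\WINDOWS\color.css
"""
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.exe
O19 - User stylesheet: C:\WINDOWS\color.css
"""
AFTER = r"""O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O19 - User stylesheet: C:\WINDOWS\color.css
"""

if __name__ == "__main__":
    for name, items in verify_cleanup(FIX_LIST, BEFORE, AFTER).items():
        print(name, items)
```

An entry under `still_present` after a reboot means something is rewriting it at startup, so the loader has to be found before the entry is removed again.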

Well, I reformatted January 18, 2004. However, there are files in there that say they were modified from 1995-2003. I thought they might be spyware or a virus. I wanted to know if I should delete them. They are taking up a lot of information.

Well, I just restarted and my homepage is still hijacked and my search engine is still redirected. But this is my log
Logfile of HijackThis v1.97.7
Scan saved at 12:21:24 AM, on 6/28/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\ATICWD32.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe
C:\MY DOCUMENTS\MY DOWNLOADS\HIJACKTHIS.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VortexTray] ASP4TRAY.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe"
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Yeah, it looks OK.
I think hijackthis would have caught any entries here, but run msconfig and open win.ini. Expand the [windows] section and post back anything listed in the run= and load= lines.
Then open system.ini and expand the [boot] section. There will be a shell=Explorer.exe line there. Is anything else listed in that line?
Also did you manually reset your homepage to 'blank' or whatever your desired homepage is?
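
The win.ini and system.ini check described in the post above, written as a script (an added example, not part of the original thread). The function names are hypothetical, the two .ini texts and the `example1.exe` / `example2.exe` paths are constructed samples, and paths are assumed to be in 8.3 short form without spaces.

```python
def ini_section(text, name):
    """Return {key: value} for one [section] of a Win9x-style .ini file."""
    values, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip().lower() == name.lower()
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def ini_autostarts(win_ini, system_ini):
    """List what win.ini run=/load= and system.ini shell= start at boot."""
    findings = []
    windows = ini_section(win_ini, "windows")
    for key in ("run", "load"):
        # Several programs may be listed, separated by spaces or commas.
        for item in windows.get(key, "").replace(",", " ").split():
            findings.append(("win.ini", key, item))
    shell = ini_section(system_ini, "boot").get("shell", "").split()
    # The expected line is exactly "shell=Explorer.exe"; report anything else.
    if shell[:1] and shell[0].lower() != "explorer.exe":
        findings.append(("system.ini", "shell", shell[0]))
    for extra in shell[1:]:
        findings.append(("system.ini", "shell", extra))
    return findings

# Constructed sample files: one run= entry and one program appended to shell=.
WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\TEMP\example1.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = r"""[boot]
shell=Explorer.exe C:\WINDOWS\TEMP\example2.exe
system.drv=system.drv
"""

if __name__ == "__main__":
    for source, key, program in ini_autostarts(WIN_INI, SYSTEM_INI):
        print(f"{source} {key}= {program}")
```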

Ok, last post until you reply. There are files with no itke name. Only random numbers and letters. Do you think those are harmful?

They should only be harmful if they're loading.
Are the files all the same size? Viruses often copy themselves as different names but the size is usually always the same.

No, they vary. But they say it was modified from 95-03. This surprised me because I reformatted in January 04. What should I do?

The modified date could just be the date the original file was created. It's not necessarily the date it appeared on your computer.
But because they often change their names, most of the time virus-added files display the date they appeared on your computer.
Post back some of the file names (with extensions) that you're concerned about.

Ok, thanks for the reply.
Here are a few examples:
1. load21.exe
2. Vscli32.dll
3. Ucm_32.dll
4. MXTARGET.DLL12
5. Kernal32.dll
6. CP_852.nls
Those are just a few. There are literally thousands in my computer like that. And my hijack problem still isn't fixed.

Ok, sorry. I just noticed your first post here. And I tried manually resetting it. But it keeps changing from MSN to about:blank.
There was nothing listed under boot and load.
And nothing else was listed next to shell.

Is #5 kernAl32.dll or kernEl32.dll? If it's kernal32.dll then possibly it's a virus file:
http://inetexplorer.mvps.org/answers_5.htm#kernal32
At least some of the others are legitimate files.
Change your homepage to MSN then close IE. Open it again and if it's set to blank then change it to MSN again. Do that once or twice more as I've noticed it sometimes doesn't 'take' the first time.
Dll files are dynamic link library files and are necessary. Most software uses them. There's no way to distinguish between a dll file used by a virus and one used legitimately other than doing a search for the file name.
You might want to run cwshredder again.

Well, I think I might have to reformat my computer again. Nothing seems to be working. Cwshredder came up empty. Ad-aware and spybot got rid of about 100 files together, but all my problems still remain. Thanks anyway. If you have some last ditch solution I could use it.

Run MSCONFIG and click the STARTUP tab. Post back what's listed. Hijackthis should have found what's listed there too but give it a try.

Load Power Profile is OK. Vortex tray is associated with a sound card. However I couldn't find any references to 'Antcwd32'. Are you sure you spelled it right?
And mswspl came back as a possible problem:
Try unchecking both those items and reboot. Run msconfig--startup again to make sure they stay unchecked. See if there's any improvement.

Here's a page with more English on it:
There's a link there for the trendmicro online virus check that you should do if you haven't already (or do it again if you have).

Ok, we made some progress. When I unchecked those two (and it was spelled right) and restarted, the MSN home page came up, but I am still being redirected in my search.

Ok, I tried that virus online scan, but when the page was loading I received an "MSN internal error message" that said "We're sorry, but MSN has experienced an internal error and will have to restart."
I restarted my computer and tried it a number of times, but it doesn't work. I keep getting that same message. Do you know of another scan I could use or that I could download (I have used Spybot Search and Destroy and Ad-aware, but it doesn't help)?

Here's another one:
http://www.pandasoftware.com/activescan/
You may need to temporarily lower your security settings for an online scan to run. To do this click 'tools' in the IE toolbar, then 'internet options', then the 'security' tab. Then lower the setting.
You may also need to do a CTRL-ALT-DEL and shut down some of the stuff running in the background.
I think you've got a regular virus that adaware and spybot and such won't fix. There's probably some spyware problem also but first see what a regular virus scan shows.
I don't know if I posted this above but to permanently remove registry (and other) references calling startup files you may want to check my post in this thread:
http://computing.net/windows95/wwwboard/forum/159473.html
