Help! Need some software here.

Okay, Eveytime I restart my computer, My homepage get reset to: http://www.search2004.net/hp.htm?id=9, and I get 4 pornography link added to my favorites. My Browser is being badly hijacked. All the viruses are off the drive, and I've scanned with SpyBot, Ad Aware, HijackThis!, and AVG Antivirus, and get rid of all the valid files that I can get rid of without rendering my system useless. I really need somw suggestions or software that can get me out of this mess and stop this! Help!

 

http://housecall.antivirus.com

Also, uncheck enable third party browser extensions under Internet Options, advanced tab. Does that help?

 

Should I scan with HijackThis! and Ad Aware after scanning with this? and restarting to try it out?

 

Can you post your hijack file
there might be more than just that one


I think your problem is the control.exe in the windows dir
remove the regkey for it at HKCU\Software\Microsoft\Windows\CurrentVersion\Run
clean porn bookmarks set startpage and reboot

your problem should be gone ( i finally delete the control.exe too)
because i found out over regmon that it hacks the ie settings and i think
it creates this it.bat or load.exe or hp.htm too which sometimes (but not ever) appeared in my windows folder

http://forums.tomcoyote.org/index.php?showtopic=1294

This link will give you a fix for it I hope it helps
read the replies and then check your computer

let us know

 

Here's my log file:
---

Logfile of HijackThis v1.97.2
Scan saved at 7:19:22 PM, on 1/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\Program Files\Restore Desktop\RestoreDesktop.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jer\Desktop\Stuff\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aesoponline.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [MessengerAdBlocker] "C:\PROGRA~1\Atory\MESSEN~1\MESSEN~1.EXE" -startup
O4 - HKCU\..\Run: [Restore Desktop] "C:\Program Files\Restore Desktop\Restore Desktop.exe"
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [TJAHHXBKYVO] C:\WINDOWS\VBTTKEUJQQ.exe
O4 - Startup: Scanner Utilities.lnk = C:\WINDOWS\TWAIN_32\AOC\F-610\SCANER32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.6546296296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A85601-337D-4542-A035-21E52C6EB1E4}: NameServer = 206.26.113.2

---
I know the top three need to go, But I'm letting House Call get done before delteing them and restarting my comp. Anything else look suspicious here? I don't see any control.exe files.. phew.

 

Only glanced through it.

wupdater.exe is spyware.

 

Okay I just deleted it and everything that contained http://www.windowws.cc/sp.htm?id=9, and Before I read your post I just restarted after using the House Call Scan and deleting everything that contained http://www.windowws.cc/sp.htm?id=9, And everythin came back. man, I really gotta fix this soon.

 

O4 - HKCU\..\Run: [TJAHHXBKYVO] C:\WINDOWS\VBTTKEUJQQ.exe

Dunno what it is, but when Google don't show it, and it appears as random characters, I think spyware or virus.

Back it up and nuke it.


Also, as a hunch, get the qhosts removal tool from www.sarc.com and run it.

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

 

Alright, I'm getting it now, Should this fix the problem?

 

already tried CWShredder..

 

And my suggestions?

Results?

 

Well I used Trojan.Qhosts, and it said nothing was found, But I turned off System Restore before I rebooted and nothing came back, So I'm pretty sure that was just bringing all the bad files back, So as of now, I'm cured! THanks everyone! THanks so much, Espicially to Adrynalyne!