Security hijack help needed

[AlasKen]

Like others I have a computer with 2 security page problems. One creates the yellow triangle and popup message stating that I have a problem and click on the icon which goes to a web site. It is created to look like a windows message. The other issue is a home page hijack that take me to a security Security Center site name www dot homepagesecurity dot com I have tried for the last 6 hours to follow the Read and Run me first instructions. I was not able to get the bitdefender scan to work. After trying to download the virus definitions it gave me a message that it was unalbe to update them and the scan would not be accurate so I ended up skipping it. I am attaching the files suggested with the exception of the bit defender. I am running Norton antivirus 2006 and the definitions were up todate last night and Idid a complete scan. I am working on my daughters computer (23 y/o and not living at home) so I only get to work on it in the eveninigs so if I am slow responding it is not be design. I have 12 hours into this now. It appeared after a friend surfed some porn sites, or so the story goes. I will send the getrunkey and shownew as soon as I can find them. I think they are under the administrator acount as I ran them from both users. ANy help is greatly appreciated.

[AlasKen]

Here are the runkeys and newfiles attachments. When I ran the MS Windows malicious software removal it came back with no malicious software. The Spybot S D found one microsoft WidowsSecurityCenter_disabled file and said it fixed it. Windows defender was run in safe mode. Thanks again for any help. AlasKen

[AlasKen]

I am not sure if it matters but I noticed my email address was incorrect in my profile so I corrected it. Thanks in advance for your help. AlasKen

[Shadow_Puter_Dude]

Do you have a log from the BitDefender Online Scan?

[AlasKen]

I could not get bitdefender to run. It would get about 70% through loading virus definitions then would throw and unable to load virus definitions messageand state that a scan would be inaccurate so I didn't run that scan. I did run a Norton scan. Thanks..AlasKen

[Shadow_Puter_Dude]

Download
- Pocket Killbox

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it as this time we will do that later in Safe Mode.

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
"homepage.monitor.exe"=-
"pmsngr.exe"=-

Close Notepad.

In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:

Quote:

C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\IntCodec\isamini.exe

Choose Kill Process. Click on the "Back" Button

Click the 'Scan' button. Place a checkmark in the box next to the following lines:

Quote:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...//www.msn.com/
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/59/EN/html/gtdownlr.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  Quote:

  c:\GatorPatch.log
  c:\keys.ini
  c:\documents and settings\all users\desktop\Online Security Guide.url
  C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GDIFKPEB\safetyhomepage[2].htm
  C:\Program Files\IntCodec\iesplugin.dll
  C:\Program Files\IntCodec\isaddon.dll
  C:\Program Files\IntCodec\isamini.exe
  C:\Program Files\IntCodec\isamonitor.exe
  C:\Program Files\IntCodec\pmmon.exe
  C:\Program Files\IntCodec\pmsngr.exe
  c:\winnt\ss3unstl.exe
  C:\WINNT\system32\cd_clint.dll

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

Quote:

c:\GatorPatch.log <<=== Delete the File
c:\keys.ini <<=== Delete the File
c:\documents and settings\all users\desktop\Online Security Guide.url <<=== Delete the File
C:\Program Files\IntCodec <<=== Delete the Folder
c:\winnt\ss3unstl.exe <<=== Delete the File
C:\WINNT\system32\cd_clint.dll <<=== Delete the File

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

Post a fresh HijackThis log.

[AlasKen]

Thank you very much. I attempted to follow your instructions and I think things worked

When I ran HJT process manager non of the processes on your list were listed so I had nothing to kill.

The next process for fixing the checked files seemed to work as expected.

I ran Killbox and all seemed to work.

I did not get the PendingFileRenameOperations.

When I went to Windows Explorer the only file I found was C:\Program FIles\intCodec folder and I deleted it with no problem.

I ran CCleaner

And then deleted the contents of WINNT\Prefetch and deleted 17 items.

I ran cleanmgr and selected the files stated.

On reboot I was able to set my homepage without a hi jack. Very cool. I haven't received teh other annoying popups either.

I am attaching the new HJT file

I truly appreciate the time you spent on this.

AlasKen

[AlasKen]

I have also followed the thread on "How to protect yourself from malware" to try and prevent future occurrances. I have not reset the system point recovery until I know it is time. Thanks again. AlasKen

[AlasKen]

Oops. After reviewing all the steps I realized that I forgot to rename HighJackThis so I renamed it and ran it again. Sorry for the inconvenience. Again thanks for the help. AlasKen

[Shadow_Puter_Dude]

<< The installed version of Java on this compter is out-dated. Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer, before installing the latest version of Java. >>

Otherwise your log is clean.

Flush all your restore points and create a new clean one for your system.

Disable And Enable System Restore
How to Protect yourself from malware!

Safe surfing.

[AlasKen]

Dude your the best.

Not sure why JAVA was out of date as I downloaded it over the weekend. No matter I will try again. I am very thankful for your help. However my daughter is even happier!!! Thanks..AlasKen

[Shadow_Puter_Dude]

Quote:

Originally Posted by AlasKen

Dude your the best.

Not sure why JAVA was out of date as I downloaded it over the weekend. No matter I will try again. I am very thankful for your help. However my daughter is even happier!!! Thanks..AlasKen

The update to Java was just released the other day.

You're welcome.

[AlasKen]

All nasties appear to be gone. Great job and thanks.

As a followup when I start it seems to take a long time ~5 minutes before everything loads. It seems that a lot of processes are starting in the background. While the load takes place everything slows to a crawl even though NAV and other process appear to be finished. Screens get choppy and you can see the screen refresh taking place. Once everything loads everything sppeds back up. Would this be something I should ask about on the software forum? I will start a new thread if that is appropriate. Thanks again for the help.

[Shadow_Puter_Dude]

Determine what you don't need to load when windows starts, then configure the programs to not load at system start.

[AlasKen]

:
Sorry to be dense but what is the proper way to determine what is actually loading at system start and how do I configure it? I do understand that msconfig is not the proper way to disable it but not sure if there is a tool to simplify the process. Thanks again. As an update my daughter reports that all is running with a heightened sense of safe surfing. Great job. AlasKen

[Shadow_Puter_Dude]

FOr the ones that use a registry enter they usually show in HijackThis, simply marking and click fix will remove the entry fromteh registry. Then the programs won't start. Others can be found in the Startup folder. Either under all users or the logged on user.