home page mystery

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by xerxes74, May 29, 2004.

  1. xerxes74

    xerxes74 Private E-2

    I have a problem, two really. When I open Internet Explorer my home page always sets to c:\windows\geo.html and it says warning you have been visiting pedo sites your life is in danger. When I try to go to another page a blue screen comes up that says I have spyware. The company is Privacy Outpost and every time I try to remove it on their site my computer freezes. I can Ctrl-Alt-Delete the blue screen away but it is a pain. Also an x shortcut comes up on my home page with sex under it or sometimes it says f**k and an internet site opens up with "f**russian teens" on it. I have tried Ad-aware, I have Norton, I have tried Spybot and HijackThis and nothing helps. Any ideas? Help?
     
  2. DanTekGeek

    DanTekGeek Master Sergeant

    Sounds like you have a few spyware programs, but we can help you get rid of them. First: download HijackThis ( http://majorgeeks.com/download.php?det=3155 ) and do not do anything but post the results here. Post the results by saving the log file; it will open in a text file, just copy and paste. After we handle that we can see if you have any other spyware.


    Edit: I know you have tried HijackThis, but maybe we can find something you have missed :)
     
  3. schism

    schism Private E-2

    First of all... do the Russian women really bother you that much???... JK!!! Try Spybot Search and Destroy; besides being a GREAT spyhunter, it has a feature that LOCKS your IE homepage to one that you specify (in advanced mode I think): http://www.safer-networking.org/ You may also wanna get a pop-up blocker like the Google toolbar!!! Hope this helps


    PS: DO THE RUSSIAN WOMEN REALLY BOTHER YOU THAT MUCH???


    (SORRY FOR THE POST AFTER HIS LAST ONE, I guess I was typing when you were pressing the ENTER button, but I hope mine also helps)

    DO THE RUSSIAN WOMEN REALLY BOTHER YOU THAT MUCH???!!!
     
  4. DanTekGeek

    DanTekGeek Master Sergeant

  5. xerxes74

    xerxes74 Private E-2

    HijackThis won't open now. When I save it it goes to my home page but when I click on it, it doesn't open. It's a zip file; do I need something special to open that?
     
  6. DanTekGeek

    DanTekGeek Master Sergeant

    Right click on it and say extract all, then it should be able to open.
     
  7. schism

    schism Private E-2

    he may not have XP
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What OS are you running? You may need WinZip to extract files if you do not have WinXP.
     
  9. xerxes74

    xerxes74 Private E-2

    I have Windows 98, I will download WinZip. Thank you.
     
  10. xerxes74

    xerxes74 Private E-2

    Here are the results of my HijackThis. Thank you for your help.

    How can you know what to erase?

    Logfile of HijackThis v1.97.7
    Scan saved at 5:42:05 PM, on 6/1/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\SECURE.EXE
    C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\180SOLUTIONS\MSBB.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O1 - Hosts: 213.159.118.226 1-se.com
    O1 - Hosts: 213.159.118.226 58q.com
    O1 - Hosts: 213.159.118.226 aifind.cc
    O1 - Hosts: 213.159.118.226 aifind.info
    O1 - Hosts: 213.159.118.226 allneedsearch.com
    O1 - Hosts: 213.159.118.226 approvedlinks.com
    O1 - Hosts: 213.159.118.226 auto.ie.searchforge.com
    O1 - Hosts: 213.159.118.226 awebfind.biz
    O1 - Hosts: 213.159.118.226 best.royalsearch.net
    O1 - Hosts: 213.159.118.226 cracks.am
    O1 - Hosts: 213.159.118.226 default-homepage-network.com
    O1 - Hosts: 213.159.118.226 find.microgirls.com
    O1 - Hosts: 213.159.118.226 find4u.net
    O1 - Hosts: 213.159.118.226 freshvideogals.com
    O1 - Hosts: 213.159.118.226 i-lookup.com
    O1 - Hosts: 213.159.118.226 ie-search.com
    O1 - Hosts: 213.159.118.226 in.webcounter.cc
    O1 - Hosts: 213.159.118.226 itseasy.us
    O1 - Hosts: 213.159.118.226 just.find-itnow.com
    O1 - Hosts: 213.159.118.226 link.startmake.com
    O1 - Hosts: 213.159.118.226 nativehardcore.com
    O1 - Hosts: 213.159.118.226 qwertysearch123.biz
    O1 - Hosts: 213.159.118.226 search.ieplugin.com
    O1 - Hosts: 213.159.118.226 search.psn.cn
    O1 - Hosts: 213.159.118.226 searchbar.findthewebsiteyouneed.com
    O1 - Hosts: 213.159.118.226 searchcentrix.com
    O1 - Hosts: 213.159.118.226 searchmyrequest.com
    O1 - Hosts: 213.159.118.226 super-spider.com
    O1 - Hosts: 213.159.118.226 t.rack.cc
    O1 - Hosts: 213.159.118.226 teen-biz.com
    O1 - Hosts: 213.159.118.226 teenhqpics.com
    O1 - Hosts: 213.159.118.226 tits.hardcore4ever.net
    O1 - Hosts: 213.159.118.226 webcoolsearch.com
    O1 - Hosts: 213.159.118.226 wmmse.com
    O1 - Hosts: 213.159.118.226 www.008i.com
    O1 - Hosts: 213.159.118.226 www.2fastsearch.net
    O1 - Hosts: 213.159.118.226 www.8095.com
    O1 - Hosts: 213.159.118.226 www.alfa-search.com
    O1 - Hosts: 213.159.118.226 www.boredlife.com
    O1 - Hosts: 213.159.118.226 www.couldnotfind.com
    O1 - Hosts: 213.159.118.226 www.cracks.am
    O1 - Hosts: 213.159.118.226 www.daum.net
    O1 - Hosts: 213.159.118.226 www.dreamwiz.com
    O1 - Hosts: 213.159.118.226 www.find-itnow.com
    O1 - Hosts: 213.159.118.226 www.find-itnow.com
    O1 - Hosts: 213.159.118.226 www.find4u.net
    O1 - Hosts: 213.159.118.226 www.firstbookmark.com
    O1 - Hosts: 213.159.118.226 www.gajai.com
    O1 - Hosts: 213.159.118.226 www.hand-book.com
    O1 - Hosts: 213.159.118.226 www.hao123.com
    O1 - Hosts: 213.159.118.226 www.hotsearchbox.com
    O1 - Hosts: 213.159.118.226 www.hotwebsearch.com
    O1 - Hosts: 213.159.118.226 www.hugesearch.net
    O1 - Hosts: 213.159.118.226 www.iquicksearch.com
    O1 - Hosts: 213.159.118.226 www.lookfor.cc
    O1 - Hosts: 213.159.118.226 www.maxxxhosters.com
    O1 - Hosts: 213.159.118.226 www.naver.com
    O1 - Hosts: 213.159.118.226 www.nkvd.us
    O1 - Hosts: 213.159.118.226 www.nova****.com
    O1 - Hosts: 213.159.118.226 www.ohcorea.com
    O1 - Hosts: 213.159.118.226 www.omega-search.com
    O1 - Hosts: 213.159.118.226 www.onet.pl
    O1 - Hosts: 213.159.118.226 www.power-search.info
    O1 - Hosts: 213.159.118.226 www.rightfinder.net
    O1 - Hosts: 213.159.118.226 www.search-1.net
    O1 - Hosts: 213.159.118.226 www.search-and-go.com
    O1 - Hosts: 213.159.118.226 www.search-dot.com
    O1 - Hosts: 213.159.118.226 www.search-space.com
    O1 - Hosts: 213.159.118.226 www.searchforge.com
    O1 - Hosts: 213.159.118.226 www.searching-the-net.com
    O1 - Hosts: 213.159.118.226 www.searchv.com
    O1 - Hosts: 213.159.118.226 www.searchxl.com
    O1 - Hosts: 213.159.118.226 www.seznam.cz
    O1 - Hosts: 213.159.118.226 www.slotch.com
    O1 - Hosts: 213.159.118.226 www.spidersearch.com
    O1 - Hosts: 213.159.118.226 www.startium.com
    O1 - Hosts: 213.159.118.226 www.therealsearch.com
    O1 - Hosts: 213.159.118.226 www.ttjj.com
    O1 - Hosts: 213.159.118.226 www.viewpornkey.com
    O1 - Hosts: 213.159.118.226 www.wazzupnet.com
    O1 - Hosts: 213.159.118.226 www.websearch.com
    O1 - Hosts: 213.159.118.226 www.windowws.cc
    O1 - Hosts: 213.159.118.226 www.xgmm.com
    O1 - Hosts: 213.159.118.226 xwebsearch.biz
    O1 - Hosts: 213.159.118.226 yourbookmarks.ws
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {B6598677-4B54-42A9-BA67-8B64E3FCD92D} - C:\WINDOWS\SYSTEM\PSIC1.DLL
    O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {5A96012F-B3F1-11D8-B226-00C0977B8007} - C:\WINDOWS\SYSTEM\ALBM.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~2\point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Secure] c:\secure.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\PROGRAM FILES\WYVERNWORKS\FIREWALL 2004\Firewall.exe
    O4 - HKLM\..\Run: [msbb] c:\windows\180solutions\msbb.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38079.8720949074
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//man/main.chm::/load.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O19 - User stylesheet: (file missing)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  12. xerxes74

    xerxes74 Private E-2

    I did what you said and here is my updated HijackThis file. After this is fixed should I run a firewall or any other protection?

    Logfile of HijackThis v1.97.7
    Scan saved at 9:34:12 PM, on 6/2/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\SECURE.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {B6598677-4B54-42A9-BA67-8B64E3FCD92D} - C:\WINDOWS\SYSTEM\PSIC1.DLL
    O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~2\point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Secure] c:\secure.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\PROGRAM FILES\WYVERNWORKS\FIREWALL 2004\Firewall.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38079.8720949074
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//man/main.chm::/load.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O19 - User stylesheet: (file missing)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Xerxes, this new log is a little smaller now.
    Shut down all browser and Windows Explorer sessions and run HijackThis again. Have it fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {B6598677-4B54-42A9-BA67-8B64E3FCD92D} - C:\WINDOWS\SYSTEM\PSIC1.DLL
    O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdc...ad/tgctlins.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//man/main.chm::/load.exe
    O19 - User stylesheet: (file missing)


    NOTE: The win.exe item is from a Trojan. See this link: http://securityresponse.symantec.com/avcenter/venc/data/w32.elem.trojan.html
    Win98 starts with win.com not win.exe.


    After fixing the above, you need to edit your win.ini and system.ini files in your Windows directory and remove the following lines:
    Win.INI: remove "run= C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE" in the [WINDOWS] portion.
    System.INI: remove "load= C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE" in the [WINDOWS] section.

    Now reboot and delete:
    C:\windows\win.exe (probably a zero byte size file)
    C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE


    Not sure about the below items yet:
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    C:\SECURE.EXE
    O4 - HKLM\..\Run: [Secure] c:\secure.exe
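
The triage chaslang does by eye in this post (and the hosts-file redirects in the log in post 10) can be scripted on the defender's side. The Python below is an added example, not code from the thread or from HijackThis: it parses a handful of log lines copied from this thread (a constructed sample), flags the same hijacker patterns the replies point at, and cross-references the win.ini/system.ini autostart against the Run keys, which is how the same WMPLAYER.EXE shows up in both places. The function names and rules are the editor's own, not the tool's.

```python
import re
from collections import Counter

# Constructed sample: a few HijackThis lines copied from the logs in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
O1 - Hosts: 213.159.118.226 www.searchv.com
O1 - Hosts: 213.159.118.226 www.hao123.com
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//man/main.chm::/load.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")   # "R1 - ...", "O16 - ..."
INI_RE = re.compile(r"(?:run|load)=(.+)$", re.I)               # win.ini run= / system.ini load=
LOOPBACK = ("127.0.0.1", "::1")


def parse(log_text):
    """Return (section, body, raw_line) for every 'Xn - ...' entry; header lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))
    return entries


def check_entry(sec, body):
    """Per-line rules mirroring the items the thread told the user to fix; None if clean."""
    low = body.lower()
    if sec in ("R0", "R1"):
        value = low.split(" = ", 1)[1] if " = " in low else ""
        if value.startswith("res://") and ".dll" in value:
            return "IE search/home setting redirected into a DLL resource"
        if "start page" in low and re.match(r"^[a-z]:\\", value):
            return "IE start page set to a local HTML file"
    elif sec == "F1" and INI_RE.search(body):
        return "legacy win.ini/system.ini run=/load= autostart"
    elif sec == "O1":
        parts = body.split()  # "Hosts:", ip, hostname
        if len(parts) >= 3 and parts[1] not in LOOPBACK:
            return f"hosts file sends {parts[2]} to {parts[1]}"
    elif sec == "O2" and ("(no file)" in low or "(file missing)" in low):
        return "BHO registered with no backing file"
    elif sec == "O16":
        target = low.rsplit(" - ", 1)[-1]
        if not target.startswith(("http://", "https://")) and target.endswith(".exe"):
            return "Download Program File entry loads a local executable"
    return None


def ini_autostart_targets(entries):
    """Executables launched from win.ini/system.ini, lower-cased for comparison."""
    return {INI_RE.search(b).group(1).strip().lower()
            for s, b, _ in entries if s == "F1" and INI_RE.search(b)}


def triage(log_text):
    """Return [(section, reason, raw_line)] for every entry worth fixing."""
    entries = parse(log_text)
    findings = [(s, r, raw) for s, b, raw in entries if (r := check_entry(s, b))]
    # Cross-check: a Run key launching the same file as the ini autostart is one
    # program holding two persistence points, so both must be removed together.
    targets = ini_autostart_targets(entries)
    for s, b, raw in entries:
        m = re.search(r"\]\s*(.+)$", b) if s == "O4" else None
        if m and m.group(1).strip().lower() in targets:
            findings.append((s, "Run key duplicates an ini autostart", raw))
    return findings


def hosts_redirect_summary(entries):
    """Hostnames hijacked per non-loopback IP; one IP owning dozens of names is a redirector."""
    ips = [b.split()[1] for s, b, _ in entries if s == "O1" and len(b.split()) > 2]
    return dict(Counter(ip for ip in ips if ip not in LOOPBACK))


if __name__ == "__main__":
    for sec, reason, raw in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {raw}")
    print(hosts_redirect_summary(parse(SAMPLE_LOG)))
```

Run against the full log from post 10, the hosts summary reports one IP owning every O1 line, which is the quickest signal that the hosts file was rewritten wholesale rather than edited by the user.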
     
  14. xerxes74

    xerxes74 Private E-2

    I deleted all the things on the log. Now I have another dumb question: where would my Windows directory be?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right where it shows in your HijackThis log: c:\windows


    How are things running now? It may be useful to post another HijackThis log to make sure we got everything.
     
  16. xerxes74

    xerxes74 Private E-2

    I am still getting the "you are visiting pedo sites" and "your life is in danger" message on my home page, but I did not correct those links yet. I will do that and run HijackThis again. Thanks
     
  17. xerxes74

    xerxes74 Private E-2

    I deleted the lines from the win.ini and system.ini files and then I did reboot. I deleted the file win.exe but there was no system\services\wmplayer.exe file in the Windows directory. Now when I click on Internet Explorer it says cannot find file///c:windowsgeo.html make sure the path or internet address is correct, but when I hit okay Internet Explorer comes up with no pedo site. So that is much better. I ran a new HijackThis log. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:43:10 PM, on 6/4/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\SECURE.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GAIPM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GAIPM.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GAIPM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {B6598677-4B54-42A9-BA67-8B64E3FCD92D} - C:\WINDOWS\SYSTEM\PSIC1.DLL (file missing)
    O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~2\point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Secure] c:\secure.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\PROGRAM FILES\WYVERNWORKS\FIREWALL 2004\Firewall.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38079.8720949074
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//man/main.chm::/load.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Xerxes,

    It does not look like you removed the stuff I indicated before using HijackThis. Also, it looks like you have removed Spybot S&D. Why? The log file still shows all the items I gave you last time (although some names have changed). You need to shut everything down and run HijackThis again and then select the below items and have HijackThis fix them:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GAIPM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GAIPM.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GAIPM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ALBM.DLL/sp.html (obfuscated)
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {B6598677-4B54-42A9-BA67-8B64E3FCD92D} - C:\WINDOWS\SYSTEM\PSIC1.DLL (file missing)
    O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdc...ad/tgctlins.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//man/main.chm::/load.exe
    Now also look in your C:\windows directory for a file named geo.html.
    You may have to enable viewing of all file and extension types,
    including hidden files. If you don't find it this way, do a file
    search on your PC. When and if you find it, delete it.
    Now right click on your Internet Explorer desktop icon, select Properties
    and reset your home page to something you want to use as a home page.
    Something good like www.majorgeeks.com ;)
     
  19. xerxes74

    xerxes74 Private E-2

    I had deleted the files, at least I thought I did. I deleted what you said again. I couldn't find the geo file. I didn't think I removed SpyBot either. I will run that and Ad-aware again. Thanks :cool:
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you run Hijaak This again, does the stuff in my previous post show again?
    Did you try doing a File Search for geo.html?

    Make sure you update your Ad-aware. There have been a bunch of changes recently.
     
  21. xerxes74

    xerxes74 Private E-2

    I checked for updates on Norton, SpyBot and Ad-aware before I ran them yesterday. The geo file must be gone; my home page keeps getting changed from majorgeeks.com :) to C:\windows\geo.html, so when I try to open Internet Explorer it says the file cannot be found. I hit OK and Internet Explorer comes up with a blank page, which is much better than what was coming up before. This is my new log. It looks like things keep coming back.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:42:55 PM, on 6/6/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\SECURE.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SERVICES\DIEWALE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {1496FDD9-B717-11D8-B226-00C0A8154988} - C:\WINDOWS\SYSTEM\CMIPI.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~2\point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Secure] c:\secure.exe
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\PROGRAM FILES\WYVERNWORKS\FIREWALL 2004\Firewall.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38079.8720949074
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
     
  22. millwall

    millwall Private E-2

    For some time I've wanted to get Freeserve off my IE6, and that tool did it :)
     
  23. xerxes74

    xerxes74 Private E-2

    I wasn't sure what tool you are talking about. Is it HijackThis? Thanks
     
  24. millwall

    millwall Private E-2

    Yes, I ran the tool and just clicked on anything to do with Freeserve and deleted it, and it seems to have worked :)

    >>>>> ( http://majorgeeks.com/download.php?det=3155 ) <<<<<
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are still a load of problems in your log. You MUST shut down all applications especially Internet Explorer or any other browser and Windows Explorer sessions before running Ad-aware, SpyBot S&D, HijaakThis, and CWShredder. Make sure your Ad-aware reference file is Ad-aware referencefile 01R315 06.06.2004.
    I want you to now download the newest CWShredder from here: http://www.majorgeeks.com/download4086.html

    Go to this link and print or save the instructions for booting in safe mode on your Win98 OS: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Then shut down all applications as I said above and do not connect to the Internet again during any of the following steps. Now run CWShredder and let it fix anything it finds. Now run Ad-aware again and SpyBot S&D and let them clean what they find.

    Hit CTRL-ALT-DEL and shut down wmplayer.exe if you see it running.
    Run HijaakThis again and fix the following again:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE


    Boot in safe mode:

    Delete this directory and all files that are in it: C:\WINDOWS\SYSTEM\SERVICES
    (*** NOTE: DO NOT DELETE C:\WINDOWS\SYSTEM ***)

    Now using notepad or any other editor, I want you to edit c:\windows\win.ini and c:\windows\system.ini (you should back them up first to be safe). Here is what to look for:

    In win.ini delete the following if found (normally in the [WINDOWS] section):

    run= C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE

    In system.ini do the same in the [WINDOWS] section for:

    load= C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE

    Now reboot in normal mode, and let's see where we are. Another HijaakThis log should be posted. (DO NOT RUN ANYTHING BEFORE HIJAAK THIS! Yes, I am shouting!)
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Xerxes,

    I left out two more steps I wanted you to do in my previous message. Right after the step where I have you go to a Symantec link to learn how to boot in safe mode on Win98, go here:
    http://www.pestpatrol.com/Support/HowTo/How_To_Clear_a_Hijack.asp

    and under the Search Hijacks section see the info on "Reset Web Settings" so you know how to do this. But do not do it yet.

    Then after doing the HijaakThis fixes and just before I told you to boot in safe mode, do the Reset Web Settings but do this by right clicking on your desktop Internet Explorer icon and selecting properties and then the Programs tab (that way you do not connect to the internet).
     
  27. xerxes74

    xerxes74 Private E-2

    I did everything you said. The only thing odd was in win.ini there was no run=C:WINDOWS\SYSTEM\SERVICE\WMPLAYWE.EXE, only one that said norun=C:WINDOWS\SYSTEM\SERVICE\WMPLAYWE.EXE and one below it that said run= . I did not delete either of those. Here is my new log. My web page still went back to the old geo page. I did not tell you, and I don't know if it makes a difference, but I have cable internet, so I don't know if that means I am always connected even if Internet Explorer is not up. So I don't know if that messes up what you told me to do.
    Logfile of HijackThis v1.97.7
    Scan saved at 7:35:52 PM, on 6/10/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\SECURE.EXE
    C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~2\point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Secure] c:\secure.exe
    O4 - HKLM\..\Run: [Qwik-Fix] "C:\Program Files\PivX Qwik-Fix\QwikFix.exe" splash
    O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\PROGRAM FILES\WYVERNWORKS\FIREWALL 2004\Firewall.exe
    O4 - HKLM\..\Run: [Remndr] "C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38079.8720949074
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, from your last log it does look like the CMIPI.DLL problem and the WMPLAYER.EXE (not WMPLAYERWE.EXE) are gone. I would just put a semicolon at the beginning of those two lines in your win.ini file. That comments them out.

    Can you try a file search for geo.html, but let's do it in only the c:\windows directory and let's use a wildcard match. To do this click Start, Find, Files or Folders. Now a new window comes up. Use the Browse button and navigate to your c:\windows directory and click OK. The window should now show c:\windows in the Look in: box. Now in the Named: box enter exactly what I show between the following quotes (without the quotes): "*.htm*" Then click Find Now. In the list that shows up see if there is a geo.html. If so, right click on it and select Delete.

    There is something else in your HijaakThis log we should fix:
    O4 - HKLM\..\Run: [Remndr] "C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE"

    And then you need to boot in safe mode and delete the following directory:

    C:\PROGRAM FILES\CASINOONLINE

    Now reboot in normal mode.

    I'm still wondering (like I said much earlier) what are these lines for:
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    C:\SECURE.EXE
    O4 - HKLM\..\Run: [Secure] c:\secure.exe

    Is secure.exe some kind of browser?

    Also, do you know what Qwik-Fix is?
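Added example, not part of this thread and not HijackThis or chaslang's own tooling: a Python script that applies the checks from posts #25 and #28 (IE start/search pages redirected to a local file or a res:// page inside a DLL, F1 run= lines, O4 autostarts from SYSTEM\SERVICES or the drive root) to constructed HijackThis-format lines, and comments out win.ini/system.ini run=/load= lines with ';' as suggested above. The sample lines, the win.ini fragment and every function name are assumptions of this example.

```python
"""Added example (not from this thread or from HijackThis): flag the indicators
chaslang points out in a HijackThis log, and comment out win.ini/system.ini
run=/load= lines with ';' as he suggests. All sample input is constructed."""
import re

# Constructed sample in the HijackThis v1.97 format, using values from this thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\geo.html",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\CMIPI.DLL/sp.html (obfuscated)",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444",
    r"F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE",
    r"O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE",
    r"O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET",
    r"O4 - HKLM\..\Run: [Secure] c:\secure.exe",
]
# Constructed win.ini fragment like the one xerxes74 describes: "norun=" and an
# empty "run=" are not autostarts and must be left alone.
SAMPLE_WIN_INI = "[windows]\n" + "\n".join([
    r"norun=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE", "run=",
    r"run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE", "load="])

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
ROOT_EXE_RE = re.compile(r"[a-z]:\\[^\\]+\.exe")      # e.g. c:\secure.exe
INI_AUTOSTART_RE = re.compile(r"^\s*(run|load)\s*=\s*(\S.*)$", re.IGNORECASE)

def parse_hjt(lines):
    """Split HijackThis lines into (section, body) pairs; non-entries are skipped."""
    found = [ENTRY_RE.match(line.strip()) for line in lines]
    return [(m.group("sec"), m.group("body")) for m in found if m]

def _reason(sec, body):
    """Why an entry matches this thread's indicators, or None if it does not."""
    b = body.lower()
    if sec in ("R0", "R1") and ("start page" in b or "search" in b):
        # IE start/search page redirected to a local file or a res:// page in a DLL
        value = b.split("=", 1)[-1].strip()
        if value.startswith("res://") or value.startswith("c:\\"):
            return "IE page setting points at a local file or a DLL resource"
    if sec == "F1" and re.search(r"\b(run|load)=\S", b):
        return "win.ini/system.ini run=/load= autostart"
    if sec == "O4":
        path = b.split("]", 1)[-1].strip().strip('"')
        if "\\system\\services\\" in path or ROOT_EXE_RE.fullmatch(path):
            return "autostart from SYSTEM\\SERVICES or the drive root"
    return None

def flag_entries(lines):
    """Return [(section, body, reason)] for every entry worth a second look."""
    pairs = parse_hjt(lines)
    return [(s, b, r) for s, b in pairs for r in [_reason(s, b)] if r]

def comment_out_autostart(ini_text, target):
    """Prefix run=/load= lines whose value mentions `target` with ';' (the .ini
    comment marker) instead of deleting them, leaving every other line intact."""
    fixed = []
    for line in ini_text.splitlines():
        m = INI_AUTOSTART_RE.match(line)
        fixed.append(";" + line if m and target.lower() in m.group(2).lower() else line)
    return "\n".join(fixed)

if __name__ == "__main__":
    for sec, body, reason in flag_entries(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {body}")
    print(comment_out_autostart(SAMPLE_WIN_INI, "WMPLAYER.EXE"))
```

Running the script on the sample prints the five flagged entries (the AdSubtract proxy and the Norton autostart are left alone) and the win.ini fragment with only the real run=...WMPLAYER.EXE line commented out.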
     
  29. xerxes74

    xerxes74 Private E-2

    I am not sure what those two lines are either; I could just delete them. I have Qwik-Fix on my computer. :cool:
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For now, why not just try renaming those two .EXE files to .OLD. Run your PC that way for a while and see if you run into any problems with any applications not running.

    Okay, you have Qwik-Fix, but please tell me what it is for my future reference.
     
  31. xerxes74

    xerxes74 Private E-2

    The Qwik-Fix I have just says it is enabled to check for any virus in the background.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't you have Norton AV to check for virus problems?

    Did you try renaming those EXE's?
     
  33. xerxes74

    xerxes74 Private E-2

    Sorry I have not been able to get to my computer for a while. I did rename those files. I do have Norton. I did all the steps you told me to again just because it had been a while, and here is my new HijackThis post. Every time I delete the first entry it comes back, and my home page keeps getting reset to window\geo.html. If it wasn't for that my computer would be running great.
     
  34. xerxes74

    xerxes74 Private E-2

    Sorry I have not been able to get to my computer in awhile. I did rename those files, and I do have Norton. I keep deleting the first entry on my log and it keeps coming back. My home page keeps getting reset to windows\geo.html. Other than that my computer is running well.
     
  35. crazymindy

    crazymindy Private E-2

    I too have the geo.html. I have reset settings, reinstalled Win98, deleted the file itself, installed my backup files, uninstalled and reinstalled IE 5 & 6. There is something in one of my INI files that must be installing this HTML back onto my computer. I have run SpyBot and Ad-aware. I have run virus scanners such as Norton, System Suite, McAfee and others. I have even been to the web page that the HTML is trying to get me to go to and have spoken with the people there. Of course they say they don't know !$%^. I am deleting my computer and starting over. Surely this will work!
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    xerxes and crazymindy,

    Search your PCs for a file called secure.exe
    Typically it has been found in the root directory. That is, you may have c:\secure.exe

    You may have to enable viewing of hidden files first. Here's how: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    If you find that file in the root directory, try renaming it to secure.bad. If it is already running you probably will not be able to rename. Check Task Manager (CTRL-ALT-DEL) to see if you can find it running and kill it. Then rename if still necessary. Then set your home page back to what you want and reboot.

    See if this helps.
     
  37. xerxes74

    xerxes74 Private E-2

    That worked for me. THANK YOU SO MUCH!!!!!!!!!!!!!!!!!!!!!!!!
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    COOL! Better late than never! Where have you been? And you're welcome!
     
  39. ANHEDONIC

    ANHEDONIC Will Title For Food

    lol! good work again, chaslang!
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks MiDGet! Where are you now...in NJ or MD?
     
  41. ANHEDONIC

    ANHEDONIC Will Title For Food

    I'm in New Brunswick, NJ now @ school... i got family in MD so i'm frequently traveling back and forth... just got an apartment w/ 2 friends in Fair Lawn... can't wait to move back up to Bergen County, love it there
     
  42. ANHEDONIC

    ANHEDONIC Will Title For Food

    blastid double post!
     
