Message from an insomniac.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by robousy, Oct 7, 2004.

  1. robousy

    robousy Private E-2

    Hello,

    I am having some really irritating problems and have been having them since about last Friday.

    I read your READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.


    I went through all the steps (boot in safe mode...run this, run that...)

    It got rid of some problems, but I still have something frustrating that keeps trying to change my homepage to 195.225.176.5

    I have run the HijackThis program and this number appears several times - but it will not delete when I try to delete it.



    If anyone can help I'd project happiness and compassion your way.
    :)

    Thanks

    Rich
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run HijackThis from the Desktop, a temp folder, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. robousy

    robousy Private E-2

    Hi,

    Thanks for your patience.
    I have attached the log.

    Thanks!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to Add/Remove programs and uninstall P2P Networking

    Make sure you have viewing of hidden files enabled.

    Please run HijackThis and click on the "Config" button in the bottom-right hand corner. Then click on "Misc tools" on the top, and then "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINNT\monitor.exe
    C:\ploint.exe
    C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    C:\winln.exe

    After killing all the above processes, click "Back".


    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.5/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.5/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.5/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.5/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://195.225.176.5/ie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
    O4 - HKLM\..\Run: [mswspl] C:\ploint.exe
    O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighterScanner.exe" monitor
    O4 - HKCU\..\Run: [winltmpv] c:\winln.exe
    O4 - HKCU\..\Run: [monitor] monitor.exe
    O13 - DefaultPrefix: http://195.225.176.5/pre.pl?
    O13 - WWW Prefix: http://195.225.176.5/pre.pl?
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02a7ca2a5898b3175803/netzip/RdxIE601.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab


    Boot in safe mode and use Windows Explorer to delete:
    C:\WINNT\monitor.exe
    C:\ploint.exe
    C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    C:\winln.exe

    Now boot in normal mode and post a new HJT log and tell me how things went and how everything is working.
     
    Last edited: Oct 8, 2004
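    As an added illustration (not part of the thread, and not a HijackThis feature), the log entries chaslang picked out above follow a few patterns a defender can check for mechanically: IE start/search settings pointing at the hijacker host or at a local HTML file, a system.ini Shell= line with something besides Explorer.exe, and Run entries whose target has no folder or sits in the drive root or Windows folder. The sample log below is constructed from lines in this thread plus one made-up benign "Example" entry as a control.

```python
import re

# Constructed sample: HijackThis lines copied from the thread above, plus one benign
# Run entry ("Example", made up here) as a control. The host is the one the thread names.
HIJACKER_HOST = "195.225.176.5"
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://195.225.176.5/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,(Default) = C:\\WINNT\\_s.html
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O4 - HKLM\\..\\Run: [mswspl] C:\\ploint.exe
O4 - HKCU\\..\\Run: [monitor] monitor.exe
O13 - DefaultPrefix: http://195.225.176.5/pre.pl?
O4 - HKLM\\..\\Run: [Example] C:\\Program Files\\Example\\example.exe
"""

def suspicious_reasons(line):
    """Return the reasons a single HJT log line matches the hijack seen in this thread."""
    reasons = []
    sec, _, body = line.partition(" - ")   # e.g. "O4", "HKLM\..\Run: [mswspl] C:\ploint.exe"
    if HIJACKER_HOST in body:
        reasons.append("references hijacker host " + HIJACKER_HOST)
    # R0/R1: IE start/search settings pointed at a local HTML file instead of a site
    if sec in ("R0", "R1") and re.search(r"= [a-z]:\\.*\.html?$", body, re.I):
        reasons.append("search/start page redirected to a local HTML file")
    # F2: system.ini Shell= should be Explorer.exe alone; anything else runs at logon
    if sec == "F2" and "Shell=" in body:
        extra = [p for p in body.split("Shell=", 1)[1].split() if p.lower() != "explorer.exe"]
        if extra:
            reasons.append("extra shell program(s): " + ", ".join(extra))
    # O4: autorun targets with no folder, in the drive root, or in the Windows folder
    if sec == "O4" and "] " in body:
        target = body.split("] ", 1)[1]
        target = target[1:].split('"', 1)[0] if target.startswith('"') else target
        folder = target.rsplit("\\", 1)[0].lower() if "\\" in target else ""
        if folder == "" or re.fullmatch(r"[a-z]:", folder) or folder.endswith(("\\winnt", "\\windows")):
            reasons.append("autorun target outside a program folder: " + target)
    return reasons

def scan_log(text):
    """Map each flagged log line to its list of reasons; clean lines are omitted."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = suspicious_reasons(line)
            if reasons:
                findings[line] = reasons
    return findings
```

    Running scan_log(SAMPLE_LOG) flags six of the seven sample lines and leaves the "Example" control entry alone; the rules are heuristics for triage, and anything they flag still needs a look before it is fixed.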
  5. robousy

    robousy Private E-2

    Hi,

    Thanks for your quick reply!!
    You are awesome.

    After doing everything you told me here is the new scan.
    I can still see the evil number.

    Rich
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you fix the SpyFighter line last time? Or did you keep it on purpose? I don't believe it to be a good application, but if you know otherwise, please tell me. If you are sure it is a valid good application then just ignore the SpyFighter lines below and tell me. I have included it again for deletion.

    You may want to check Add/Remove programs first to see if SpyFighter has an uninstall.

    Run HijackThis and click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
    O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighterScanner.exe" monitor

    Boot in safe mode and use Windows Explorer to delete:
    C:\Program Files\SpyFighter <--- the whole directory

    Reset Web Settings by clicking Start, Control Panel (for some systems it may be Start, Settings, Control Panel) and select Internet Options. Then click Programs and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now boot in normal mode and post a new HJT log and tell me how things went and how everything is working.
     
  7. robousy

    robousy Private E-2

    Hi Chaslang,

    I'm out of town for the W/E but will be back at my PC on Monday so will try things then and get back to you.

    Thanks so much for your help! It's really appreciated.

    Rich
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me know when you're done. By Monday your message is going to be many pages back.
     
