Post #1 (Discussion Starter, Registered, 65 Posts)
Hi all!

Ok. I've got IE 6 running on Windows 98 and some B.S. site has totally hijacked my start page. Whatever I set my start page to be, as soon as I turn the PC off and on again this same .cc country domain search site is back. Grrr! :mad: I downloaded HijackThis and checked items 1 through 8 and item 11, but still the .cc crud site comes back after start up. Please see my HijackThis log below.

Any help anyone can offer with getting rid of this annoyingly persistent hijacker would be gratefully appreciated!

Logfile of HijackThis v1.97.7
Scan saved at 12:11:30, on 15.4.2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\MAPIICON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
D:\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\OHJELMATIEDOSTOT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Ohjelmatiedostot\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Ohjelmatiedostot\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Ohjelmatiedostot\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Ohjelmatiedostot\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [ADSL_A2] C:\WINDOWS\System\MapiIcon.exe
O4 - HKLM\..\Run: [RealTray] C:\Ohjelmatiedostot\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "D:\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "D:\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] D:\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - Startup: Microsoft Office -pikavalintapalkki.Lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Officen käynnistys.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA.EXE
O4 - Startup: PrecisionTime.lnk = C:\Ohjelmatiedostot\Mediasoitin\mplayer2.exe
O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38072.2507407407
 

Reply (Administrator, Karen, 124,719 Posts)
I don't know if this is a variant of a CoolWebSearch or not but it wouldn't hurt to run the CWShredder program and see if that helps.

Download CWShredder

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

Then restart your computer and post another log.

IMPORTANT! To help prevent this from happening again, you should install all the security patches and critical updates.

Cookie
 

Post #6 (Discussion Starter, Registered, 65 Posts)
Here are the latest results from HijackThis...

I now permanently have the start page I want in IE, except for one tiny lingering problem... when I open IE for the first time after the computer has been restarted/switched on, I get a little advert(?) screen that comes up for only a few seconds. The screen is in nasty pink colours and it says "Web Trap 2002" or something like that, with a bunch of what look to me like Chinese characters below it. As I say, that seems to be the only lingering annoyance. Odd, huh? Btw, Spybot - Search & Destroy didn't help with getting rid of that. :confused:

Logfile of HijackThis v1.97.7
Scan saved at 19:41:25, on 15.4.2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\OHJELMATIEDOSTOT\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\MAPIICON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
D:\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
D:\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\OHJELMATIEDOSTOT\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\OHJELMATIEDOSTOT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Ohjelmatiedostot\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Ohjelmatiedostot\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Ohjelmatiedostot\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Ohjelmatiedostot\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [ADSL_A2] C:\WINDOWS\System\MapiIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "D:\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "D:\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "D:\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] D:\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - Startup: Microsoft Office -pikavalintapalkki.Lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Officen käynnistys.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38072.2507407407
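
As an added example (not part of the thread, and not HijackThis's or CWShredder's own code), here is a small Python script that reads the R0/R1 and O4 lines of the two logs posted above (the hijacked log in post #1 and the clean log in this post), flags the browser settings that point at a host other than the page the user actually wants, flags any Run/RunServices entry that silently re-imports a .reg file at logon, and diffs the two logs to show what the fix removed. The log excerpts embedded below are constructed subsets of the posted logs, the allowlisted host `www.soneraplaza.fi` is taken from the clean log, and treating the `[sys] regedit -s sys.reg` entry as the reason the start page kept reverting after every restart is my reading of the two logs, not something the thread states.

```python
import re
from urllib.parse import urlparse

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the hijacked state (post #1) and the cleaned state (post #6).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dtmuge.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dtmuge.t.muxa.cc/h.php?aid=586 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: PrecisionTime.lnk = C:\Ohjelmatiedostot\Mediasoitin\mplayer2.exe
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Host(s) the user's browser settings are expected to point at (constructed
# allowlist, taken from the clean log in post #6).
EXPECTED_HOSTS = frozenset({"www.soneraplaza.fi"})

# "R1 - <body>" / "O4 - <body>": the HijackThis item type and the rest of the line.
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# R0/R1 body: "<hive>\<key path>,<value name> = <value>"
R_ENTRY = re.compile(r"^(?P<key>HK\w+\\[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
# O4 registry autostart body: "HKLM\..\Run: [<name>] <command>"
O4_ENTRY = re.compile(
    r"^(?P<key>HK\w+\\\.\.\\(?:RunServices|RunOnce|Run)):\s*\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$"
)
# regedit run with the silent-import switch (/s or -s): re-applies a .reg file at every logon.
SILENT_REGEDIT = re.compile(r"\bregedit(?:\.exe)?\b.*\s[-/]s\b")


def parse_log(text):
    """Return the (kind, body) pairs of every HijackThis item line in the log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def find_hijack_indicators(text, expected_hosts=EXPECTED_HOSTS):
    """Return (kind, name, reason) for each entry that looks like part of a hijack."""
    findings = []
    for kind, body in parse_log(text):
        if kind in ("R0", "R1"):
            m = R_ENTRY.match(body)
            if not m:
                continue
            value = m.group("value").strip()
            obfuscated = value.endswith("(obfuscated)")
            if obfuscated:
                value = value[: -len("(obfuscated)")].strip()
            host = urlparse(value).hostname or ""  # non-URL values (e.g. "Linkit") give no host
            if host and host not in expected_hosts:
                reason = f"points to unexpected host {host}"
                if obfuscated:
                    reason += " (value was obfuscated)"
                findings.append((kind, m.group("name").strip(), reason))
        elif kind == "O4":
            m = O4_ENTRY.match(body)
            if m and SILENT_REGEDIT.search(m.group("command").lower()):
                findings.append((kind, m.group("name"),
                                 f"silent registry import at logon: {m.group('command')}"))
    return findings


def diff_logs(before, after):
    """Return (removed, added): item lines present only before / only after the fix."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for kind, name, reason in find_hijack_indicators(LOG_BEFORE):
        print(f"{kind} [{name}]: {reason}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} entries removed, {len(added)} added after the fix")
```

Run against the first log, the script reports the three R0/R1 settings pointing at `dtmuge.t.muxa.cc` plus the `[sys]` Run entry; against the second log it reports nothing, and the diff shows that entry among the lines that disappeared. The point for anyone reading such a log: fixing only the R0/R1 lines is not enough when an O4 item re-imports the same values at boot, which is why resetting the start page by hand did not hold.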
 

Reply (Registered, 46,465 Posts)
Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Restart your computer.
 

Post #10 (Discussion Starter, Registered, 65 Posts)
Did as instructed, flrman1. Thanks for that. :)

Seems the nasty pink screen I mentioned in my last post is actually the virus protection on this PC. D:\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE :eek:

So, the computer's fixed and purring like a kitten. Thanks to all who offered help. To those people (and you know who you are) the drinks are on me! :cool:
 

Reply (Registered, 46,465 Posts)
Glad we could help! :)

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 