my hijackthis log. my homepage repeating itself [CLOSED]

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide. Want to reply to a topic, start a new one, or remove the advertising? Join today (always free).

> Geeks to Go! » Security » Malware Removal - HijackThis™ Logs Go Here

my hijackthis log. my homepage repeating itself [CLOSED], ive no idea of pc talk so i cant explain it...

Options

warrenschofield View Member Profile	Jul 7 2008, 10:26 AM Post #1
Member Posts: 11 OS: windows xp	New Member * Posts: 3 OS: windows xp ok...first off. this forum has so many different sections i have no idea if this is in the right one or if this topic is already on here...but i very much doubt that it is. also i have limited time since my homepage will pop up any second over this while im typing. ok...heres the problem. example.... im typing on here now.... all of a sudden my homepage GOOGLE will POP UP over the top....if i leave it...it will pop up again and again...opening MULTIPLE pages...ALL THE SAME. THIS HAPPENS ON BOTH FIREFOX AND I.E it doesnt happen every day....its random...could leave it a week and it starts again.... or i can restart and its ok.... then the next day it starts again. i went on the mozilla forum and nobody had a clue what i was talking about. i have searched the net to find anyone who has this problem aswell.....ive found NOBODY. i have a packard bell laptop. windows xp. i use AVG,i have spybot, index.dat analyzer. i save NO COOKIES,NO HISTORY.i use window washer .. so this is not a spyware problem at all.... surely somebody on here can help me cos i have no idea why this happens... it just happened now while i was typing here.... google.co.uk poped up right over this..... if id of left it it would of repeated itself. example.....if i was to go away from my pc for say 10 minutes i would come back to DOZENS of repeated open windows. IF ANYONE CAN HELP I WOULD SURELY APPRECIATE IT.... help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! upset.gif upset.gif upset.gif upset.gif upset.gif upset.gif upset.gif upset.gif upset.gif upset.gif i have since downloaded the following. superantispyware free edition. malwarebytes anti malware and yet it still happens. i have posted on several forums and not one person has any idea what is causing this to happen. please if you can help or even let me know if you are having this problem aswell.. everyone ive contacted cant work it out at all.

warrenschofield View Member Profile	Jul 8 2008, 06:33 AM Post #2
Member Posts: 11 OS: windows xp	how come this post was deleted? how am i supposed to know the name of this problem?if i knew that i would not be on here asking for help.

andrewuk View Member Profile	Jul 8 2008, 07:55 AM Post #3
Trusted Helper Posts: 2,905 From: London, UK OS: XP	Hi warrenschofield welcome to geekstogo before we get started.................. QUOTE how come this post was deleted? how am i supposed to know the name of this problem?if i knew that i would not be on here asking for help. as much to you as to anyone else who posts here. firstly, dont reply to your own post, the way we know that a post has not been picked up by another staff member is that there are zero replies to it. secondly, start your post with a hijackthis log as instructed here......i appreciate in your case windows are opening, so one way is to do the post in a notepad and then copy and paste it in and now....... Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. you may need to post the logs over 2 replies to ensure all the information is posted. andrewuk

warrenschofield View Member Profile	Jul 8 2008, 09:13 AM Post #5
Member Posts: 11 OS: windows xp	i have no idea what this lot means.all im concerned about is stopping my homepage from appearing full screen randomly when im online. please help. then delete my log as soon as possible cos that looks like a lot of pc info to just post on the net.ive no idea what stuff can be extracted from it,passwords etc .... but anyway. thanks for the tip..i ran that hijackthis programme but ive no idea what it did...

andrewuk View Member Profile	Jul 8 2008, 09:38 AM Post #6
Trusted Helper Posts: 2,905 From: London, UK OS: XP	i have merged your two posts, from here on in always reply to this thread. QUOTE i have no idea what this lot means. all im concerned about is stopping my homepage from appearing full screen randomly when im online. it is a scan of your machine showing me what programs are running, files created, registry entries etc. i need to see this to find the malware on your machine. QUOTE .........cos that looks like a lot of pc info to just post on the net.ive no idea what stuff can be extracted from it,passwords etc there is nothing confidential there.....you can read through it yourself, there are no passwords, email addresses etc QUOTE i ran that hijackthis programme but ive no idea what it did hijackthis and DSS are scanning tools, they do not fix anything on their own. ok, when i get home in a couple of hours i will sit down and analyse the log and come back with further instructions. andrewuk

warrenschofield View Member Profile	Jul 8 2008, 11:24 AM Post #7
Member Posts: 11 OS: windows xp	ok thanks... if you can figure it out your a superstar! cheers.

andrewuk View Member Profile	Jul 8 2008, 12:47 PM Post #8
Trusted Helper Posts: 2,905 From: London, UK OS: XP	in this post we will scan for an infection you may have had in the past but which may still have remnants present. ====STEP 1==== Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. ====STEP 2==== Please download SmitfraudFix (by S!Ri) to your Desktop. Double-click SmitfraudFix.exe Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm In your next reply could i see: 1. the smitfraudfix report The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts**. andrewuk

warrenschofield View Member Profile	Jul 8 2008, 01:49 PM Post #9
Member Posts: 11 OS: windows xp	SmitFraudFix v2.329 Scan done at 20:46:19.90, Tue 07/08/2008 Run from C:\Documents and Settings\warren schofield\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe c:\APPS\HIDSERVICE\HIDSERVICE.exe C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Washer\WasherSvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe c:\APPS\Powercinema\Kernel\TV\CLSched.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\drivers\RMC.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\ALCMTR.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Apps\Powercinema\PCMService.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Labtec\moffice.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Lexmark 3400 Series\ezprint.exe C:\Program Files\Labtec\MOUSE32A.DAT C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\SweetIM\Messenger\SweetIM.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\lxcycoms.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ C:\term.bat FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\warren schofield »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\warren schofield\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\WARREN~1\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components »»»»»»»»»»»»»»»»»»»»»»»» IEDFix !!!Attention, following keys are not inevitably infected!!! IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» VACFix !!!Attention, following keys are not inevitably infected!!! VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» 404Fix !!!Attention, following keys are not inevitably infected!!! 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="avgrsstx.dll" "LoadAppInit_DLLs"=dword:00000001 »»»»»»»»»»»»»»»»»»»»»»»» Winlogon !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.exe," "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Rustock »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: ULi PCI Fast Ethernet Controller - Packet Scheduler Miniport DNS Server Search Order: 194.168.4.100 DNS Server Search Order: 194.168.8.100 HKLM\SYSTEM\CCS\Services\Tcpip\..\{5FC58199-4E92-499C-B28E-CF6EF51677C7}: DhcpNameServer=194.168.4.100 194.168.8.100 HKLM\SYSTEM\CS1\Services\Tcpip\..\{5FC58199-4E92-499C-B28E-CF6EF51677C7}: DhcpNameServer=194.168.4.100 194.168.8.100 HKLM\SYSTEM\CS3\Services\Tcpip\..\{5FC58199-4E92-499C-B28E-CF6EF51677C7}: DhcpNameServer=194.168.4.100 194.168.8.100 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

warrenschofield View Member Profile	Jul 8 2008, 01:54 PM Post #10
Member Posts: 11 OS: windows xp	ok.. theres the smitfraudfix info after id run that atf cleaner. hope you can help. as youl see ive now run. spybot,avg,smitfraudfix,anti-malware,superantspyware,windowwasher,index.dat analyzer.,hijackthis. and proberbly others ive forgotten.... in the past few hours the repeating homepage has not happened....but im expecting it. ok... cheers for all the help. much appreciated. thanks.

andrewuk View Member Profile	Jul 8 2008, 03:26 PM Post #11
Trusted Helper Posts: 2,905 From: London, UK OS: XP	in this post we will get rid of the final remnants of the smitfraud and do a couple of scans the scans will likely take 3 hours, quite possibly much longer. so just let them run. ====STEP 1==== You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, double-click on SmitfraudFix.exe Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt Warning : running option #2 on a non infected computer will remove your Desktop background. ====STEP 2==== if you have not downloaded hijackthis then follow these instructions: Click here to download HJTInstall.exe Save HJTInstall.exe to your desktop. Doubleclick on the HJTInstall.exe icon on your desktop. By default it will install to C:\Program Files\Trend Micro\HijackThis . Click on Install. It will create a HijackThis icon on the desktop. ====STEP 3==== Please re-open HiJackThis (double click on the desktop icon) and scan. Check the boxes next to all the entries listed below. O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. ====STEP 4==== Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator") Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE [kill explorer] C:\WINDOWS\Alcmtr.exe C:\WINDOWS\ORUN32.EXE C:\WINDOWS\system32\CMMGR32.EXE EmptyTemp purity [start explorer] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTMoveIt2 If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. ====STEP 5==== Please do an online scan with Kaspersky WebScanner Click on Accept You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. In your next reply could i see: 1. the smitfraudfix log 2. the OTMoveIT log 3. the kaspersky log 4. a new hijackthis log (run the program and click Do a system scan and save a logfile) The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts. andrewuk

andrewuk View Member Profile	Jul 12 2008, 05:10 PM Post #12
Trusted Helper Posts: 2,905 From: London, UK OS: XP	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · Malware Removal - HijackThis™ Logs Go Here · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members: