Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

homepage yoursearcher and xmmoc

Started by synergie , Jul 30 2004 11:06 PM

  • Please log in to reply

#1
synergie
Posted 30 July 2004 - 11:06 PM

synergie

    New Member

  • Member
  • Pip
  • 2 posts
My homepage has been hijacked by yoursearcher and xmmoc. Can you please help me please. Thank you in advance for your time and effort. Here is the log.

Logfile of HijackThis v1.97.7
Scan saved at 2:52:11 PM, on 31/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cryl32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\msov32.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Steven\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmmoc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xmmoc.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xmmoc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmmoc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xmmoc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xmmoc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C98C7DCC-04E9-A6D9-A145-8EB7C6977CFE} - C:\WINDOWS\ipqe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ontsubf] C:\WINDOWS\System32\ontsubf.exe
O4 - HKLM\..\Run: [msov32.exe] C:\WINDOWS\system32\msov32.exe
O4 - HKLM\..\Run: [mfcgx32.exe] C:\WINDOWS\system32\mfcgx32.exe
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [cryl32.exe] C:\WINDOWS\system32\cryl32.exe
O4 - HKLM\..\RunOnce: [sysqc.exe] C:\WINDOWS\sysqc.exe
O4 - HKLM\..\RunOnce: [msru.exe] C:\WINDOWS\system32\msru.exe
O4 - HKLM\..\RunOnce: [sdkdu.exe] C:\WINDOWS\system32\sdkdu.exe
O4 - HKLM\..\RunOnce: [msqs.exe] C:\WINDOWS\system32\msqs.exe
O4 - HKLM\..\RunOnce: [atlai.exe] C:\WINDOWS\system32\atlai.exe
O4 - HKLM\..\RunOnce: [sysnu.exe] C:\WINDOWS\system32\sysnu.exe
O4 - HKLM\..\RunOnce: [ieeo32.exe] C:\WINDOWS\system32\ieeo32.exe
O4 - HKLM\..\RunOnce: [javaas.exe] C:\WINDOWS\system32\javaas.exe
O4 - HKLM\..\RunOnce: [atlil32.exe] C:\WINDOWS\system32\atlil32.exe
O4 - HKLM\..\RunOnce: [atllq.exe] C:\WINDOWS\atllq.exe
O4 - HKLM\..\RunOnce: [netzl32.exe] C:\WINDOWS\netzl32.exe
O4 - HKLM\..\RunOnce: [ieal32.exe] C:\WINDOWS\system32\ieal32.exe
O4 - HKLM\..\RunOnce: [winyp.exe] C:\WINDOWS\system32\winyp.exe
O4 - HKLM\..\RunOnce: [iphj32.exe] C:\WINDOWS\iphj32.exe
O4 - HKLM\..\RunOnce: [nettm32.exe] C:\WINDOWS\nettm32.exe
O4 - HKLM\..\RunOnce: [ntxi.exe] C:\WINDOWS\system32\ntxi.exe
O4 - HKLM\..\RunOnce: [apigh.exe] C:\WINDOWS\system32\apigh.exe
O4 - HKLM\..\RunOnce: [apifb32.exe] C:\WINDOWS\system32\apifb32.exe
O4 - HKLM\..\RunOnce: [crff32.exe] C:\WINDOWS\crff32.exe
O4 - HKLM\..\RunOnce: [javajn32.exe] C:\WINDOWS\javajn32.exe
O4 - HKLM\..\RunOnce: [sysoy.exe] C:\WINDOWS\sysoy.exe
O4 - HKLM\..\RunOnce: [ippy32.exe] C:\WINDOWS\system32\ippy32.exe
O4 - HKLM\..\RunOnce: [mfctq32.exe] C:\WINDOWS\system32\mfctq32.exe
O4 - HKLM\..\RunOnce: [winvd.exe] C:\WINDOWS\winvd.exe
O4 - HKLM\..\RunOnce: [ieml.exe] C:\WINDOWS\ieml.exe
O4 - HKLM\..\RunOnce: [appry32.exe] C:\WINDOWS\appry32.exe
O4 - HKLM\..\RunOnce: [atlgz32.exe] C:\WINDOWS\atlgz32.exe
O4 - HKLM\..\RunOnce: [crzj.exe] C:\WINDOWS\crzj.exe
O4 - HKLM\..\RunOnce: [msfr.exe] C:\WINDOWS\system32\msfr.exe
O4 - HKLM\..\RunOnce: [crgi32.exe] C:\WINDOWS\system32\crgi32.exe
O4 - HKLM\..\RunOnce: [winiq32.exe] C:\WINDOWS\winiq32.exe
O4 - HKLM\..\RunOnce: [appgj32.exe] C:\WINDOWS\system32\appgj32.exe
O4 - HKLM\..\RunOnce: [javayr32.exe] C:\WINDOWS\javayr32.exe
O4 - HKLM\..\RunOnce: [sdkiv.exe] C:\WINDOWS\system32\sdkiv.exe
O4 - HKLM\..\RunOnce: [sysjy.exe] C:\WINDOWS\system32\sysjy.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{075E72FF-ADB4-4742-BBBB-54FF49EEC1ED}: NameServer = 203.12.160.35 203.12.160.36


Cheers <_<
  • 0

Advertisements

#2
ditto
Posted 31 July 2004 - 05:02 AM

ditto

    - i pwn n00bs -

  • Member
  • PipPipPipPip
  • 1,260 posts
Have you tried running Ad-Aware? Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

After installing AAW, and before running the program, you must FIRST update the reference file following these instuctions. (and you must always do this before you run the program at any later date).

Now do the following:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives. It will find a number of spyware files and registry keys. Right-click in that pane and choose "select all"

Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Run Hijack This again and post back a fresh log.
  • 0

#3
synergie
Posted 31 July 2004 - 11:28 PM

synergie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
This is the new log.

Logfile of HijackThis v1.97.7
Scan saved at 3:07:12 PM, on 1/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cryl32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\msov32.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Documents and Settings\Steven\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yoursearcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmmoc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xmmoc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C98C7DCC-04E9-A6D9-A145-8EB7C6977CFE} - C:\WINDOWS\ipqe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ontsubf] C:\WINDOWS\System32\ontsubf.exe
O4 - HKLM\..\Run: [msov32.exe] C:\WINDOWS\system32\msov32.exe
O4 - HKLM\..\Run: [mfcgx32.exe] C:\WINDOWS\system32\mfcgx32.exe
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [cryl32.exe] C:\WINDOWS\system32\cryl32.exe
O4 - HKLM\..\RunOnce: [sysqc.exe] C:\WINDOWS\sysqc.exe
O4 - HKLM\..\RunOnce: [msru.exe] C:\WINDOWS\system32\msru.exe
O4 - HKLM\..\RunOnce: [sdkdu.exe] C:\WINDOWS\system32\sdkdu.exe
O4 - HKLM\..\RunOnce: [msqs.exe] C:\WINDOWS\system32\msqs.exe
O4 - HKLM\..\RunOnce: [atlai.exe] C:\WINDOWS\system32\atlai.exe
O4 - HKLM\..\RunOnce: [sysnu.exe] C:\WINDOWS\system32\sysnu.exe
O4 - HKLM\..\RunOnce: [ieeo32.exe] C:\WINDOWS\system32\ieeo32.exe
O4 - HKLM\..\RunOnce: [javaas.exe] C:\WINDOWS\system32\javaas.exe
O4 - HKLM\..\RunOnce: [atlil32.exe] C:\WINDOWS\system32\atlil32.exe
O4 - HKLM\..\RunOnce: [atllq.exe] C:\WINDOWS\atllq.exe
O4 - HKLM\..\RunOnce: [netzl32.exe] C:\WINDOWS\netzl32.exe
O4 - HKLM\..\RunOnce: [ieal32.exe] C:\WINDOWS\system32\ieal32.exe
O4 - HKLM\..\RunOnce: [winyp.exe] C:\WINDOWS\system32\winyp.exe
O4 - HKLM\..\RunOnce: [iphj32.exe] C:\WINDOWS\iphj32.exe
O4 - HKLM\..\RunOnce: [nettm32.exe] C:\WINDOWS\nettm32.exe
O4 - HKLM\..\RunOnce: [ntxi.exe] C:\WINDOWS\system32\ntxi.exe
O4 - HKLM\..\RunOnce: [apigh.exe] C:\WINDOWS\system32\apigh.exe
O4 - HKLM\..\RunOnce: [apifb32.exe] C:\WINDOWS\system32\apifb32.exe
O4 - HKLM\..\RunOnce: [crff32.exe] C:\WINDOWS\crff32.exe
O4 - HKLM\..\RunOnce: [javajn32.exe] C:\WINDOWS\javajn32.exe
O4 - HKLM\..\RunOnce: [sysoy.exe] C:\WINDOWS\sysoy.exe
O4 - HKLM\..\RunOnce: [ippy32.exe] C:\WINDOWS\system32\ippy32.exe
O4 - HKLM\..\RunOnce: [mfctq32.exe] C:\WINDOWS\system32\mfctq32.exe
O4 - HKLM\..\RunOnce: [winvd.exe] C:\WINDOWS\winvd.exe
O4 - HKLM\..\RunOnce: [ieml.exe] C:\WINDOWS\ieml.exe
O4 - HKLM\..\RunOnce: [appry32.exe] C:\WINDOWS\appry32.exe
O4 - HKLM\..\RunOnce: [atlgz32.exe] C:\WINDOWS\atlgz32.exe
O4 - HKLM\..\RunOnce: [crzj.exe] C:\WINDOWS\crzj.exe
O4 - HKLM\..\RunOnce: [msfr.exe] C:\WINDOWS\system32\msfr.exe
O4 - HKLM\..\RunOnce: [crgi32.exe] C:\WINDOWS\system32\crgi32.exe
O4 - HKLM\..\RunOnce: [winiq32.exe] C:\WINDOWS\winiq32.exe
O4 - HKLM\..\RunOnce: [appgj32.exe] C:\WINDOWS\system32\appgj32.exe
O4 - HKLM\..\RunOnce: [javayr32.exe] C:\WINDOWS\javayr32.exe
O4 - HKLM\..\RunOnce: [sdkiv.exe] C:\WINDOWS\system32\sdkiv.exe
O4 - HKLM\..\RunOnce: [sysjy.exe] C:\WINDOWS\system32\sysjy.exe
O4 - HKLM\..\RunOnce: [ntki.exe] C:\WINDOWS\system32\ntki.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

cheers. <_<
  • 0

#4
admin
Posted 02 August 2004 - 07:56 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Hello please download About:Buster and unzip it to your desktop. Start it, hit update, when finsihed click Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

Download About:Buster here: http://www.geekstogo...=download&id=25
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP