Please help me get rid of a hijacker!

Discussion in 'Computer Support' started by the.tall.hobbit, Nov 21, 2004.

  1. Hello there,

    I'm running XP Pro, and I appear to have got a homepage hijacker/searchbar
    problem.

    I have updated and run both Spybot 1.3 and Ad-Aware SE, and have also
    detected and deleted some infected files with AVG.

    But the Spybot Resident keeps telling me that the browser homepage has been
    changed, i.e. from www.loads of gibberish directing to mywebsearch.com to
    www.moreloadsof gibberish directing me to the same place.

    No matter how many times I hit "deny change", it still pops up a couple
    of minutes later.

    I have also run HijackThis and came up with the following log.

    Logfile of HijackThis v1.98.2
    Scan saved at 21:51:24, on 21/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\configldr.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Tiscali\tkonnect\tkonnect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\karen\Desktop\Downloaded
    Items\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://web.fffqjzylmemt.com/W7CfjWMQyJoXHnBLlS4tvKaUIchhFTNMuFRlUEoh5kFlD7U9bykcnLu4Kkh86_YJ.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.oirrhkcvhgvo.com/W7CfjWMQyJoejZhiK4BLHPTQRoo37a37X1IZnEUnD44.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.tiscali.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
    Internet Explorer provided by Tiscali
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
    c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {C8C035F9-9FE3-3BF7-5E89-1FA18189960E} -
    C:\DOCUME~1\karen\APPLIC~1\SECTLI~1\bluebows.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
    files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
    O4 - HKLM\..\Run: [QuickTime Task]
    "C:\WINDOWS\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
    settings\temp\qBbgt.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
    Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AutoLoaderxsrk1KNjIRXP]
    "C:\WINDOWS\System32\midbkend.exe"
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [real coal flap date] C:\Documents and Settings\All
    Users.WINDOWS\Application Data\Spam Cdrom Real Coal\BowsOnce.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
    O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus!
    3\MsgPlus.exe"
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [tkonnect] C:\Program Files\Tiscali\tkonnect\tkonnect.exe
    updatemode
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
    Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
    soap fast.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
    3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
    /background
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program
    Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office10\OSA.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program
    Files\Nikon\NkView6\NkvMon.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmtrans.html
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
    Player 2K2) - http://www.napster.co.uk/client/setup.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101061670937
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
    Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    END LOGFILE

    I hope someone can help me out there!!

    Thanks for your time
    Karen
     
    the.tall.hobbit, Nov 21, 2004
    #1

  2. the.tall.hobbit

    pcbutts1 Guest

    Have HijackThis fix the following lines, then go to
    http://windowsupdate.microsoft.com and download and install all the critical
    updates. You have something called mslaugh.exe running, which is part of the
    Blaster worm. You need the MS updates to block it. Why your antivirus did
    not pick it up, I don't know. You will have a choice to install SP2; I suggest
    you do it. If not, then get all the other updates.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://web.fffqjzylmemt.com/W7CfjWMQyJoXHnBLlS4tvKaUIchhFTNMuFRlUEoh5kFlD7U9bykcnLu4Kkh86_YJ.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.oirrhkcvhgvo.com/W7CfjWMQyJoejZhiK4BLHPTQRoo37a37X1IZnEUnD44.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.tiscali.co.uk/
    O2 - BHO: (no name) -
    {C8C035F9-9FE3-3BF7-5E89-1FA18189960E} -C:\DOCUME~1\karen\APPLIC~1\SECTLI~1\bluebows.exe

    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
    O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
    settings\temp\qBbgt.exe
    O4 - HKLM\..\Run: [AutoLoaderxsrk1KNjIRXP]"C:\WINDOWS\System32\midbkend.exe"
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [real coal flap date] C:\Documents and Settings\All
    Users.WINDOWS\Application Data\Spam Cdrom Real Coal\BowsOnce.exe

    O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
    soap fast.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
    Player 2K2) - http://www.napster.co.uk/client/setup.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101061670937
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
    Class) -
    http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab


    --


    The best live web video on the internet http://www.seedsv.com/webdemo.htm
    Sharpvision simply the best http://www.seedsv.com



    "the.tall.hobbit" <> wrote
    in message news:...
    > Hello there,
    >
    > I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
    > problem.
    >
    > I have updated and run both Spybot 1.3, and Adaware SE and have also
    > detected and deleted some infected files with AVG.
    >
    > But the Spybot Resident keeps telling me that the browser homepage has
    > been
    > changed. ie from www.loads of gibberish directing to mywebsearch.com to
    > www.moreloadsof gibberish directing me to the same place.
    >
    > No matter how many times I hit the "deny change" it still pops up a couple
    > of minutes later.
    >
    > I have also run hijackthis and came up with the following log.
    >
     
    pcbutts1, Nov 21, 2004
    #2

  3. the.tall.hobbit

    °Mike° Guest

    On Sun, 21 Nov 2004 22:14:49 -0000, in
    <>
    the.tall.hobbit scrawled:

    >Hello there,
    >
    >I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
    >problem.
    >
    >I have updated and run both Spybot 1.3, and Adaware SE and have also
    >detected and deleted some infected files with AVG.
    >
    >But the Spybot Resident keeps telling me that the browser homepage has been
    >changed. ie from www.loads of gibberish directing to mywebsearch.com to
    >www.moreloadsof gibberish directing me to the same place.
    >
    >No matter how many times I hit the "deny change" it still pops up a couple
    >of minutes later.
    >
    >I have also run hijackthis and came up with the following log.
    >
    >Logfile of HijackThis v1.98.2
    >Scan saved at 21:51:24, on 21/11/2004
    >Platform: Windows XP SP1 (WinNT 5.01.2600)
    >MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >
    >Running processes:


    <snip>

    >C:\WINDOWS\System32\configldr.exe


    You are infected with the Agobot worm.
    End task the above process (CTRL+ALT+DEL).

    Remove the following entries from your
    registry (Start / Run / regedit):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Configuration Loading = configldr.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    Configuration Loading = configldr.exe

    Scan your system with UP TO DATE antivirus, and at least
    two online scanners.

    Online Antivirus scanners:
    ================
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www3.ca.com/virusinfo/virusscan.aspx
    http://security.symantec.com/sscv6/default.asp
    http://us.mcafee.com/root/mfs/default.asp


    >R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    >http://web.fffqjzylmemt.com/W7CfjWMQyJoXHnBLlS4tvKaUIchhFTNMuFRlUEoh5kFlD7U9bykcnLu4Kkh86_YJ.html


    Have HijackThis fix the above.


    >R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    >http://www.oirrhkcvhgvo.com/W7CfjWMQyJoejZhiK4BLHPTQRoo37a37X1IZnEUnD44.html


    Have HijackThis fix the above.


    >O2 - BHO: (no name) - {C8C035F9-9FE3-3BF7-5E89-1FA18189960E} -
    >C:\DOCUME~1\karen\APPLIC~1\SECTLI~1\bluebows.exe


    Unless you know what "bluebows.exe" is, have HijackThis
    fix the above.


    >O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe


    You are also infected with the BLASTER worm!
    See the end for details of how to remove.


    >O4 - HKLM\..\Run: [Configuration Loader] configldr.exe


    Have HijackThis fix the above.


    >O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
    >settings\temp\qBbgt.exe


    Have HijackThis fix the above. Boot into Safe Mode and empty
    your "local settings\temp" folder. See my signature.


    >O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    >O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe


    Another nail in the coffin of AVG! AVG is CRAP. Remove it
    and protect yourself with an antivirus that actually works:

    Anti-virus programs:
    --------------------
    KAV (Kaspersky)
    http://www.kaspersky.com/

    Sophos
    http://www.sophos.com/products/sav/


    >O4 - HKLM\..\Run: [AutoLoaderxsrk1KNjIRXP]
    >"C:\WINDOWS\System32\midbkend.exe"


    Have HijackThis fix the above.


    >O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"


    Adware. Have HijackThis fix the above.


    >O4 - HKLM\..\Run: [real coal flap date] C:\Documents and Settings\All
    >Users.WINDOWS\Application Data\Spam Cdrom Real Coal\BowsOnce.exe


    Unless you know what the above is, have HijackThis fix it.
    Look at the names.


    >O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe


    Have HijackThis fix the above.


    >O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
    >soap fast.exe


    Unless you know what the above is, have HijackThis fix it.
    Look at the names.


    >O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
    >Player 2K2) - http://www.napster.co.uk/client/setup.exe


    This (napster) is probably where you have been infected from.


    >END LOGFILE
    >
    >I hope some can help me out there!!
    >
    >Thanks for your time
    >Karen



    BLASTER REMOVAL:

    Boot into Safe Mode and start your registry editor:
    Start / Run / regedit

    Navigate to:
    HKEY_LOCAL_MACHINE
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Run

    In the right-hand pane, look for any entry/ies that include
    MSBLAST.EXE, PENIS32.EXE, TEEKIDS.EXE, MSPATCH.EXE,
    MSLAUGH.EXE, ENBIEI.EXE, ESCHLP.EXE or TFTP.EXE.
    DELETE it/them.
    These are the files associated with the different variants:
    Variant A - msblast.exe
    Variant B - penis32.exe
    Variant C - teekids.exe
    Variant D - mspatch.exe
    Variant E - mslaugh.exe
    Variant F - enbiei.exe
    Variant G (aka T) - eschlp.exe & svchosthlp.exe
    Variant H (aka K) - mschost.exe & tftp.exe

    You just disabled the worm from running at startup, so boot into
    normal mode again, and turn off ALL system restores to purge
    your system.

    Open Windows Explorer to the ..\Windows\System32\ or
    ...\WinNT\System32\ folder and DELETE *any* of the
    files named above.

    Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
    and find the reference to the above file/s (any reference will
    be similar to: <filename.exe>-<alphanumerics>.PF), for example,
    msblast.exe-0235D8H6.pf, and DELETE it/them.

    Now you can download and install the patch, configure your
    firewall and update your virus scanner.

    Virus Alert About the Blaster Worm and Its Variants
    http://support.microsoft.com/default.aspx?kbid=826955

    Microsoft Security Bulletin MS03-026
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

    What you should know about the Blaster worm
    http://www.microsoft.com/security/incident/blast.asp

    Windows RPC DCOM Buffer Overflow Remote Exploit (MS03-026)
    http://www.k-otik.com/exploits/07.25.winrpcdcom.c.php

    How to Use The KB 823980 Scanning Tool to Identify Host Computers
    That Do Not Have The 823980 Security Patch (MS03-026) Installed
    http://support.microsoft.com/default.aspx?kbid=826369

    W32.Blaster.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    W32.Blaster.B.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html

    W32.Blaster.C.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html

    W32.Blaster.D.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.d.worm.html

    W32.Blaster.E.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.e.worm.html

    W32.Blaster.F.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.f.worm.html

    W32.Blaster.T.Worm (aka G)
    http://www.symantec.com/avcenter/venc/data/w32.blaster.t.worm.html

    W32.Blaster.K.Worm (aka H)
    http://www.symantec.com/avcenter/venc/data/w32.blaster.k.worm.html

    W32.Blaster.Worm Removal Tool
    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html





    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Nov 21, 2004
    #3
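
A triage sketch for the steps in °Mike°'s reply, added here as an example and not posted by anyone in the thread: it rejoins the wrapped lines of a HijackThis log, flags O4 autorun entries whose program matches the Blaster variant file names listed above, and matches Prefetch names of the form <filename.exe>-<alphanumerics>.PF. The function names and the temp-folder check are assumptions of this example.

```python
import re

# Blaster file names by variant, as listed in the post above.
# A name match is a lead to check, not proof: file names can be reused.
BLASTER_FILES = {
    "msblast.exe": "A", "penis32.exe": "B", "teekids.exe": "C",
    "mspatch.exe": "D", "mslaugh.exe": "E", "enbiei.exe": "F",
    "eschlp.exe": "G (aka T)", "svchosthlp.exe": "G (aka T)",
    "mschost.exe": "H (aka K)", "tftp.exe": "H (aka K)",
}

# Excerpt of the log posted in this thread, line wrapping preserved.
SAMPLE_LOG = r'''
Running processes:
C:\WINDOWS\System32\configldr.exe

O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [QuickTime Task]
"C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
settings\temp\qBbgt.exe
O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
soap fast.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
'''

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\]\s*(.*)$")

def unfold(log_text):
    """Rejoin log entries that were wrapped across lines when posted."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_START.match(line):
            if current:
                entries.append(current)
            current = line
        elif line and current:
            current += " " + line      # continuation of the previous entry
        elif current:
            entries.append(current)    # a blank line ends the entry
            current = None
    if current:
        entries.append(current)
    return entries

def exe_name(command):
    """Lower-cased base file name of the program an autorun command starts."""
    m = re.match(r'"([^"]+)"', command) or re.match(r"(.*?\.exe)\b", command, re.I)
    path = m.group(1) if m else command
    return path.rsplit("\\", 1)[-1].lower()

def triage(log_text):
    """Return (key, value name, exe, reasons) for flagged O4 Run entries."""
    findings = []
    for entry in unfold(log_text):
        m = O4_RUN.match(entry)
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe, reasons = exe_name(command), []
        if exe in BLASTER_FILES:
            reasons.append("Blaster variant " + BLASTER_FILES[exe] + " file name")
        if "\\temp\\" in command.lower():   # assumption: temp-folder autoruns merit a look
            reasons.append("starts from a temp folder")
        if reasons:
            findings.append((hive + "\\" + key, name, exe, reasons))
    return findings

def prefetch_hits(file_names):
    """Prefetch names <filename.exe>-<alphanumerics>.PF that reference a listed file."""
    pattern = re.compile(r"(.+\.exe)-[0-9a-z]+\.pf", re.I)
    return [f for f in file_names
            if (m := pattern.fullmatch(f)) and m.group(1).lower() in BLASTER_FILES]

if __name__ == "__main__":
    for key, name, exe, reasons in triage(SAMPLE_LOG):
        print(key, "[" + name + "]", exe, "->", "; ".join(reasons))
```
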
  4. the.tall.hobbit

    Pennywise Guest

    On Sun, 21 Nov 2004 22:14:49 -0000, "the.tall.hobbit"
    <> wrote:

    |>Hello there,
    |>
    |>I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
    |>problem.
    |>
    |>I have also run hijackthis and came up with the following log.

    You've got some work ahead of you, that's for sure.
    Paste your Hijackthis log here:
    http://hijackthis.de/index.php?langselect=english
    and go from there.
     
    Pennywise, Nov 22, 2004
    #4
  5. thanks all, lots to do then!

    I'll post back with updates etc
    karen
     
    the.tall.hobbit, Nov 22, 2004
    #5
  6. the.tall.hobbit

    nemo Guest

    Why not call this guy stupid too? After all - he picked up a virus!

    pcbutts1 <> wrote in message
    news:EV8od.24601$...
    > Have Hijackthis fix the following lines, then go to
    > http://windowsupdate.microsoft.com and download and install all the
    > critical updates. You have running something called mslaugh.exe which is
    > part of the blaster worm. You need the MS updates to block it. Why your
    > antivirus did not pick it up I don't know. You will have a choice to
    > install SP2 I suggest you do it. If not then get all the other updates.
    >
    > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    > http://web.fffqjzylmemt.com/W7CfjWMQyJoXHnBLlS4tvKaUIchhFTNMuFRlUEoh5kFlD7U9bykcnLu4Kkh86_YJ.html
    > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    > http://www.oirrhkcvhgvo.com/W7CfjWMQyJoejZhiK4BLHPTQRoo37a37X1IZnEUnD44.html
    > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    > http://www.tiscali.co.uk/
    > O2 - BHO: (no name) -
    > {C8C035F9-9FE3-3BF7-5E89-1FA18189960E} -C:\DOCUME~1\karen\APPLIC~1\SECTLI~1\bluebows.exe
    >
    > O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    > O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
    > O4 - HKLM\..\Run: [qBbgt] C:\documents and settings\karen\local
    > settings\temp\qBbgt.exe
    > O4 - HKLM\..\Run: [AutoLoaderxsrk1KNjIRXP]"C:\WINDOWS\System32\midbkend.exe"
    > O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    > O4 - HKLM\..\Run: [real coal flap date] C:\Documents and Settings\All
    > Users.WINDOWS\Application Data\Spam Cdrom Real Coal\BowsOnce.exe
    >
    > O4 - HKCU\..\Run: [Bird Funk] C:\DOCUME~1\karen\APPLIC~1\TYPEBI~1\window
    > soap fast.exe
    > O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
    > O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    > Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    > O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
    > Player 2K2) - http://www.napster.co.uk/client/setup.exe
    > O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    > http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101061670937
    > O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
    > Class) -
    > http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    >
    >
    > --
    >
    >
    > The best live web video on the internet http://www.seedsv.com/webdemo.htm
    > Sharpvision simply the best http://www.seedsv.com
    >
    >
    >
    > "the.tall.hobbit" <> wrote
    > in message news:...
    > > Hello there,
    > >
    > > I'm running xp pro, and I appear to have got a homepage hijacker/searchbar
    > > problem.
    > >
    > > I have updated and run both Spybot 1.3, and Adaware SE and have also
    > > detected and deleted some infected files with AVG.
    > >
    > > But the Spybot Resident keeps telling me that the browser homepage has
    > > been
    > > changed. ie from www.loads of gibberish directing to mywebsearch.com to
    > > www.moreloadsof gibberish directing me to the same place.
    > >
    > > No matter how many times I hit the "deny change" it still pops up a couple
    > > of minutes later.
    > >
    > > I have also run hijackthis and came up with the following log.
    > >
    >
    >
     
    nemo, Nov 22, 2004
    #6