Please Help Me
Posted by: Fernando1378
Ok, it seems my browser has been hijacked. I've already read that downloading HijackThis would be good, but there's a problem. On the HijackThis page, it says I should open it on its own, not through WinZip.
When I start the download it asks me if I want to Open it, or Save it. When I click Open, it opens it up with WinZip. When I click Save, it freezes at 99% and my computer crashes (did that about 5 times already). I'm not sure if that's the only problem though, because when I try to open Control Panel, my computer freezes. It does the same when I try to open My Computer.
I already have Spybot, Ad-Aware, and Spyware Blaster. I've run all of them and removed all the items that have come up but the problem is still there. I got Spybot to open on Windows start-up and there was a section labeled "Browser Pages". It said on there that if my browser had been hijacked, I could fix it there by changing my start-up pages back to what I had them. I changed them all back to [url]www.yahoo.com[/url], but that didn't fix the problem. What do I do?!? :mad:
Posted by: DMo224
CWS will keep pages from loading that have HijackThis! on them, and may corrupt the downloads.
Get CWShredder and run it first. Then get HijackThis! and run it. If you want help with the logs, post them here.
[URL=http://www.majorgeeks.com/download4086.html]CWShredder from MajorGeeks[/URL]
[URL=http://209.133.47.200/~merijn/files/CWShredder.exe]CWShredder Direct download from Merijn[/URL]
[URL=http://www.spywareinfo.com/~merijn/downloads.html]Merijn Downloads page[/URL]
I hope that helps.
Dave :D
Posted by: Fernando1378
I'm not sure which ones to take off. I know the one starting with [url]http://jksearch.biz[/url] is part of the problem because when I open up IE, that's what it says at the top of the page. I've tried removing it before but it just reappears, so I'm guessing something else is in there that shouldn't be. So if you could please tell me which ones to take off, I'd really appreciate it. :)
Logfile of HijackThis v1.97.7
Scan saved at 7:52:12 PM, on 5/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\PWG7H9S5\HIJACKTHIS[1].EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = [url]www.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://jksearch.biz/redir.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://jksearch.biz/redir.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [url]www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://jksearch.biz/redir.php[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://jksearch.biz/redir.php[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [url]www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = [url]http://jksearch.biz/redir.php[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = [url]http://jksearch.biz/redir.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = [url]www.yahoo.com[/url]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: [url]http://chat.msn.com[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - [url]http://www.wildtangent.com/install/wdriver/adrenaline/microsoft/wtinst.cab[/url]
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab[/url]
O16 - DPF: Yahoo! Checkers - [url]http://download.games.yahoo.com/games/clients/y/kt3_x.cab[/url]
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - [url]http://chat.yahoo.com/cab/yacsui.cab[/url]
O16 - DPF: {162C79FA-1A40-417D-85C8-A98CDD1FD9CE} (VOGWeb Class) - [url]http://engine.vogclub.com/activex/VOGWEB.CAB[/url]
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - [url]http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab[/url]
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - [url]http://216.249.24.140/code/PWActiveXImgCtl.CAB[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab[/url]
O16 - DPF: Yahoo! Towers 2.0 - [url]http://download.games.yahoo.com/games/clients/y/ywt0_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/potc_x.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab[/url]
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [url]http://messenger.zone.msn.com/binary/msgrchkr.cab[/url]
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineSweeper.cab[/url]
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - [url]http://messenger.zone.msn.com/binary/SolitaireShowdown.cab[/url]
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - [url]http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://download.yahoo.com/dl/installs/ymail/ymmapi.dll[/url]
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - [url]http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - [url]http://download.yahoo.com/dl/installs/yab_af.cab[/url]
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - [url]http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab[/url]
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - [url]http://chat.msn.com/bin/msnchat45.cab[/url]
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - [url]http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38126.7224189815[/url]
Posted by: tylertherobot
Wouldn't using spybot remedy this type of problem too? Or is my question totally unfounded and stupid?
Posted by: Fernando1378
I think it SHOULD, but it isn't. I've run it so many times and nothing comes up anymore. I've removed everything it detects. I have also run Ad-Aware several times, but that isn't picking up anything new anymore either.
Posted by: Lobos
Please make a folder for HijackThis and put it in there,
and go to Add and Remove Programs and remove P2P Networking.
Posted by: Lobos
Run HijackThis, put a check next to these, close all browsers and click Fix.
Make sure not to miss one.
[b]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://jksearch.biz/redir.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://jksearch.biz/redir.php[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://jksearch.biz/redir.php[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://jksearch.biz/redir.php[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = [url]http://jksearch.biz/redir.php[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = [url]http://jksearch.biz/redir.php[/url]
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - [url]http://www.wildtangent.com/install/...soft/wtinst.cab[/url]
[/b]
Next
Open [b]My Computer[/b]. Go to [b]Tools, Folder Options[/b] and click on the [b]View tab[/b]. Make sure that [b]"Show hidden files and folders"[/b] is checked. Also uncheck [b]"Hide protected operating system files"[/b]. Now click [b]"Apply to all folders"[/b].
Click [b]"Apply"[/b] then "OK".
Reboot into safe mode.
[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406][b]How to boot into safe mode[/b][/url]
Delete what is in [b]Bold[/b]
C:\PROGRA~1\[b]LYCOS[/b] folder
C:\PROGRAM FILES\[b]MYWAY[/b] folder
C:\WINDOWS\[b]ALCHEM.exe[/b] file
Then run [b]CWShredder[/b] again.
Run it, press 'Fix', and allow it to fix all it finds.
And remember to click [b]"Fix" (Not "Scan only")[/b]
Come back and post a fresh log.
Posted by: jaun1477
You usually get infected because your security settings are too low.
1) Watch what you download!
Many freeware programs, and P2P programs like Grokster, iMesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.
2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.
3) Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.
4) Install Javacool's SpywareBlaster
It will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.
Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer).
Press "select all", then "kill all checked", and you're done.
Don't forget to check for updates every week or so.
Posted by: jaun1477
A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla
NOTE: The Notorious LOP foistware now creates random Browser plugin identifiers as well as file names.
They'll look something like this:
{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
As the number of possible names and combinations could therefore literally run into the billions, I will no longer be adding LOP BHOs to the list.
Be watchful when running into unknown BHOs bearing these kinds of fancy names. If they're not on the list, and the file is located in the Application Data directory, it's almost certainly a LOP BHO.
The same now goes for Adgoblin/InContext and WurldMedia Browser Plugins, and there are others. Here are some examples of random WurldMedia identifiers and file names:
{8A79D959-1251-41CC-B29D-4CF8B675D41E}: toalundg.dll
{BFAE1995-4CAC-40D0-B029-42CEC449E838}: ecule.dll
and some semi-random ones:
{E0634852-5A3C-4E35-954C-17A0622F0BF8} - m030206pohs.dll
{6270DFC1-EDFB-4BC4-BE8C-842740BA290B}: MOAA030425S.DLL
{BFBAE8DA-9920-4166-A5A4-EBD03F59ABF5}: mo030414s.dll
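To make the triage criteria from the two posts above concrete (Lobos's list of jksearch.biz and "(file missing)" entries, and jaun1477's note on BHOs with random names under Application Data), here is an added example that is not part of this thread or of HijackThis itself: a small Python parser for R0/R1 and O2 log lines that flags such entries. The sample log lines and the host lists are constructed from entries quoted in this thread and are assumptions to extend for your own logs.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on entries from
# this thread. The [url] tags around URLs in the posts are forum BBCode, not
# log content, so they are left out here.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {1A35419C-7394-4989-B3C5-6189EB06BD66} - C:\WINDOWS\Application Data\ssshwckfrngl.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
"""

# Hosts named in this thread: the hijacker's start page, and the host the
# user's own settings should point at. Both sets are assumptions to extend.
SUSPECT_HOSTS = {"jksearch.biz"}
KNOWN_GOOD_HOSTS = {"www.yahoo.com"}

# R0/R1: "<key>,<value name> = <url>"; O2: "BHO: <name> - {CLSID} - <dll path>"
R_LINE = re.compile(r"^R[01] - (.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def host_of(value):
    """Hostname of an R0/R1 value. Bare hosts such as www.yahoo.com carry no
    scheme, so one is prepended before parsing."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_random(filename):
    """Heuristic for LOP-style names like ssshwckfrngl.dll: a long, letters-only
    stem with almost no vowels. Vendor DLL names usually have vowels or digits."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return vowels / len(stem) < 0.25


def triage(log_text):
    """Return (line, reason) pairs for entries a helper would ask to fix."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            host = host_of(m.group(3))
            if host in SUSPECT_HOSTS:
                findings.append((line, "known hijacker host " + host))
            elif host and host not in KNOWN_GOOD_HOSTS:
                findings.append((line, "unrecognised host " + host))
            continue
        m = O2_LINE.match(line)
        if m:
            path = m.group(3)
            filename = path.split("\\")[-1].split(" (")[0]
            if path.endswith("(file missing)"):
                # Registered but gone: a leftover that HijackThis can still fix.
                findings.append((line, "BHO registered but DLL missing"))
            elif "application data" in path.lower():
                reason = "BHO loaded from Application Data"
                if looks_random(filename):
                    reason += " with random-looking name"
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-55s <- %s" % (reason, line[:70]))
```

The Yahoo! Companion BHO and the yahoo.com search setting produce no finding, which is the point: the rules single out the entries the helpers asked to remove without flagging every third-party add-on.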
Posted by: Fernando1378
First of all, thank you all for your replies.. they're really helping :)
Next.. I've done all LobosBlanco said, up until the part where you said "delete what is in bold". Delete from where?? Do you mean like go to Find, type it in, and delete what comes up? I got stuck there, so if you could please specify, that'd help a lot, thanks...
Posted by: Lobos
Click on the My Computer icon and go to these folders and file,
or you can do a search for them, it's up to you,
and delete them:
C:\PROGRA~1\LYCOS folder
C:\PROGRAM FILES\MYWAY folder
and this file
C:\WINDOWS\ALCHEM.exe file
Posted by: Fernando1378
Ok, I did every single step again, just like you said. Restarted the computer back in normal mode, opened up IE, and it's still there :( .. If you need me to post the scan results again, let me know so I can do it. Thanks for the help though. :)
Posted by: Lobos
Yes, please do post another log.
Posted by: Fernando1378
Logfile of HijackThis v1.97.7
Scan saved at 9:54:30 PM, on 5/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = [url]www.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://jksearch.biz/redir.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://jksearch.biz/redir.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [url]www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://jksearch.biz/redir.php[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://jksearch.biz/redir.php[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [url]www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = [url]http://jksearch.biz/redir.php[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = [url]http://jksearch.biz/redir.php[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = [url]www.yahoo.com[/url]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: [url]http://chat.msn.com[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab[/url]
O16 - DPF: Yahoo! Checkers - [url]http://download.games.yahoo.com/games/clients/y/kt3_x.cab[/url]
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - [url]http://chat.yahoo.com/cab/yacsui.cab[/url]
O16 - DPF: {162C79FA-1A40-417D-85C8-A98CDD1FD9CE} (VOGWeb Class) - [url]http://engine.vogclub.com/activex/VOGWEB.CAB[/url]
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - [url]http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab[/url]
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - [url]http://216.249.24.140/code/PWActiveXImgCtl.CAB[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab[/url]
O16 - DPF: Yahoo! Towers 2.0 - [url]http://download.games.yahoo.com/games/clients/y/ywt0_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/potc_x.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab[/url]
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [url]http://messenger.zone.msn.com/binary/msgrchkr.cab[/url]
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineSweeper.cab[/url]
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - [url]http://messenger.zone.msn.com/binary/SolitaireShowdown.cab[/url]
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - [url]http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://download.yahoo.com/dl/installs/ymail/ymmapi.dll[/url]
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - [url]http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - [url]http://download.yahoo.com/dl/installs/yab_af.cab[/url]
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - [url]http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab[/url]
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - [url]http://chat.msn.com/bin/msnchat45.cab[/url]
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - [url]http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38126.7224189815[/url]
There it is.
Posted by: Lobos
I'm looking into a solution for you; the responsible file is not showing.
Try this:
[url]http://216.239.37.104/translate_c?hl=en&u=http://www.wilderssecurity.com/showpost.php%3Fp%3D179502%26postcount%3D18&prev=/search%3Fq%3Dredir.php%26start%3D10%26hl%3Den%26lr%3D%26ie%3DUTF-8%26sa%3DN[/url]
Posted by: Fernando1378
Ok, I did what he said.. up until this part:
then find this file:
system32.dll
its probably in one of two locations:
c:\windows\system32\system32.dll
c:\windows\system\system32.dll
and delete it
I found the file, but when I right click and delete, it says "Cannot delete system32: The specified file is being used by Windows". Would I be able to delete it if I start my computer under Safe Mode?
Posted by: Fernando1378
GREAT GREAT NEWS!!!..
After my last post, where I said "would I be able to delete it if I restart under Safe Mode".. I did just that.
Restarted under Safe Mode, Searched for "system32.dll" and deleted it. I then restarted under regular, went to Internet Option, changed it back to [url]www.yahoo.com[/url]
Then I opened HijackThis, Scan, removed all the ones that had "jksearch" and deleted all the backups. And I THINK I FIXED IT. I opened IE, and BAM!!, it's on yahoo.com again. So I think I've fixed it. If not, you'll see another post from me in a little while (hopefully not).
I want to thank everybody for taking me step by step on fixing this. If it weren't for forums like this, I'd still be screwed and clueless on what to do, so THANK YOU ALL!!! :D
Posted by: Lobos
Congratulations!
Now go here,
a lot of good information:
[b]Read here[/b] [url=http://www.techsupportforum.com/showthread.php?s=&threadid=13891&forumid=50][b]How did I get infected in the first place[/b][/url]