
Browser hijack

Could someone instruct me what to do, having hijacked syndromes? Here is my HijackThis log:




Logfile of HijackThis v1.98.2
Scan saved at 10:11:22 AM, on 9/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\mmtask.tsk
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\SYSGA.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOTUS\SMARTCTR\SMARTCTR.EXE
C:\PROGRAM FILES\LOTUS\SMARTCTR\SUITEST.EXE
C:\PROGRAM FILES\QUICKEN\QWDLLS.EXE
C:\WINDOWS.000\WEBSHOTS.SCR
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INVOICES\TRACKER.EXE
C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
C:\WINDOWS.000\SYSTEM\DDHELP.EXE
A:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C5E76A8F-AA45-4788-6802-0A8B7624FBA5} - C:\WINDOWS.000\ATLQH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [tkfuxmle] C:\WINDOWS.000\SYSTEM\vbrojyyv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SYSGA.EXE] C:\WINDOWS.000\SYSGA.EXE
O4 - Startup: Lotus SmartCenter.lnk = C:\Program Files\lotus\smartctr\smartctr.exe
O4 - Startup: Lotus SuiteStart.lnk = C:\Program Files\lotus\smartctr\suitest.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\BILLMIND.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ww/games3.cab

 
Well, reboot into safe mode and remove all the hijacks that don't look like you put them there, all the Internet Explorer helpers and search toolbars.
 
Hello Coro Dominicano,

Before you do anything
1. Make sure that you have extracted HijackThis to a folder that is isolated before removing anything, for HijackThis makes backups within the folder it is in.
2. Reboot into safe mode
3. Close all browsers/windows explorer

Fix the following in HijackThis (kill the process in the process viewer, if it's there):
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: Class - {C5E76A8F-AA45-4788-6802-0A8B7624FBA5} - C:\WINDOWS.000\ATLQH.DLL
  • O4 - HKLM\..\Run: [tkfuxmle] C:\WINDOWS.000\SYSTEM\vbrojyyv.exe
  • O4 - HKLM\..\RunServices: [SYSGA.EXE] C:\WINDOWS.000\SYSGA.EXE
  • O15 - Trusted Zone: *.05p.com
  • O15 - Trusted Zone: *.searchmiracle.com
  • O15 - Trusted Zone: *.clickspring.net
  • O15 - Trusted Zone: *.mt-download.com
  • O15 - Trusted Zone: *.my-internet.info
  • O15 - Trusted Zone: *.scoobidoo.com
  • O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

Additional Steps

1. Clear your Temporary Files
2. Run About:Buster
3. Delete the following files: "C:\WINDOWS.000\SYSTEM\vbrojyyv.exe", "C:\WINDOWS.000\SYSGA.EXE"
4. Restart into normal Windows

Notes

  • 1. You are infected with the dreaded about:blank hijack; About:Buster will cure that.
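
Added example, not part of the original thread or of HijackThis itself: a small Python triage pass over the log format shown above. It groups the entries the reply singles out: IE pages served from a local `res://` DLL, `Run`/`RunServices` autoruns, and ActiveX (O16) download hosts that also appear in the Trusted Zone (O15). The function names and the grouping rules are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Subset of the HijackThis log posted in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\system\luswf.dll/sp.html#12802
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [tkfuxmle] C:\WINDOWS.000\SYSTEM\vbrojyyv.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.+)$")
RES_DLL = re.compile(r"= res://(.+?\.dll)/", re.IGNORECASE)
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")

def parse(log):
    """Return (code, body) tuples for every R*/O* line; skip everything else."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def triage(log):
    """Group entries into review buckets (illustrative rules, not HijackThis logic)."""
    report = {"res_dlls": {}, "trusted": set(), "dpf_from_trusted": [], "autoruns": []}
    entries = parse(log)
    for code, body in entries:
        if code in ("R0", "R1") and (m := RES_DLL.search(body)):
            # IE start/search value served from a resource inside a local DLL.
            key = m.group(1).lower()
            report["res_dlls"].setdefault(key, []).append(body.split(" = ")[0])
        elif code == "O15":
            report["trusted"].add(body.split(": ", 1)[1].removeprefix("*."))
        elif code == "O4" and (m := RUN.match(body)):
            report["autoruns"].append(m.groups())
    for code, body in entries:
        if code == "O16":
            host = urlparse(body.rsplit(" - ", 1)[1]).hostname or ""
            # ActiveX download source that was also added to the Trusted Zone.
            if any(host == d or host.endswith("." + d) for d in report["trusted"]):
                report["dpf_from_trusted"].append(host)
    return report

if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_LOG).items():
        print(bucket, value)
```

The buckets are a review aid only; every entry still needs a human decision before it is fixed in HijackThis.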
 