Hijacked Problem

marcello (Golden Member, joined Aug 30, 2004)
I came home from work today, and my internet browser (IE) is seriously fvcked up. Every time I try to go to any page it automatically redirects me to: http:/// which obviously is no good. When I hit the back button it just goes back to the bad place. If I hit it a few times, then it works and I can go to another page and repeat the process, which is how I got here. You can't even begin to believe how frustrating this is. Anyways, I ran AdAware, nothing. I ran PC-cillin and got rid of any problems, still nothing. I was told to use HijackThis, and I did, but I don't know which are the bad files; can anyone tell me? Here is a paste of the log file:
Logfile of HijackThis v1.98.2
Scan saved at 5:34:55 PM, on 12/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\PopUp Killer\PopUpKiller.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\winpack.exe
C:\WINDOWS\System32\utildll.exe
D:\Installers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sports.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysMon] C:\windows\system32\mswkdks32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [utildll] C:\WINDOWS\System32\utildll.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
Looks like you need some Windows patching there. Also, are you running a firewall of some sort? And try an MBSA scan (see link in sig); you've probably got exploitable Admin-class accounts due to weak/blank passwords. If other people are using your computer, then make a Limited account that they can use. I recommend using a Limited account yourself too; it's like wearing your seatbelt.

Get the latest version of HJT and post the log results in Schadenfroh's thread up above. Looking at yours, as a first shot it would appear that you should start up in Safe Mode, empty your IE cache, disable System Restore, and kill these:

* C:\Program Files\2Wire\HomePortal\2PortalMon.exe (unless you know what this is, delete it and its directory)
* C:\WINDOWS\System32\winpack.exe
* C:\WINDOWS\System32\utildll.exe
* O4 - HKLM\..\Run: [SysMon] C:\windows\system32\mswkdks32.exe
* O4 - HKCU\..\Run: [utildll] C:\WINDOWS\System32\utildll.exe
* O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

Also look through your Windows Services (right-click My Computer > Manage > Services and Applications > Services) and stop & disable any that you can identify as alien. Doing this stuff may break your Internet, so also have this handy: LSPFix

[ / amateur Schadenfroh imitation ]
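The triage mechBgon did by eye above (unknown executables living directly in System32, launched from Run keys, some of them per-user HKCU entries, and orphaned O9 buttons) can be written down as rules. The script below is an added example for this thread, not HijackThis code or anything from the posters; the allowlist of "known good" names is an assumption made for the example, and the sample log is a subset of the lines posted above.

```python
"""Triage the autorun (O4) and IE button (O9) entries of a HijackThis log.

Added example for this thread, not HijackThis code. The allowlist below is
an assumption made for the example; real triage checks vendor signatures
and file hashes rather than a hand-kept name list.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log lines posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\winpack.exe
C:\WINDOWS\System32\utildll.exe
D:\Installers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sports.yahoo.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysMon] C:\windows\system32\mswkdks32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [utildll] C:\WINDOWS\System32\utildll.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
"""

# Assumed allowlist: System32 / unqualified autorun names the analyst has
# already vouched for (the NVIDIA and Nero entries from the log).
KNOWN_GOOD = {"nvcpl.dll", "nvmctray.dll", "nwiz.exe", "nerocheck.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O9_RE = re.compile(r"^O9 - .* - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)
SYS32_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)


def split_first(cmd):
    """Split a Run value into (first token, remainder), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end == -1 else (cmd[1:end], cmd[end + 1:].strip())
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def autorun_target(cmd):
    """Return the file a Run value really loads: the exe, or the DLL behind rundll32."""
    tok, rest = split_first(cmd)
    if tok.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        tok = split_first(rest)[0].split(",", 1)[0]
    return tok


@dataclass
class Finding:
    kind: str      # "O4" or "O9"
    line: str
    target: str
    reasons: list


def triage(log_text, known_good=KNOWN_GOOD):
    lines = [l.strip() for l in log_text.splitlines()]
    # The "Running processes" block tells us which flagged files are live now.
    running = {l.lower() for l in lines if PROC_RE.match(l)}
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            target = autorun_target(m["cmd"])
            name = target.rsplit("\\", 1)[-1].lower()
            reasons = []
            if SYS32_RE.match(target) and name not in known_good:
                reasons.append("autorun from System32 with an unrecognised file name")
            if "\\" not in target and name not in known_good:
                reasons.append("unqualified name, resolved through PATH at logon")
            if reasons:
                if m["hive"] == "HKCU":
                    reasons.append("per-user persistence (needs no admin rights to set)")
                if target.lower() in running:
                    reasons.append("process is running now: stop it (or use Safe Mode) before deleting the file")
                findings.append(Finding("O4", line, target, reasons))
            continue
        m = O9_RE.match(line)
        if m and m["target"] == "(no file)":
            findings.append(Finding("O9", line, "(no file)", ["orphaned IE button, safe to remove"]))
    return findings


def flagged_names(log_text):
    """File names of the O4 entries triage() wants a human to look at."""
    return {f.target.rsplit("\\", 1)[-1].lower() for f in triage(log_text) if f.kind == "O4"}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample it lists mswkdks32.exe, utildll.exe and winpack.exe (the entries mechBgon picked out), marks the two HKCU ones as per-user persistence and as currently running (which is why the advice above is to do the cleanup from Safe Mode), and also lists rmctrl.exe, simply because it is not in the toy allowlist; deciding whether a System32 name like that belongs to something you installed is exactly the judgment call the allowlist stands in for.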
marcello (Golden Member, joined Aug 30, 2004)
Thanks a lot to both of you. The HomePortal thing is my internet connection here. Daemon is Daemon Tools, which is a great program used to mount images on your computer instead of burning them.

Anyways, I followed you guys' advice, and it fixed it up. Thanks a lot!! That was extremely frustrating, but now it's fixed :beer::):D:beer:
Jeff7 (Lifer, joined Jan 4, 2001)
http:/// ......ouch.

I say CoolWebSearch has your computer.
Try and run the standalone version of CWShredder

If CWShredder closes right away, download this utility first, to kill CoolWebSearch.SmartKiller. Then try CWShredder again.

Sometimes too, removing CWS will leave your computer unable to connect to the Internet. It's sort of like grabbing a lot of weeds and just ripping them out wholesale: sometimes you pull out some useful material as well, and that can damage the garden. If you have no Internet access after removing CWS, use LSPfix to fix your computer's Winsock LSP chain.