superquestions
my browser was hijacked
1. 0websearch has been set as the start page.
2. I change the start page to about:blank; it changes back to 0websearch after a while.
3. I can't open txt files with Notepad any longer.
4. When I hit CTRL + ALT + DEL, I see "Services" running on the bottom.
5. When I shut down "Services" and run Notepad or try to open a txt file, "Services" runs again.
Logfile of HijackThis v1.97.6
Scan saved at 06:16:04, on 31/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\INETDATA\SERVICES.EXE
C:\PROGRAMAS\HIJACK THIS!\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
F1 - win.ini: run=C:\WINDOWS\INETDATA\SERVICES.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\SYSTEM\ALXTB1.DLL (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARQUIV~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O8 - Extra context menu item: &Google Search - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\ARQUIVOS DE PROGRAMAS\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: Download with GetRight - C:\Programas\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programas\GetRight\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O15 - Trusted Zone: www.mt-download.com
O15 - Trusted Zone: install.xxxtoolbar.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1068806402120
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
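As an added example (not code from the thread), a small Python script that parses lines in the HijackThis format posted above and flags the patterns this log exhibits: a rewritten start page, one executable wired into several autostart locations (win.ini run= plus HKLM and HKCU Run), an orphaned BHO entry and Trusted Zone additions. The sample log is constructed from entries in the posted log; the allowlist of acceptable start pages is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the HijackThis log above (same entries, garbling removed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
F1 - win.ini: run=C:\WINDOWS\INETDATA\SERVICES.EXE
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\SYSTEM\ALXTB1.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETDATA\SERVICES.EXE
O15 - Trusted Zone: install.xxxtoolbar.com
"""

def executable_of(cmd):  # best-effort path of the program a Run / win.ini value launches
    m = re.match(r'"([^"]+)"', cmd)            # quoted path, possibly containing spaces
    if m:
        return m.group(1).lower()
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)   # unquoted path up to its .exe
    if m:
        return m.group(1).lower()
    return cmd.split()[0].lower()              # e.g. "SysTray.Exe", "RunDll32 cmicnfg.cpl,..."

def analyse(log_text, trusted_start_pages=("about:blank",)):  # allowlist is an assumption
    launch_points = defaultdict(set)           # executable -> set of autostart locations
    findings = []
    for line in log_text.splitlines():
        if " - " not in line:                  # headers, process list, blank lines
            continue
        section, payload = line.strip().split(" - ", 1)
        if section == "R0" and "Start Page" in payload:
            url = payload.split("=", 1)[1].strip()
            if url.lower() not in trusted_start_pages:
                findings.append(f"start page set to {url}")
        elif section == "O2" and ("(file missing)" in payload or "(no file)" in payload):
            findings.append(f"orphaned BHO: {payload.split(': ', 1)[1]}")
        elif section == "F1":                  # win.ini run=/load= is rarely legitimate
            m = re.match(r"win\.ini: (run|load)=(.+)", payload)
            if m:
                launch_points[executable_of(m.group(2))].add(f"win.ini {m.group(1)}")
        elif section == "O4":
            m = re.match(r"([^:]+): \[[^\]]*\] (.+)", payload)
            if m:
                launch_points[executable_of(m.group(2))].add(m.group(1))
        elif section == "O15":
            findings.append(f"trusted zone entry: {payload.split(':', 1)[1].strip()}")
    # One binary in several autostart locations is a classic persistence pattern (generic launchers such as rundll32.exe trip this too).
    for exe, where in sorted(launch_points.items()):
        if len(where) > 1:
            findings.append(f"{exe} registered in {len(where)} autostart locations: {sorted(where)}")
    return findings
```

Run `analyse(SAMPLE_LOG)` to see the four findings; feed it the text of a full log to triage it the same way.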
Spywareinfo/~merijn is down 90% of the time.
There's a better mirror here for the link recommended above.
http://www.richardthelionhearted.com/~merijn/winfiles.html
Install Lavasoft.de Ad-Aware SE (it's free). Run a scan and delete the files it finds. Good sites to block the ActiveX controls of a lot of sites and restrict them are the registry files from http://spywareguide.com/blockfile.php (minimal download) and the ie-ads.reg and adult.reg from https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD. These registry files have helped keep me from getting a lot of annoying popups and spyware. Make sure you get the zip file from the bottom of the page.
Install CWShredder and Ad-Aware.
Also try SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
It blocks a lot of browser hijacks.
ASKER
I deleted Notepad again. Can you tell me where to get another Notepad free from "Services"?