# [Solved] Jacked by http://213.159.117.134/index.php



## medassist101 (Aug 6, 2004)

I am sorry to see that I am not the only one who has been jacked by them. However, I hope you all can help.
I have Windows ME. I updated my OS two days ago; funny that it was a few days too late.
Today I downloaded HiJackThis, and this is the scan. (Note: I have checked the boxes containing http://213.159.117.134/index.php, but of course it continues to show its evil face.)

Logfile of HijackThis v1.97.7
Scan saved at 6:09:09 PM, on 8/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\DOWNLOADS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38166.1857407407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

All help is greatly appreciated. I just want to shake this thing. It even has SpyBot S&D and Browser HiJack Blaster programs thinking it is the correct setting for my browser.
Thanks a bunch!


----------



## Styxx (Sep 8, 2001)

Run HJT, click Scan, put checkmarks by the following and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Then close all open programs and restart your computer.


----------



## medassist101 (Aug 6, 2004)

Styxx, OK, now that I did that, do I just go to Tools, Internet Options and change the homepage? The reason I ask is, after the restart, the homepage went back to http://213.159.117.134/index.php.
I think it may be deeper in the system. At the same time I noticed this hijacking, the AVG antivirus detected a Trojan horse Dropper.Small.5.AT, and after I healed this one I opened my browser to http://213.159.117.134/index.php and got another Trojan horse, Downloader.Small.6.1.
So, what else can I supply you with to help?


----------



## Styxx (Sep 8, 2001)

Try the five-day trial via the colored link below.


----------



## medassist101 (Aug 6, 2004)

OK, I have the trial of the BPS Spyware Remover. Here is the log I saved this morning.
http://213.159.117.134/index.php is now the IE default. I am so annoyed.
Can you see anything else that needs fixing?

Running Processes:
-----------------

#1: [KERNEL32.DLL]
File Path: C:\WINDOWS\SYSTEM\KERNEL32.DLL
ProcessID: 4293891357
Priority: High
File Size: 524 KB
Version: 4.90.0.3000
File Version: 4.90.3000
Product Version: 4.90.3000
Copyright: Copyright (C) Microsoft Corp. 1991-2000
Company Name: Microsoft Corporation
File Description: Win32 Kernel core component
Internal Name: KERNEL32
Original Filename: KERNEL32.DLL
Product Name: Microsoft(R) Windows(R) Millennium Operating System
Created on: 6/27/2004 11:32:05 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#2: [KERNEL32.DLL]
File Path: C:\WINDOWS\SYSTEM\KERNEL32.DLL
ProcessID: 4294956029
Priority: Normal
File Size: 524 KB
Version: 4.90.0.3000
File Version: 4.90.3000
Product Version: 4.90.3000
Copyright: Copyright (C) Microsoft Corp. 1991-2000
Company Name: Microsoft Corporation
File Description: Win32 Kernel core component
Internal Name: KERNEL32
Original Filename: KERNEL32.DLL
Product Name: Microsoft(R) Windows(R) Millennium Operating System
Created on: 6/27/2004 11:32:05 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#3: [KERNEL32.DLL]
File Path: C:\WINDOWS\SYSTEM\KERNEL32.DLL
ProcessID: 4294865905
Priority: Normal
File Size: 524 KB
Version: 4.90.0.3000
File Version: 4.90.3000
Product Version: 4.90.3000
Copyright: Copyright (C) Microsoft Corp. 1991-2000
Company Name: Microsoft Corporation
File Description: Win32 Kernel core component
Internal Name: KERNEL32
Original Filename: KERNEL32.DLL
Product Name: Microsoft(R) Windows(R) Millennium Operating System
Created on: 6/27/2004 11:32:05 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#4: [MPREXE.EXE]
File Path: C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID: 4294867405
Priority: Normal
File Size: 28 KB
Version: 4.90.0.3000
File Version: 4.90.3000
Product Version: 4.90.3000
Copyright: Copyright (C) Microsoft Corp. 1993-2000
Company Name: Microsoft Corporation
File Description: WIN32 Network Interface Service Process
Internal Name: MPREXE
Original Filename: MPREXE.EXE
Product Name: Microsoft(R) Windows(R) Millennium Operating System
Created on: 6/27/2004 11:33:39 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#5: [MSTASK.EXE]
File Path: C:\WINDOWS\SYSTEM\MSTASK.EXE
ProcessID: 4294879757
Priority: Normal
File Size: 124 KB
Version: 4.71.1964.1
File Version: 4.71.2721.1
Product Version: 4.71.2721.1
Copyright: Copyright (C) Microsoft Corp. 2000
Company Name: Microsoft Corporation
File Description: Task Scheduler Engine
Internal Name: TaskScheduler
Original Filename: mstask.exe
Product Name: Microsoft® Windows® Task Scheduler
Created on: 6/27/2004 11:33:41 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#6: [AVGSERV9.EXE]
File Path: C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
ProcessID: 4294901641
Priority: Normal
File Size: 20 KB
Version: 6.0.1.374
File Version: 6.0.1.374
Product Version: 6.0.1.374
Copyright: Copyright (c) GRISOFT, s.r.o. 1998-2002
Company Name: GRISOFT, s.r.o
File Description: AvgServ - displays notification message
Internal Name: AvgServ
Original Filename: AvgServ
Product Name: AVG6
Created on: 6/28/2004 12:26:52 AM
Last accessed: 8/8/2004
Last modified: 1/21/2003 6:00:00 AM

#7: [EXPLORER.EXE]
File Path: C:\WINDOWS\EXPLORER.EXE
ProcessID: 4292949317
Priority: Normal
File Size: 220 KB
Version: 5.50.4134.100
File Version: 5.50.4134.100
Product Version: 5.50.4134.100
Copyright: Copyright (C) Microsoft Corp. 1981-2000
Company Name: Microsoft Corporation
File Description: Windows Explorer
Internal Name: explorer
Original Filename: EXPLORER.EXE
Product Name: Microsoft(R) Windows (R) 2000 Operating System
Created on: 6/27/2004 11:24:30 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#8: [TASKMON.EXE]
File Path: C:\WINDOWS\TASKMON.EXE
ProcessID: 4292986725
Priority: Normal
File Size: 28 KB
Version: 4.90.0.3000
File Version: 4.90.3000
Product Version: 4.90.3000
Copyright: Copyright (C) Microsoft Corp. 1998
Company Name: Microsoft Corporation
File Description: Task Monitor
Internal Name: TaskMon
Original Filename: TASKMON.EXE
Product Name: Microsoft(R) Windows(R) Millennium Operating System
Created on: 6/27/2004 11:33:47 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#9: [SYSTRAY.EXE]
File Path: C:\WINDOWS\SYSTEM\SYSTRAY.EXE
ProcessID: 4292879785
Priority: Normal
File Size: 36 KB
Version: 4.90.0.3000
File Version: 4.90.3000
Product Version: 4.90.3000
Copyright: Copyright (C) Microsoft Corp. 1993-2000
Company Name: Microsoft Corporation
File Description: System Tray Applet
Internal Name: SYSTRAY
Original Filename: SYSTRAY.EXE
Product Name: Microsoft(R) Windows(R) Millennium Operating System
Created on: 6/27/2004 11:33:47 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#10: [STMGR.EXE]
File Path: C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
ProcessID: 4292876945
Priority: Normal
File Size: 60 KB
Version: 4.90.0.2533
File Version: 4.90.0.2533
Product Version: 4.90.0.2533
Copyright: Copyright (C) Microsoft Corp. 1981-2000
Company Name: Microsoft Corporation
File Description: Microsoft (R) PC State Manager
Internal Name: StateMgr.exe
Original Filename: StateMgr.exe
Product Name: Microsoft (r) PCHealth
Created on: 6/27/2004 11:33:47 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#11: [AVGCC32.EXE]
File Path: C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
ProcessID: 4292916637
Priority: Normal
File Size: 337 KB
Version: 6.0.0.515
File Version: 6, 0, 0, 515
Product Version: 6, 0, 0, 0
Copyright: Copyright © 2003 GRISOFT s.r.o.
Company Name: GRISOFT s.r.o.
File Description: AVG Control Center
Internal Name: AvgCC32
Original Filename: AvgCC32.EXE
Product Name: AVG Anti-Virus System
Created on: 6/29/2004 9:44:46 PM
Last accessed: 8/8/2004
Last modified: 6/29/2004 9:44:48 PM

#12: [MIXER.EXE]
File Path: C:\WINDOWS\MIXER.EXE
ProcessID: 4294898765
Priority: Normal
File Size: 1776 KB
Version: 1.5.8.0
File Version: 1.58
Product Version: 1.58
Copyright: Copyright (C) 1997-2002
Company Name: C-Media Electronic Inc. (www.cmedia.com.tw)
File Description: Mixer
Internal Name: Mixer
Original Filename: Mixer.EXE
Product Name: Mixer
Created on: 7/3/2004 8:55:17 AM
Last accessed: 8/8/2004
Last modified: 10/15/2002 6:00:20 PM

#13: [HPOOPM07.EXE]
File Path: C:\WINDOWS\SYSTEM\HPOOPM07.EXE
ProcessID: 4292909273
Priority: Normal
File Size: 60 KB
Created on: 7/22/2004 9:45:17 PM
Last accessed: 8/8/2004
Last modified: 1/24/2001 5:16:30 PM

#14: [WMIEXE.EXE]
File Path: C:\WINDOWS\SYSTEM\WMIEXE.EXE
ProcessID: 4292914713
Priority: Normal
File Size: 16 KB
Version: 4.90.2452.0
File Version: 4.90.2452.1
Product Version: 4.90.2452.1
Copyright: Copyright (C) Microsoft Corp. 1981-1999
Company Name: Microsoft Corporation
File Description: WMI service exe housing
Internal Name: wmiexe
Original Filename: wmiexe.exe
Product Name: Microsoft(R) Windows(R) Millennium Operating System
Created on: 6/27/2004 11:33:51 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#15: [HPODEV07.EXE]
File Path: C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
ProcessID: 4292927093
Priority: Normal
File Size: 272 KB
Version: 2.0.0.0
File Version: 2.00
Product Version: A.12.00.16
Copyright: Copyright (C) Hewlett-Packard Co. 1995-2000
Company Name: Hewlett-Packard Co.
File Description: HP OfficeJet COM Device Objects
Internal Name: HPODEV07
Original Filename: HPODEV07.EXE
Product Name: hp psc 700 series
Created on: 7/22/2004 9:44:51 PM
Last accessed: 8/8/2004
Last modified: 1/24/2001 2:29:56 PM

#16: [SPOOL32.EXE]
File Path: C:\WINDOWS\SYSTEM\SPOOL32.EXE
ProcessID: 4293094185
Priority: Normal
File Size: 44 KB
Version: 4.90.0.3000
File Version: 4.90.3000
Product Version: 4.90.3000
Copyright: Copyright (C) Microsoft Corp. 1994 - 1998
Company Name: Microsoft Corporation
File Description: Spooler Sub System Process
Internal Name: spool32
Original Filename: spool32.exe
Product Name: Microsoft(R) Windows(R) Millennium Operating System
Created on: 6/27/2004 11:33:46 PM
Last accessed: 8/8/2004
Last modified: 6/8/2000 5:00:00 PM

#17: [HPOEVM07.EXE]
File Path: C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
ProcessID: 4293023361
Priority: Normal
File Size: 292 KB
Version: 1.0.0.0
File Version: 1.00
Product Version: A.12.00.16
Copyright: Copyright (C) Hewlett-Packard Co. 1995-2000
Company Name: Hewlett-Packard Co.
File Description: HP OfficeJet COM Event Manager
Internal Name: HPOEVM07
Original Filename: HPOEVM07.EXE
Product Name: hp psc 700 series
Created on: 7/22/2004 9:44:52 PM
Last accessed: 8/8/2004
Last modified: 1/24/2001 2:56:12 PM

#18: [HPOSTS07.EXE]
File Path: C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
ProcessID: 4293224473
Priority: Normal
File Size: 136 KB
Version: 1.0.0.0
File Version: 1.00
Product Version: A.12.00.16
Copyright: Copyright (C) Hewlett-Packard Co. 1995-2000
Company Name: Hewlett-Packard Co.
File Description: HP OfficeJet Status
Internal Name: HPOSTS07
Original Filename: HPOCPY07.EXE
Product Name: hp psc 700 series
Created on: 7/22/2004 9:44:53 PM
Last accessed: 8/8/2004
Last modified: 1/24/2001 5:08:42 PM

#19: [DDHELP.EXE]
File Path: C:\WINDOWS\SYSTEM\DDHELP.EXE
ProcessID: 4293150565
Priority: Real Time
File Size: 31 KB
Version: 4.8.1.881
File Version: 4.08.01.0881
Product Version: 4.08.01.0881
Copyright: Copyright © Microsoft Corp. 1994-2001
Company Name: Microsoft Corporation
File Description: Microsoft DirectX Helper
Internal Name: DDHelp.exe
Original Filename: DDHelp.exe
Product Name: Microsoft® DirectX for Windows® 95 and 98
Created on: 6/29/2004 8:00:55 PM
Last accessed: 8/8/2004
Last modified: 10/30/2001 8:10:00 AM

#20: [HIJACK.EXE]
File Path: C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\HS\HIJACK.EXE
ProcessID: 4293273449
Priority: Normal
File Size: 392 KB
Version: 2.0.0.0
File Version: 2, 0, 0, 0
Product Version: 2, 0, 0, 0
Copyright: Copyright (C) 2003
Company Name: ,
File Description: HiJack MFC Application
Internal Name: System Hijack Scanner
Original Filename: HiJack.EXE
Product Name: System Hijack Scanner
Created on: 4/26/2004 8:34:14 PM
Last accessed: 8/8/2004
Last modified: 4/26/2004 8:34:14 PM

System Hijack Scanner Entries:
---------------

R0 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page=http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page=http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main, Local Page=http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main, Local Page=http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Default_page_url=http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Default_page_url=http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Default_search_url=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - ToolBar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O3 - ToolBar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe (file missing)
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s (file missing)
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup (file missing)
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme (file missing)
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe (file missing)
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Start Up: C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
O4 - Start Up: C:\WINDOWS\Start Menu\Programs\StartUp\HPAiODevice.lnk
O5 - control.ini [don't load]: snd.cpl=no
O5 - control.ini [don't load]: joystick.cpl=no
O5 - control.ini [don't load]: midimap.drv=no
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions Present
O9 - Extra Button: Related - (HKLM) - {c95fe080-8f5d-11d2-a20b-00aa003c157a}
O9 - Extra Tools Menu Item: Show &Related Links - (HKLM) - {c95fe080-8f5d-11d2-a20b-00aa003c157a}
O14 - iereset.inf: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"
O14 - iereset.inf: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38166.1857407407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} ((no name)) - (no file)
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM\ITSS.DLL
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM\ITSS.DLL
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\SYSTEM\INETCOMM.DLL
O18 - Protocol: ndwiat - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SYSTEM\WIASCR.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\SYSTEM\MSDXM.OCX


----------



## Styxx (Sep 8, 2001)

Remove all the spyware BPS finds. Run another HJT log, ok?


----------



## medassist101 (Aug 6, 2004)

I ran the BPS and the only spyware it found this time was cookies... which you can expect from surfing... however, when I clicked on IE and dialed up tonight I let the site load this time and then clicked on the link in my Favorites to get to this site. Curious as to the name of that site, I checked out my History. I found something out. The page has an .exe. This is the name of it. (Don't click here.) http://213.159.117.150/iex/doit.cgi?s=1753350144&xdat=&url=http://213.159.117.150:80/dexUS10.exe
Another funny thing. I have two hard drives, C has 7 gig and D has 3. D doesn't show up in Windows; in fact it doesn't show in the BIOS when it loads either. Well, I downloaded HiJackThis into D so I can't run it right now. I will soon. Please have a little patience.
I really appreciate the help you're giving me.


----------



## medassist101 (Aug 6, 2004)

P.S. I think I got the updated version of HiJackThis.

Logfile of HijackThis v1.98.2
Scan saved at 1:49:18 AM, on 8/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O21 - SSODL: System - {15D1E879-9D47-472D-810C-09144F71DB01} - C:\WINDOWS\system32\system32.dll


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

*Close all applications and browser windows before you click "fix checked".*

Reboot and post another log.


----------



## medassist101 (Aug 6, 2004)

Logfile of HijackThis v1.98.2
Scan saved at 5:20:52 PM, on 8/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O21 - SSODL: System - {15D1E879-9D47-472D-810C-09144F71DB01} - C:\WINDOWS\system32\system32.dll


----------



## medassist101 (Aug 6, 2004)

It just keeps coming back.
What now???


----------



## bandit429 (Feb 12, 2002)

Hi, I think I will get that link and remove it, then tell ya how. Please be patient as it could take a while.


----------



## bandit429 (Feb 12, 2002)

Go to Add/Remove Programs, remove anything that says websearch or anything you don't recognise that you installed, then fix all these again:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

plus this one

O21 - SSODL: System - {15D1E879-9D47-472D-810C-09144F71DB01} - C:\WINDOWS\system32\system32.dll

Restart and post another one please. Oh, and be prepared to reset your homepage in Internet Options. I usually type google.com to get a page to come up.


----------



## medassist101 (Aug 6, 2004)

Here is what is in Add/Remove.
Adobe Reader 6.0.1
Ashes to ashes (this is a CD game)
AVG 6.0 Anti Virus Free Edition
Barbie(R) as Princess Bride (TM) (this is a cd game)
BPS Spyware-Adware remover 8.2.0.10
CyberScrub
Fax Talk Communicator 4.5 (utility that came with my modem)
Hot Shots Hippo Hop (this is a cd game)
hp psc 700 series (for HP printer)
ICQ Lite
Internet Explorer Q867801 
Irfan View (remove only) (my picture viewer)
Microsoft Data Access Components KB870669
Microsoft FrontPage 2000
Microsoft Image Composer 1.5
Microsoft Internet Explorer 6 SP1 and Internet tools
Microsoft Office 2000 Small Business
Microsoft Outlook Express 6
Microsoft web publishing wizard 1.6
NTI CD Maker 2000 Plus 
Outlook Express Q823353
PCI Audio Driver
Pokemon Play It! v2 (cd game)
SiS multimedia V1.08e
Tonka Search and Rescue (cd game)
Webshots Desktop
Windows Millennium Edition Q823559
WinZip
WinZip self extractor

Nothing unusual to me, but I don't know.

And guess what?
You're not gonna like this. Here is my HJT log.
P.S. I did what you said to do. Except the Add Remove.
Logfile of HijackThis v1.98.2
Scan saved at 7:37:13 PM, on 8/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


----------



## cybertech (Apr 16, 2002)

bandit429, CWshredder? Even though it's not on the CWS list??


----------



## cybertech (Apr 16, 2002)

I would like to have heard from Bandit but running shredder isn't going to hurt anything so...

Click on the link below to download CWshredder.
http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Run the program and let it do its thing. Make sure to click on *"Fix"* and not scan only.

Reboot and let us hear back from you.

Oh and BTW I'll close your new thread. If you feel ignored just reply to this one and state *bump*


----------



## bandit429 (Feb 12, 2002)

Yeah, I agree. I tried to go and get it and couldn't. I'm baffled. I'm sorry I did not get the notification till after you posted, Cybertech. I don't have many to keep up with. I just didn't get it in my user panel or through MSN.


----------



## cybertech (Apr 16, 2002)

Thanks bandit I know we all get busy and I appreciate your input!


----------



## KHolloman (Jul 22, 2004)

Remove the following and then clean out cookies and temp files and reboot. Check in program files and windows and look for any suspicious files or folders.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)


----------



## medassist101 (Aug 6, 2004)

Bandit, Cybertech, thank you.
But last night, after I did what you said, I went to the IE properties and changed the homepage to Google one last time and shut down.
This morning, and ever since, IE loads Google.
No more does the http://213.159.117.134/index.php come up. 
I hope it never comes back, but if it ever does I'll know where to come.
I hope I didn't create too much head scratching!!!
I think what finally did it was clicking this "HiJackThis" box:

O21 - SSODL: System - {15D1E879-9D47-472D-810C-09144F71DB01} - C:\WINDOWS\system32\system32.dll

I will however download the CWshredder. What could it hurt?
Anyway here is my HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 9:08:09 PM, on 8/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPODEV07.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PSC 700 SERIES\BIN\HPOSTS07.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


----------
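The two things the thread converges on are the R0/R1 start-page values and the O21 SSODL entry. SSODL (ShellServiceObjectDelayLoad) objects are COM DLLs that Explorer loads at every logon, so a hijacker living there can keep rewriting the start-page values; that matches the outcome above, where the R entries only stayed fixed once the O21 entry was removed. The Python script below is added here as an example; it is not part of any post and not part of HijackThis itself. It parses those two HJT line types and flags them using two heuristics that are this script's own assumptions, not rules stated on the page: a start page whose host is a bare IP address (or is on a caller-supplied indicator list), and an SSODL DLL loaded from outside the platform's system directory (C:\WINDOWS\SYSTEM on Windows 9x/ME, which has no system32 folder). The sample lines are taken from the logs above, plus one constructed benign WebCheck entry for contrast.

```python
"""Triage HijackThis R0/R1 and O21 (SSODL) lines for browser-hijack indicators.

Added example for this thread; not part of HijackThis or of any post above.
Heuristics (assumptions of this script, not rules from the thread):
  * a Start/Default/Local page whose host is a bare IPv4 address, or is on a
    caller-supplied indicator list, is flagged;
  * an SSODL DLL that does not live in the platform's system directory is
    flagged.  On Win9x/ME that directory is C:\\WINDOWS\\SYSTEM.
"""
import re
from urllib.parse import urlsplit

# "R0 - HKCU\Software\...\Main,Start Page = http://..."
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM))\\(.+?),([^=]+?) = (.*)$")
# "O21 - SSODL: Name - {CLSID} - C:\path\to.dll [(file missing)]"
O21_LINE = re.compile(
    r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)(?: \(file missing\))?$"
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_of(url):
    """Hostname of a start-page value; HJT prints some without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def parse_r_entry(line):
    m = R_LINE.match(line)
    if not m:
        return None
    kind, hive, key, value, data = m.groups()
    return {"type": kind, "hive": hive, "key": key, "value": value, "url": data.strip()}


def parse_o21_entry(line):
    m = O21_LINE.match(line)
    if not m:
        return None
    name, clsid, path = m.groups()
    return {"name": name, "clsid": clsid.upper(), "path": path.strip()}


def start_page_reason(entry, indicators=()):
    """Return why an R entry is suspicious, or None if it looks ordinary."""
    host = host_of(entry["url"])
    if host in {h.lower() for h in indicators}:
        return "start page points at a known hijack host"
    if IPV4.match(host):
        return "start page is a bare IP address"
    return None


def ssodl_reason(entry, system_dir):
    """Flag an SSODL DLL that is not loaded from the platform's system dir."""
    dll_dir, _, _dll_name = entry["path"].rpartition("\\")
    if dll_dir.lower() != system_dir.lower():
        return f"SSODL object loaded from outside {system_dir}"
    return None


def triage(log_text, system_dir=r"C:\WINDOWS\SYSTEM", indicators=()):
    """Scan HJT log text; return [(line, reason)] for flagged R0/R1/O21 lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        r = parse_r_entry(line)
        if r:
            why = start_page_reason(r, indicators)
            if why:
                findings.append((line, why))
            continue
        o = parse_o21_entry(line)
        if o:
            why = ssodl_reason(o, system_dir)
            if why:
                findings.append((line, why))
    return findings


# Sample input: lines from the logs in this thread, plus one constructed
# benign WebCheck SSODL entry (the stock Windows shell service object).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O21 - SSODL: System - {15D1E879-9D47-472D-810C-09144F71DB01} - C:\WINDOWS\system32\system32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\SYSTEM\WEBCHECK.DLL
"""

if __name__ == "__main__":
    for flagged_line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {flagged_line}")
```

Run it as-is to see the six start-page values and the one SSODL loader from the thread flagged, with the Yahoo search bar and the WebCheck entry left alone. Fixing only the R lines is the step that did not stick in this thread; the O21 line is the one a triage like this should make the user look at first.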



## bandit429 (Feb 12, 2002)

Woooooooooooohoooooooooooooooooooooooooo


----------

