  1. #1 Member, Austin, Texas (joined Aug 2004)

    "heretofind" hijacker

    Guru(s),

    Is there anything I can do here? I was hit yesterday by the "heretofind" startup page hijacker. Following Steamwiz's advice on another thread, I was able to go into Safe Mode and utilize HijackThis with apparent success at first, but the problem returned again today. I removed it a 2nd time, ran Lspfix (results?) and am essentially waiting for its return.

    Is there a proactive step, or must I react only when "heretofind" returns?

    THX, -JR

  2. #2 Member (joined Jan 2003)

    Lspfix only comes into play if you lose your internet connection after you remove some programs.

    Suggest that you follow all these:


    Run all the programs HERE <<<< click here

    After you have done all the above, post another HJT log to THIS PAGE by using the Post Reply button at the bottom of this page.
    PLEASE DO NOT start a new topic.

    If you have already run these programs then please post back and let us know.

    Also please bear in mind that your log may only be answered between 20.00 GMT and 00.00 GMT ... this is when I am on-line in the UK.

    Cheers

  3. #3 steamwiz, Yorkshire U.K. (joined Sep 2003)

    Hi

    Thanks for starting your own thread ... as I said, the Lspfix post was not meant for you (but it won't do any harm that you ran it).

    There's more than one way to fix most problems. By doing what you did in Safe Mode, it may never return, but you still have certain files on your computer (even though they are benign).

    If you want to remove the rest of it and be sure it has all gone please do this :-

    Download the pv.zip file from here :-

    http://forums.techguy.org/attachment...chmentid=38066

    unzip it to the desktop.

    Be sure to have at least 1 internet explorer window open.

    Double click on the runme.bat

    This will open a command window. In the command window enter the digit 2 by hitting the 2 key on your keyboard and then hit the Enter key.

    Notepad will open with a log in it. Please copy and paste the log into this thread.


    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4 Member, Austin, Texas (joined Aug 2004)

    Basementgeek,

    It's quite late for me now, but if the HJT log tells you anything, here it is:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:58:58 PM, on 8/27/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\My Downloads\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O9 - Extra button: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file) (HKCU)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    For the time being, the hijacker is gone, although it has come back after running HJT once before. I also ran PandaScan and the others you recommended. Ad-Aware returned no persistent issues when it was run following HJT. That was not the case when I first ran it prior to running HJT. I'll post again if things deteriorate.

    P.S. Steamwiz: Tomorrow, I'll check out your latest...for now, I've got to call it a day.

    I do appreciate the help! -JR

  5. #5 Member, Austin, Texas (joined Aug 2004)

    One more thing: as you probably have already realized, I inadvertently ran the HJT log AFTER deleting troublesome lines ... hope I got them all!

    Ciao, JR

  6. #6 steamwiz, Yorkshire U.K. (joined Sep 2003)

    Hi

    Fix these entries with hijackthis :-

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O9 - Extra button: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file)

    O9 - Extra button: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file) (HKCU)


    Reboot

    Seeing these entries ("O9 - Extra button: Corel Network monitor worker") leads me to believe you could have another .exe file in your system32 folder ... if you post that pv log file, we should be able to get its name.

    cheers

    steam
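    The two kinds of entries steam singles out above (R0/R1 start/search settings pointing at a host the user does not recognise, and O2/O9 entries ending in "(no file)", i.e. a registry reference to a component whose DLL is already gone) can be picked out of an HJT log mechanically. This is an added example for triaging such a log, not code from this thread or from HijackThis; the sample lines are constructed from the format quoted above, and TRUSTED_HOSTS is an assumption about what the user's own homepage/search hosts are.

    ```python
    import re

    # Constructed sample in HijackThis log format, modelled on the entries
    # quoted in this thread (not a complete log).
    SAMPLE_LOG = """\
    R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = www.google.com
    R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O9 - Extra button: Corel Network monitor worker - {40228CFD-3FEE-4FB6-BFD2-2DF6B8C79681} - (no file) (HKCU)
    O4 - HKLM\\..\\Run: [LXSUPMON] C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN
    """

    # Assumption: hosts the user recognises as their own homepage/search settings.
    TRUSTED_HOSTS = {"www.google.com", "www.yahoo.com"}

    ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
    CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

    def host_of(url):
        """Return the host part of a URL-ish value (scheme optional)."""
        return re.sub(r"^[a-z]+://", "", url.strip(), flags=re.I).split("/")[0].lower()

    def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
        """Return (line, reason) pairs for entries that deserve a closer look."""
        findings = []
        for line in log_text.splitlines():
            m = ENTRY_RE.match(line)
            if not m:
                continue  # process list, headers, blank lines
            sec, body = m.group("sec"), m.group("body")
            # R0/R1: IE start page / search URL set to a host we don't recognise.
            if sec in ("R0", "R1") and "=" in body:
                host = host_of(body.split("=", 1)[1])
                if host not in trusted_hosts:
                    findings.append((line, f"{sec} points at unrecognised host {host}"))
            # O2/O9 etc.: registered COM object whose file is missing, the
            # leftover of a component that was deleted but not unregistered.
            elif "(no file)" in body:
                clsid = CLSID_RE.search(body)
                findings.append((line, f"orphaned {sec} entry for CLSID {clsid.group(0) if clsid else '?'}"))
        return findings
    ```
    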

  7. #7 Member, Austin, Texas (joined Aug 2004)

    missed .exe files

    Steam,

    Thanks, I'll delete the aforementioned lines. I'm not at the affected computer now, but I will be in a bit, and will post results afterward.

    -JungleRudy

  8. #8 Member, Austin, Texas (joined Aug 2004)

    pv log won't display

    Steam,

    Per your instructions in Post #3:

    The log Notepad pops up blank, and when I select the pv log, all information disappears before I can even read any of it.
    (This bugger is really sinister! :twisted: )

    Is there a way around this?

    Regards, JungleRudy

  9. #9 Member, Austin, Texas (joined Aug 2004)

    partial pv log

    Steam, et al,

    This is all the pv log I could read before it clears out.

    'pv.exe' is not recognized as an internal or external command,
    operable program or batch file.
    Starting an Internet Explorer.


    {At this point, more text appears in the log, but it's way too quick and it clears out.}

  10. #10 steamwiz, Yorkshire U.K. (joined Sep 2003)

    Hi

    Don't double click the pv.exe ... you should be double clicking the runme.bat file ... this is what you need to do :-

    1. download zip file
    2. open zip (gives you a pv folder)
    3. open folder (you should have 8 assorted files)
    4. Double click on the runme.bat
    5. an ms-dos page will open ... giving options 1 - 7 and E (exit)
    6. press 2 on your keyboard, followed by Enter ... sit back and wait (this may take a couple of minutes to scan your computer and compile the log.txt file)
    7. a log.txt file will pop up in notepad
    8. copy and paste the log here

    Follow these instructions exactly and you should get something like this:

    This is my pv log :-



    Press E and the program will exit

    steam
