
Links on Pages don't work after home page hi-jacking 2

Status
Not open for further replies.

wwwwill

Programmer
Jan 13, 2003
18
US
Hello,

I recently got a popup from some website that "checked my computers security." It opened my CD-drive and hi-jacked my home page. I don't remember the name of the site... something like "sspy" or "pcspy". Anyway, now it seems that links on web pages don't work all the time. The address bar of IE works - I can go to websites -- but I can't seem to do a google search and links don't seem to work like they used to when I get to the target page. Any ideas?

Thanks,

r
 
Download Hijack This! from this link, scan your pc, and post your log back here in its entirety:


"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
It appears that Google won't work... I type in a search and hit enter or Go and nothing happens. Also tried hotbot -- the search didn't work either. I wonder if some setting got changed. Other than that it works fine, urls in the address bar take me to wherever. I did uninstall google's toolbar, that wouldn't work. I plan on reinstalling it tonight. What sort of things would you expect to find if it is a malware problem?
Gracias...
Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 10:15:34 PM, on 2/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Juno6\zCast.exe
C:\Program Files\Juno6\chkras.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Download\unzipper\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{112B511F-1223-4060-97FF-551CF123221C}: Domain = LARSUM
O17 - HKLM\System\CCS\Services\Tcpip\..\{112B511F-1223-4060-97FF-551CF123221C}: NameServer = 168.192.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA480A49-6967-451E-8EE2-6492DD5E584B}: NameServer = 64.136.20.121 64.136.20.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{112B511F-1223-4060-97FF-551CF123221C}: Domain = LARSUM
O17 - HKLM\System\CS1\Services\Tcpip\..\{112B511F-1223-4060-97FF-551CF123221C}: NameServer = 168.192.0.1
 
Sounds like your hosts file has been hijacked.

If you 'ping' do you get 216.239.41.104 (or similar) or do you get 127.0.0.1 (AKA loopback = self contained internal circular path).

If you get the latter, edit your hosts file by searching for each search engine entry such as 'google'. Either disable (comment out) or remove the line item(s) in question.

There are tools such as SpyBot Immunize that allow 'Lock Hosts file read-only as protection against hijackers'.
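A small checker for the hosts-file hijack described above, added here as an example and not part of the thread or of any tool it mentions. It parses a hosts file, flags any name other than localhost that is sent to loopback, flags a localhost line that does not point at loopback, and flags overrides of a small assumed watch list of search-engine names; the sample file content is constructed.

```python
import ipaddress
import re

# Constructed sample hosts file: one legitimate loopback line and two
# injected redirects of the kind that break search-engine links.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.google.com      # injected: search engine sent to loopback
216.239.41.104  www.hotbot.com      # injected: hotbot pointed at another site
"""

# Names that should never be overridden locally (assumed watch list).
WATCHED = {"www.google.com", "google.com", "www.hotbot.com", "hotbot.com"}

LINE_RE = re.compile(r"^([0-9a-fA-F.:]+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Return (ip, hostname) pairs; one line may list several names."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        entries.extend((ip, name.lower()) for name in names.split())
    return entries


def suspicious_entries(text):
    """Return (ip, host, reason) for entries that look like a hijack."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "unparseable address"))
            continue
        if host in ("localhost", "localhost.localdomain"):
            # The only name that belongs on a loopback address.
            if not addr.is_loopback:
                findings.append((ip, host, "localhost not on loopback"))
        elif addr.is_loopback:
            findings.append((ip, host, "public name mapped to loopback"))
        elif host in WATCHED:
            findings.append((ip, host, "watched name overridden"))
    return findings
```

Run it against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) by reading that file into `suspicious_entries`; an empty result means the hosts file is not the cause.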
 

delete these two

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

I'm not sure about this one , did a google and returned nothing, do you know what it is?

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe

wait and see what others can see in your hijack this log

pech
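An added example (not from the thread and not HijackThis code) that does the triage pech did by hand: it reads HijackThis-format lines, lists the O2 BHO entries whose DLL is "(no file)" and therefore load nothing, and collects the DNS servers from the O17 lines so they can be checked against what the ISP or router should have set. The log excerpt is constructed from the same entry format as the log above.

```python
import re

# Constructed excerpt in HijackThis v1.97 line format, modelled on the log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{112B511F-1223-4060-97FF-551CF123221C}: NameServer = 168.192.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA480A49-6967-451E-8EE2-6492DD5E584B}: NameServer = 64.136.20.121 64.136.20.133
"""

# O2 line: name, {CLSID}, then the DLL path or "(no file)".
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O17 line: per-interface registry key, then one or more DNS addresses.
DNS_RE = re.compile(r"^O17 - .*?: NameServer = (.*)$")


def orphaned_bhos(text):
    """CLSIDs of BHO entries whose DLL is gone ('(no file)'): registry
    residue with nothing to load, which is why they are safe to remove."""
    found = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m.group(3).strip().lower() == "(no file)":
            found.append(m.group(2))
    return found


def name_servers(text):
    """Every DNS server address the O17 lines configure, in log order, so
    they can be compared with the addresses the ISP or router should set."""
    servers = []
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            servers.extend(m.group(1).split())
    return servers
```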
 
igfxtray.exe allows for control panel access via a SysTray icon. It's legit.
I see little in this log other than two "empty" BHO entries.
I'd have a look at the HOSTS file, though it should be showing here.


"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
How do I view the "HOSTS file" ?
 
Start > Find > Files or Folders > hosts

You want the one with no file extension. Open it with wordpad or notepad. If there are entries in it for sites you're having problems with, remove them. If you need more help, post the contents of the file back here and someone will advise.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
I found nothing that looked suspicious in the HOSTS file. There was: localhost 123.0.0.1

and that was all. I do appreciate your help, carr, pechengs and vops... excellent. I'll reinstall google tool bar and see how it goes.

peace,

r
 
Do you run SpyBot and/or Adaware to help neutralize spyware and other malware? This would help ensure that you have your basics covered.
 
Yes, I use spybot and am going to install Adaware also. I'll check out the other progs ya'll recommend. Have a great weekend and thanks again.

peace,

r
 