Hi there,
Opened an email with a codec to view a video and have been infected by a virus.
When I start IE the home page is directed to iehomepages.com and warnings appear concerning virus and hijackers.
Also has loaded a toolbar under my google.
Need help
below is my hijackthis log.
Thanks,
Milmosmic
Logfile of HijackThis v1.99.1
Scan saved at 18:56:37, on 19/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Inner Range\InsightDemo\IRPnlServerDemo.exe
C:\Program Files\PowerCodec\isamonitor.exe
C:\Program Files\PowerCodec\pmsngr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PowerCodec\pmmon.exe
C:\Program Files\PowerCodec\isamini.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Paradox Security Systems\NEware DEMO\DBServer\NxServer.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\Go ogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\Q3IZ6XA3\hijackthis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Overture - Search Performance
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Overture - Search Performance
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Program Files\PowerCodec\isaddon.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Protection Bar - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - C:\Program Files\PowerCodec\iesplugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\Go ogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZRxdm428YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q305&bd=presar io&pf=laptop
O16 - DPF: ServerPushBox - http://219.84.24.109/servp14.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/bar...webinstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} (WebDvr3 Class) - http://125.7.210.132/WebDvr3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {F92211F4-3913-4DC2-A275-756374D848B0} (ERViewerOCX Control) - http://208.50.31.213/MP4DVR.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IRDBDemo - Inner Range Pty Ltd - C:\Program Files\Inner Range\InsightDemo\IRDBServerDemo.exe
O23 - Service: IRPnlServerDemo - Inner Range Pty Ltd - C:\Program Files\Inner Range\InsightDemo\IRPnlServerDemo.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NEware Database Server (16900) (NEwareDBServer_16900) - Unknown owner - C:\Program Files\Paradox Security Systems\NEware DEMO\DBServer\NxServer.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
EDIT: This isn't Milmosmic, it's my Dad on his computer.
 |
 |
 |
 |
|
|||||||
| Anti-Virus - iehomepages hijack virus posted in the Security & Safety forums; Hi there, Opened an email with a codec to view a video and have been infected by a virus. When I start IE the home page is directed to iehomepages.com ... |
|
10-19-2006
|
#1 |
|
Bronze Member
 Join Date: Aug 2006
Posts: 31
|
iehomepages hijack virus
Last edited by Milmosmic; 10-19-2006 at 10:16 AM. |
|
|
| Advertisement - Register to Remove | |
|
|
10-19-2006
|
#2 |
|
Elite Member
 Join Date: May 2006
Location: New Brunswick,Canada
Posts: 625
|
hey milmosmic,
could you also post a avgas log from the prework and also post another hijackthis log after you have scanned with avgas and the security team will take a look at them shortly edit:sorry forgot to mention that you can find a link to the prework in my signature thanks genie3251 Last edited by genie3251; 10-19-2006 at 10:58 AM. |
|
|
|
|
10-19-2006
|
#3 |
|
Bronze Member
Join Date: Aug 2006
Posts: 31
|
iehomepage problem
Hi Genie3521,
Thanks for the reply. Scanned as requested AVG found 2 hits which PCILLIN missed. below is a copy of the log file. Thanks again history> <!-- 01c6f3c2296e3050 --> <rec time="2006/10/19 20:06:37" user="SYSTEM" source="Update"> <value>@HL_UpdateOK</value> <attr name="version">avi:820-818;iavi:495-488;</attr> </rec> <rec time="2006/10/19 20:07:16" user="Christopher" source="General"> <value>@HL_TestStarted</value> <attr name="testname">@TestName_02</attr> </rec> <rec time="2006/10/19 20:49:48" user="Christopher" source="Virus"> <value>@HL_ReportFind</value> <attr name="where">C:\Program Files\PowerCodec\isamonitor.exe</attr> <attr name="type">@EID_Id_trj</attr> <attr name="what">Puper.DI</attr> </rec> <rec time="2006/10/19 20:49:49" user="Christopher" source="Virus"> <value>@HL_ReportFind</value> <attr name="where">C:\Program Files\PowerCodec\pmmon.exe</attr> <attr name="type">@EID_Id_trj</attr> <attr name="what">Generic2.EWS</attr> </rec> <rec time="2006/10/19 21:04:27" user="Christopher" source="General"> <value>@HL_TestEnded</value> <attr name="testname">@TestName_02</attr> <attr name="infectedfiles">2</attr> </rec> <rec time="2006/10/19 21:04:28" user="Christopher" source="Virus"> <value>@HL_ActionTakenRestartRequired</value> <attr name="filename">C:\Program Files\PowerCodec\isamonitor.exe</attr> <attr name="action">@HL_ActCleaned</attr> </rec> <rec time="2006/10/19 21:04:28" user="Christopher" source="Virus"> <value>@HL_ActionTakenRestartRequired</value> <attr name="filename">C:\Program Files\PowerCodec\pmmon.exe</attr> <attr name="action">@HL_ActCleaned</attr> </rec> <rec time="2006/10/19 21:14:54" user="Christopher" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\Program Files\PowerCodec\isamonitor.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Puper.DI</attr> </rec> <rec time="2006/10/19 21:17:18" user="Christopher" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\Program Files\PowerCodec\pmmon.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic2.EWS</attr> </rec> <rec time="2006/10/19 21:25:55" user="SYSTEM" source="Update"> <value>@HL_UpdateOK</value> <attr name="version">avi:821-820;iavi:496-495;</attr> </rec> </history> |
|
|
|
|
10-19-2006
|
#4 |
|
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,025
|
Hya "dad of Milmosmic", welcome to PCHF aswell.
 Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please reboot your computer in Safe Mode. (hit f8 before Windows loads when booting up) Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log. The report can also be found at the root of the system drive, usually at C:\rapport.txt
__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -  - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - |
|
|
|
|
10-21-2006
|
#5 |
|
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,025
|
__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! - - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - |
|
|
|
|
| Bookmarks |
| Tags |
| hijack, iehomepages, virus |
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
