internet browser been hijack ><" , guidance to evaluate the log file?

JLee10
My Internet Explorer has been hijacked after installing some software from a Chinese website~~ (http://192.168.123.254/block.htm - but I blocked it in my router)

I used HijackThis to produce the log file, but I have no idea what the log is all about @_@

May I know which ones need to be fixed?
.........................................

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:20 AM, on 11/2/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENMY/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENMY/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENMY/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - (no file)
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://vs.comm.soft.iwate-pu.ac.jp/kxhcm10.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-my/wlscctrl2.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://supportapj.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14879 bytes


.........................................
*In the meantime, can anyone teach me some basics on how to evaluate the log file? If this happens again, I can fix it myself.

Thanks a lot T_T
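As an added illustration of how a first pass over a HijackThis log can be automated (this is not the poster's code and not part of the original thread), the script below applies the two checks a reviewer makes first when reading such a log: R0/R1 browser start/search page values that point outside a small set of trusted domains, and registrations HijackThis marks as "(no file)" or "(file missing)". The sample input is constructed for the example: most lines are copied from the log above, and one HKCU Start Page line pointing at the redirect target mentioned later in the thread is added so the check has something to flag. The trusted-domain list is an assumption and should be adjusted to the machine's known configuration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log above, plus one
# constructed HKCU Start Page line pointing at the redirect target the thread
# mentions, so that the page check has something to flag.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\taskeng.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENMY/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.83027.com/
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
"""

# Hosts the analyst expects as IE start/search pages. This allow-list is an
# assumption for the example; adjust it to the machine's known configuration.
TRUSTED_PAGE_DOMAINS = ("microsoft.com", "msn.com", "google.com", "live.com")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
PAGE_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")


def domain_trusted(url: str) -> bool:
    """True when the URL's host is one of the trusted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_PAGE_DOMAINS)


def triage(log_text: str) -> list:
    """Return (section, reason, line) for every entry that deserves a second look.

    Two checks only: orphaned registrations (HijackThis prints '(no file)' or
    '(file missing)') and R0/R1 browser page values that point outside the
    trusted domains. Everything else is left to the reader's judgement.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list and blanks carry no R/O entry
        section, body = m.group("section"), m.group("body")
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((section, "registration points at a missing file", line))
        elif section in ("R0", "R1"):
            pm = PAGE_RE.match(body)
            value = pm.group("value") if pm else ""
            # Empty values (e.g. "SearchAssistant =") are normal on a clean system.
            if value.startswith("http") and not domain_trusted(value):
                findings.append((section, "start/search page set to an untrusted host", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the full log in the post, this flags the McAfee BHO, Anti-Phishing button and the two McAfee services as stale leftovers, and nothing in the R0/R1 section, which is consistent with seanferd's later reading that the page settings themselves look clean. A flagged line is a candidate for a closer look, not proof of infection: stale entries are usually just an incomplete uninstall.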
    0 Votes
    oldbaritone

    I see you have AVG security toolbar. Is AVG still installed?

    Suggestion 1 - Have you updated AVG and run a full scan lately? That would be a good place to start.

    There are several viruses (like rootkits) that can be very pervasive. It takes a lot to get rid of them, and if you're a novice it will be very difficult.

    Suggestion 2 - try repairing Windows from the original CD.

    Suggestion 3 - back up all of your personal data, then wipe and reinstall Windows.

    Suggestion 4 - if the virus still comes back (some rootkits install into BIOS) take the system in for professional help.

    0 Votes
    JLee10

    Actually it only hijacks my IE.

    Maybe it does something in the background, but I didn't notice anything else other than it redirecting me to another homepage~~

    I had done a full scan with AVG, Ad-Aware and Spybot-Search&Destroy~~ removed all the threats that appeared~~

    But I still can't get back my homepage =="

    0 Votes
    seanferd

    The settings are right in Internet Explorer → Tools. (Same as the Internet control panel icon, or right-clicking the big blue e and selecting Properties.)

    Or are you saying that you cannot set this? Or do you mean that you cannot get to the website you normally have set as your home page by any means?

    I don't see any bad BHOs, although the McAfee one is broken - was it uninstalled?

    Otherwise, manually check the HOSTS file in your equivalent directory to
    C:\WINNT\system32\drivers\etc
    and see if anything you don't already know about is pointing anywhere but nirvana (127.0.0.1). Remove the entry or point it to nirvana.

    0 Votes
    lzhengtzer87

    The homepage is correctly set to Google.

    Just when I open IE, it directs me to "http://www.83027.com/"

    ""
    Otherwise, manually check the HOSTS file in your equivalent directory to
    C:\WINNT\system32\drivers\etc
    and see if anything you don't already know about is pointing anywhere but nirvana (127.0.0.1). Remove the entry or point it to nirvana. ""

    What is this? LOL, sorry, can you give me some basic guidance?

    0 Votes
    seanferd

    You need to open your HOSTS file in a text editor, and see what is inside it.

    It is located in a directory
    \system32\drivers\etc
    in your Windows directory.

    The standard HOSTS file looks like this:
    ____________________________________
    # Copyright (c) 1993-1999 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost
    _______________________________________

    If there are any further entries in this file, and they don't have 127.0.0.1 as the IP address in the entry, delete them.

    edit:
    Have you run any malware tools at all? Hijack This is great, but it just generates a log.
    Try http://malwarebytes.org , download the free version and install it. Update it if it does not do so automatically. Turn off System Restore. Boot into Safe Mode. Run the MBAM application and let it clean up anything. Run it again until nothing is found.

    -- Reviewing previous posts, I see you have run some tools, but do try this one. I'm betting that the problem is in the HOSTS file, though, mapping Google to the IP address for 83027.com.

    edit 2:
    These may or may not be a problem:
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    That is a generic Windows process which usually does not run all the time. Since I cannot see which DLL files are being run, I can't say one way or the other, but I would check them.
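
The HOSTS check seanferd describes above, as an added example that is not part of the thread and not the poster's or seanferd's code: parse the file the way Windows reads it (a '#' starts a comment, which may follow a mapping; one line may map several names to one address), report every mapping whose address is not this machine, and produce a cleaned copy with only those lines removed. The sample HOSTS content is constructed for the example: the stock Microsoft header, the two loopback entries from the poster's file, two Spybot-style block entries, and one constructed hijack line pinning a search engine's name to the external address mentioned later in the thread. Accepting 0.0.0.0 alongside 127.0.0.1 and ::1 is this example's choice, because blocklists commonly use it as a sink.

```python
import ipaddress

# Constructed sample HOSTS file for this example (see the lead-in).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# 102.54.94.97     rhino.acme.com          # source server
# 38.25.63.10      x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
211.152.51.197  www.google.com google.com   # constructed hijack entry
"""


def parse_hosts(text):
    """Yield (line_number, ip, [names]) for each mapping line.

    Comments start at '#' and run to end of line (they may follow a mapping),
    blank lines are ignored, and a line may map several names to one address.
    """
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        yield number, fields[0], fields[1:]


def maps_to_self(ip):
    """True for addresses that make a name resolve to this machine or to nowhere.

    127.0.0.1 and ::1 are the loopback forms the post describes; 0.0.0.0 is
    accepted as well because blocklists commonly use it as a sink (an
    assumption of this example). Anything that does not parse as an IP
    address is treated as suspicious.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Return the mapping lines that send a name somewhere other than this machine."""
    return [(n, ip, names) for n, ip, names in parse_hosts(text) if not maps_to_self(ip)]


def clean_hosts(text):
    """Return the file with the flagged mappings removed; comments and blanks survive."""
    flagged = {n for n, _, _ in audit_hosts(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for number, ip, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {number}: {ip} -> {' '.join(names)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On a real machine, point the script at %SystemRoot%\System32\drivers\etc\hosts and write the cleaned output back only from an elevated prompt, after taking a copy of the original; the Spybot block entries survive the cleanup because they map to 127.0.0.1, which is exactly the distinction the post draws.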

    0 Votes
    lzhengtzer87

    I ran Malwarebytes and it cleaned 15 threats, but my IE still opens to the other website.

    This is how it looks when I open the HOSTS file:

    ----------------------------

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    ::1 localhost
    # Start of entries inserted by Spybot - Search & Destroy
    127.0.0.1 www.007guard.com
    ...

    --------------------------------------

    So do I need to delete this?
    "::1 localhost"

    thanks

    0 Votes
    CG IT

    Actually you should turn off NetBIOS over TCP/IP and, by extension, the hosts file. NetBIOS over TCP/IP is for older operating systems like Windows 9X. If you're not running Windows 9X, but W2K and later, you can turn off NetBIOS over TCP/IP.

    But usually after running HijackThis, you submit your log file to Spyware Warrior [HijackThis recommendation]. They in turn will tell you what the problem is and what to do about it.

    0 Votes
    seanferd

    No.

    CG IT's good advice aside, the ::1 entry is just an IPv6 version of localhost. If you don't see anything (Google.com in particular) pointing to an external IP, the problem isn't in HOSTS.

    You may just want to open the registry editor
    (type regedit in the Run box)
    and search the full registry for
    www.83027.com
    and also search for
    211.152.51.197
    You will want to delete just these data from the registry keys' values.

    0 Votes
    lzhengtzer87

    I had deleted

    1.) www.83027.com
    2.) 192.168.123.254

    Found nothing on 211.152.51.197

    The problem is still here T_T

    How? Help ><"

    0 Votes
    CG IT

    After running HijackThis, you submit your log file to Spyware Warrior [HijackThis recommendation]. They in turn will tell you what the problem is and what to do about it.

    1 Votes
    seanferd

    That is probably your router's address. It is only in the private address range (not for internet). See RFC 1918 for reference.

    Did you find every occurrence of www.83027.com, or did you stop after you found the first instance? In the keys where you found this, did you find any other such addresses?

    After you deleted these, did you reboot the computer and empty the browser cache?

    If you run the search again, has the address shown up again where you had deleted it? If so, something is still reinfecting the system.
