IE homepage hijacked

[m1nty]

Hey,

My internet explorer homepage seems to be hijack. I can't change it no matter what I do...I tried using malwarebytes, but it's not helping. Here's my Hijackthis log. Please help! Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:14:59 AM, on 12/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Airlink101\AWLL5025\WLService.exe

C:\Program Files\Airlink101\AWLL5025\AWLL5025.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\conime.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE

C:\PPSmtGrd\ppsmtgrd.exe

C:\Program Files\Software\mactool.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Software\Nlce.nls

C:\Program Files\Microsoft Office\Office\1028\OLFSNT40.EXE

C:\WINDOWS\system32\63r8.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe ,C:\WINDOWS\system32\PnkB.exe,

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Invoke Class - {218D774A-4ABE-4052-852D-AEF963A2C0CF} - C:\WINDOWS\system32\46l8.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"

O4 - HKLM\..\Run: [PPSmartGuard] c:\PPSmtGrd\ppsmtgrd.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [袤醱藝趙凅] C:\Program Files\Software\mactool.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [custom.exe] "C:\PROGRAM FILES\WINPENJR\WIN32\CUSTOM.EXE"

O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187812250281

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O20 - AppInit_DLLs: WIKI.DLL

O23 - Service: Airlink101 USB XR Adapter WLService - Unknown owner - C:\Program Files\Airlink101\AWLL5025\WLService.exe

O23 - Service: Error COM+ Service - Unknown owner - C:\WINDOWS\system32\evedeaza.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--

End of file - 4312 bytes

[Maurice Naggar]

Hello m1nty,

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not m1nty and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

DON't go sufing on the net, nor do any searches, and certainly do not do any online transactions.

Stick to this forum and the websites I guide you to.

Step 1

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 2

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O2 - BHO: Invoke Class - {218D774A-4ABE-4052-852D-AEF963A2C0CF} - C:\WINDOWS\system32\46l8.dll

O4 - HKLM\..\Run: [?????] C:\Program Files\Software\mactool.exe

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

Step 3

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 4

Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  
• IF prompted to Reboot, reply "Yes".
  

Step 5

Download The Avenger by Swandog46 from here.

• Unzip/extract it to a folder on your desktop.
  
• Double click on avenger.exe to run The Avenger.
  
• Click OK.
  
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to delete:
  C:\WINDOWS\system32\46l8.dll
  C:\Program Files\Software\mactool.exe
  
  Folders to delete:
  C:\Program Files\advstrs
  C:\Program Files\Software\advstrs
  C:\recycler
  D:\recycler
  e:\recycler
  f:\recycler
  g:\recycler
  h:\recycler
  
  Registry keys to delete:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{218D774A-4ABE-4052-852D-AEF963A2C0CF}

  
  

• In the avenger window, click the Paste Script from Clipboard icon, button.
  
• Click the Execute button.
  
• You will be asked Are you sure you want to execute the current script?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt) when I ask for it later.
  

Step 6

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click Yes.
  
• Once the scan is complete, you may receive another notice about rootkit activity.
  
• Click OK.
  
• GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  
• Save it where you can easily find it, such as your desktop.
  

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

• Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  
• Save it where you can easily find it, such as your desktop.
  

Step 7

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to C:\WINDOWS\system32\63r8.exe, then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

==

Use your browser to go here at VirSCAN.org website

Click the Browse button and then navigate to C:\WINDOWS\system32\63r8.exe, then click the Submit button.

Save the results, and post back here in a reply.

=

Use your browser to go Threatexpert

http://www.threatexpert.com/filescan.aspx

Click the Browse button and then navigate to C:\WINDOWS\system32\63r8.exe,

click the checkbox to checkmark "I agree to be bound by the Terms and Conditions"

then click the Submit button.

Save the results, and post back here in a reply.

Step 8

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

• Accept the Terms of Use and press Start button;
  
• Approve the install of the required ActiveX Control, then follow on-screen instructions;
  
• Enable (check) the Remove found threats option, and run the scan.
  
• After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
    

  Look at contents of this file using Notepad or Wordpad.

  The Frequently Asked Questions for ESET Online Scanner can be viewed here

  http://www.eset.com/onlinescan/cac4.php?page=faq

  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
    
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    

  Step 9

  Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
    
  • Follow the onscreen instructions inside of the command window.
    
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
    

  If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

  Step 10

  Reply with copy of C:\Avenger.txt

  the Gmer log

  the report logs from Virustotal

  VirSCAN report

  and Threatexpert report

  the ESET online scan log

  Checkup.txt

  and tell me, How is your system now?

  There will be more to do later.

[Maurice Naggar]

This is closed due to lack of response.

For all others, and for casual viewers, do NOT use the procedures outline here, lest you cause harm to your system.

The methods outlined here are only for this system and NO Other.