IE snail

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Toke, Jun 3, 2005.

  1. Toke

    Toke MajorGeek

    Hi .. have been right through the stickies and am now here 6 hours later. I had/have an IE hijacker which looks like this: ?????? in my homepage when hijacked. It reappeared every hour or so after I changed the page back to the default http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome.

    As I said, after exhaustive scanning with the programs in the sticky and others, my IE is still going at a snail's pace. The MSN home page takes 1 minute 19 seconds to load and I cannot get to many URLs, such as dell.co.uk. It is not ALL URLs, but as always it's the ones that are needed at the given moment. I have loaded and used TCPOptimizer with no result. I forgot to mention that the scanning operations did find minor trojans that have been successfully removed. And according to the last 4 virus scans I have done I am 100% clean, so what can it be?? Do I need to re-install IE and MSN, or really freak and do a clean install?

    PS: each night at turn-off I ALWAYS run Spybot/Xoft/iClean.

    ABIT KV8 mobo
    AMD64 3200
    512 DDR 400
    2X120 Raid + 1 200 Eide
    XP Pro (and all the other stuff that makes it whirl)

    Avast AV
    Sygate FW
    M$ Antispyware
    TrojanHunter
    Spybot
    Browser Hijacker
    XoftSpy Removal... installed; these are in addition to the programs downloaded from the sticky.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Toke

    Toke MajorGeek

    Hi Chaslang ... thanks for the reply, was just about to do a format; since running all the stickies yesterday I have not seen the ?????? hijacker, although something is still seriously affecting Explorer. Please find the HJT attachment readout .. :)
     
    Attached file: HJT.txt (7.5 KB)
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not install HijackThis properly. You are running it directly from the ZIP file, which is what we specifically request you not do. Use WinRAR to extract the hijackthis.exe file into the folder I requested. If you run it the way you are right now, you will not get any backups.

    First I have a couple of questions.
    1) Why would you be running both Diskeeper and O&O Defrag?

    2) Is the following something you installed and use (like a tracks eraser):
    O4 - HKCU\..\Run: [Eraser] "D:\eraser.exe"

    Okay, now to the rest of the cleanup. Some (or many) of the items listed below may or may not exist. Check anyway; they quite often do occur with this type of infection, so we need to check.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Open Control Panel and select Add/Remove Programs look for the below programs and uninstall them if found:
    Search Maid
    Security IGuard
    Virtual Maid

    Now exit Add/Remove Programs.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\WINDOWS\system32\intmon.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {F1FA27B0-0B1B-41D4-A6FC-95B449B8236C} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F1FA27B0-0B1B-41D4-A6FC-95B449B8236C} - (no file) (HKCU)
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba1865.exe
    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\WINDOWS\System32\intmon.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\system32\hp9980.tmp
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\Program Files\Search Maid<--- the whole folder
    C:\Program Files\Security IGuard<--- the whole folder
    C:\Program Files\Virtual Maid<--- the whole folder
    C:\Windows\System32\Log Files <--- the whole folder


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to C:\Windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and continue with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your Desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add to the registry say Yes.

    Now please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Now post a new HJT log. And tell me how things are working.
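    The selection logic behind the R0/R1, O4, O9 and O16 lines picked out above, written as a small Python triage pass over HijackThis-style log lines. This is an added example, not code from the post, from HijackThis or from MajorGeeks. The sample log is constructed from the entries quoted in the post plus two benign lines (an assumed stock IE start page and the genuine Messenger autorun); the System32 msmsgs.exe autorun line is constructed from the process list in the post. The trusted-host allowlist, the expected Messenger directory and the rogue-binary names are assumptions taken from this thread, not a vetted signature database.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

Rules mirror the reasoning in the post above:
  R0/R1  search/start page whose host is not a trusted default -> hijack
  O4     autorun of a known rogue binary, or a lookalike of a real one
  O9     browser button/menu item whose target file is missing  -> orphan
  O16    ActiveX (DPF) download from a raw IP or a direct .exe  -> dropper
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# ASSUMPTION: hosts a stock IE6 search/start page may legitimately point at.
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com",
                 "go.microsoft.com"}

# Binaries and products named in the post (assumed bad; not a vetted database).
BAD_BINARIES = {"shnlog.exe", "intmonp.exe", "intmon.exe", "helper.exe",
                "ole32vbs.exe", "msole32.exe", "popuper.exe", "wp.exe", "bsw.exe"}
ROGUE_PRODUCTS = ("search maid", "security iguard", "virtual maid")

# A real binary name that malware borrows: the genuine copy lives in this
# directory (assumed), so the same name anywhere else is a lookalike.
EXPECTED_DIR = {"msmsgs.exe": r"c:\program files\messenger"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"(https?://\S+)")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)

# Constructed sample: entries quoted in the post, plus an assumed stock start
# page, the genuine Messenger autorun, and a System32 msmsgs.exe autorun built
# from the process list in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [msmsgs] C:\WINDOWS\system32\msmsgs.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba1865.exe
"""


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return a reason string if the HJT line looks malicious or orphaned, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        u = URL_RE.search(body)
        if u and host_of(u.group(1)) not in TRUSTED_HOSTS:
            return "search/start page points at untrusted host " + host_of(u.group(1))
    elif code == "O4":
        p = PATH_RE.search(body)
        if not p:
            return None
        path = p.group("path").lower()
        directory, name = path.rsplit("\\", 1)
        if name in BAD_BINARIES or any(r in path for r in ROGUE_PRODUCTS):
            return "autorun of known rogue binary " + name
        if name in EXPECTED_DIR and not path.startswith(EXPECTED_DIR[name]):
            return f"{name} runs from {directory}, not {EXPECTED_DIR[name]} (lookalike)"
    elif code == "O9":
        if "(file missing)" in body or "(no file)" in body:
            return "orphaned browser button/menu item (target file absent)"
    elif code == "O16":
        u = URL_RE.search(body)
        if u and (is_ip(host_of(u.group(1))) or u.group(1).lower().endswith(".exe")):
            return "ActiveX download from raw IP or direct .exe: " + u.group(1)
    return None


def triage(log_text):
    """Return [(code, line, reason)] for every flagged entry, in log order."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            out.append((line.split(" - ", 1)[0], line, reason))
    return out


if __name__ == "__main__":
    for code, line, reason in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

    The rules are deliberately narrow: a Start Page on an unknown host or an msmsgs.exe outside its expected directory is flagged, while the genuine Messenger autorun and the Microsoft default page pass, which is the discrimination a log reviewer performs by eye before deciding which lines to tick in HijackThis.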
     
  5. Toke

    Toke MajorGeek

    Hi chaslang, first apologies for misinterpreting your guide, slight confusion on installation/extraction, but I have now rectified that. Diskeeper is on continually in the screensaver and I use O&O every 5/6 months to clean up what DSKP has missed. Followed all instructions to a T, and on reaching the process manager none of the list you gave me is in the PM list itself; the nearest of the references is a C:\Program Files\Messenger\msmsgs.exe, which is not a Win32 one of course. Consequently when I use the 'Back' button there is not a 'Scan' one available, which I assume is because no kill has taken place. I did this process from start to finish several times to make absolutely sure. So where does that leave us now??? And I do appreciate your time on this :)
     
  6. Toke

    Toke MajorGeek

    Jeez partner, I got it fixed... whilst following your instructions to switch off irrelevant programs in the tray I later went to IE and typed in the 'dell' site, and I noticed the browser loaded NP and also got into the Dell site, which I had been unable to do for several days. Then the penny dropped, so I rebooted and began to individually switch off tray programs and test-run IE,, it was the bleeding PeerGuardian that has been causing all this problem for weeks now. It was the fact that I did have that ?????? hijacker that prompted me to come here, but I must have got rid of that during the following of the first sticky project.
    Feel a bit of a prat really, but there again if you had not responded I would not have sussed what was amiss,, so thanks once again for your patience and guidance. Now perhaps I can get on and try and fix a friend's Dell laptop :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome, but it would still be a good idea to post the follow up HJT log I requested so we can be sure nothing is left hanging around.
     
