IE browser hijack - "quick search shit"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by olias32, Jun 1, 2005.

  1. olias32

    olias32 Private E-2

    Please help me. My browser (IE 6) has been hijacked. I have read a lot of similar posts here, but none to fit exactly my problem. My default (blank) page has been replaced by "quick search something".

    I have downloaded AdAware, Spybot Search & Destroy and HiJackThis.
    I ran all of them several times, cleaned what they found, went into safe mode, manually deleted all the suspicious dll and exe found by hijack (following other similar posts).

    However, I guess there is one dll or exe I am not able to find, that keeps creating the other dlls and exes with ever-changing names - they went through: winmg32.exe, ntqu32.exe, d3rl.exe, vbmte.dll, winhz.exe

    E.g.
    vbmte.dll was used where you now see ordba.dll in the hijack log.

    I have attached the log. Please help.
     


  2. olias32

    olias32 Private E-2

    Ok back with good news.

    I kept on reading here on the forum and found a link to CWSShredder - CoolWebSearch Trojan Remover. I got it, ran it and I seem to be clean now.

    However, I still attached a HijackThis log file - if anyone finds anything suspicious please let me know.

    Thanks
     


  3. Icelander

    Icelander Private First Class

    Okay, there are a few things I can see that are wrong. There might be more that I can't see, since I am still learning to read HJT logs.

    Open HijackThis and fix the following. Remember to have all browser windows shut when pressing fix.

    R3 - Default URLSearchHook is missing

    Don't really see anything else, don't know what this is though:

    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    Do you recognize it? If not, fix it.

    It's better you run nothing except HijackThis when scanning and fixing with it!
     
  4. Icelander

    Icelander Private First Class

    Also..

    Do you recognize this?

    C:\3dsmax7\VRLServer.exe

    Secondly:

    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    This should be running from c:\programme\tablette\ - do you know why it is not running from there?
     
  5. olias32

    olias32 Private E-2

    Thanks a lot. I'll fix the line
    R3 - Default URLSearchHook is missing

    The www.hp.com line is something the system came with (I have an HP computer that came with Windows XP).

    C:\3dsmax7\VRLServer.exe is a program I set myself to autorun. It's no virus.

    C:\WINDOWS\system32\Wtablet\TabUserW.exe is correct also. The tablet installed as a second system pointing device, and TabUserW.exe is also a process I need to have running.

    Thank you very much once again for your prompt answer.
     
  6. Icelander

    Icelander Private First Class

