please help hijacked browser

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by steve628, Oct 14, 2004.

  1. steve628

    steve628 Private E-2

    Hi there,

    I hope you can help me with this because I have been fighting these problems for 2 weeks now. I'm running Windows XP, and I have been running Spybot Search and Destroy, Ad-Aware and SpyKiller 2005. I have tried to remove the spyware with these programs, but they keep coming back. I'm the administrator on my computer; I have 2 other users who can't even log on to use the computer, it freezes up and cannot get on Internet Explorer at all. I can get on the computer as the administrator with no problems but having continual pop-ups. Also just today my default homepage changed to iwantsearch.com. I downloaded HijackThis and ran the scan to show you what I have. I appreciate your help. Thanks, Steve
     

    Attached Files:

    Last edited by a moderator: Oct 15, 2004
  2. jarcher

    jarcher I can't handle a title

    please don't post a HJT log file until asked to
    when you are asked you will be told to attach it as a .txt file
    and to close any non-vital programs


    first go through the
    "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal"

    here:
    http://forums.majorgeeks.com/showthread.php?t=35407

    then if need be that will refer you to "NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting"
    here:
    http://forums.majorgeeks.com/showthread.php?t=38752

    follow each thread exactly
    and if you still have a problem let us know


    oh. . .
    and for the new.net
    go to add\remove programs after disabling system restore
    then fix them in HJT
    (but that can be worked on later if need be)
    good luck
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    Before you start the tutorial Jarcher linked, look in add or remove programs and remove the following, if found:
    New.Net
    WinTools
    Web Offer
    BestPopUpKiller
    ~ This just sounds like a Rogue – If you know better, then leave it
    SBSoft
    Apropos Media


    Also, look for programs similar to the above and make note of them.

    To try to make a dent in your log, check these boxes to have HJT “fix” the following. Make sure ALL browser windows are closed when you click FIX:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50196

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwantsearch.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50196

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O2 - BHO: (no name) - SOFTWARE - (no file)

    O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\Downloaded Program Files\rundlg32.dll (file missing)

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll (file missing)

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\Downloaded Program Files\rundlg32.dll (file missing)

    O4 - HKLM\..\Run: [ZOcW7] C:\documents and settings\steve\local settings\temp\ZOcW7.exe

    O4 - HKLM\..\Run: [IA8PAG3] c:\documents and settings\steve\local settings\temp\IA8PAG3.exe

    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\system32\NuzK63G.exe

    O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe

    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

    NOTE that this is just to make a dent before running the TUTORIAL. Some of these items will come back and some I left out or missed.

    You have Trojan problems, including a Peper Trojan. You NEED to run the additional scans in the tutorial and use the A-Squared tool as well.

    Also download LSP-Fix in case you will need it later.

    Let us know how you fare with the Tutorial.

    Best luck,

    PP
     
    Last edited by a moderator: Oct 14, 2004
  4. jarcher

    jarcher I can't handle a title

    be very careful with LSP fix
    read the read me at least twice before using it
    and note that just because there is nothing in the right box (you'll see)
    that doesn't mean it won't work

    if you do end up having to use it
    tell us what it finds before doing anything else. . . .
     
  5. PhilliePhan

    PhilliePhan Guest

    Do Not Use LSP Fix. Just wanted you to have it on hand IN CASE you might need it due to NewDotNet.

    PP
     
  6. steve628

    steve628 Private E-2

    hello,
    I just wanted to let you know how I have come out. I did all the scanning and cleaning steps that you suggested. As of now my other users can log on to their user and surf the web. I did all the steps you said in safe mode except the CWShredder, Kill2me, Buster and HSRemove had to be in normal mode. I can't remember which scan I did but I came across 3 trojans, one was TROJ REVOP.F and two of them were TROJ AGENT.BN; it would clean them but it said it deleted them. I'm still getting some annoying pop-ups but it's still better than what it was. Should I post my HijackThis log? Please advise and thanks for your help.
     
  7. jarcher

    jarcher I can't handle a title

  8. steve628

    steve628 Private E-2

    ok here is my hijack log. thanks for checking on this.
     

    Attached Files:

  9. jarcher

    jarcher I can't handle a title

    disable system restore
    go to add/remove programs
    remove new.net
    Run Spy-bot S&D


    close all browser windows(including this one)
    close all tray items
    the only thing that should be running is HJT


    and fix these
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

    EDIT BY CHASLANG: THESE LINES BELOW ARE A PROBLEM BUT DO NOT FIX THEM YET. AT LEAST NOT WITH HJT. THIS COULD BREAK YOUR INTERNET CONNECTION. Download LSPFix (http://www.cexx.org/lspfix.htm) But do not run it yet.
    Also get LSP Explorer for Ad-Aware SE and install it and run it. When the LSP window comes up right click on Layered Service Providers and first choose Export text document to save it to a file you can post back here. Then right click again and choose Backup and save it to a place where you can locate it if needed. Now upload as an attachment your Exported text file.
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net



    this
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

    is put there by windows, if you do not use Microsoft Money it is safe to remove

    then go to add/remove windows > add/remove system components
    and uncheck it. . .
     
    Last edited by a moderator: Oct 19, 2004
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should also fix a problem with SpyBot that causes several malware items (including new.net) to be ignored.

    Fixing SpyBot's Ignore Products Bug:
    I want you to run SpyBot and get into the Advanced mode by selecting Mode and then
    Advanced mode. Then select Settings and then in the left column select Ignore Products.
    In the right window pane make sure the All products tab is selected. Then in that
    window, right click your mouse and choose "Deselect all". Now in the left pane click
    at the top on SpyBot S&D and then choose Search for Updates. Download any updates
    required. Now click Check for Problems. Fix any that are found.

    Let me know if it finds and fixes the new.net problem in your HJT log automatically.
     
  11. jarcher

    jarcher I can't handle a title

    thanks chaslang
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    WebOffer should be uninstalled via Add/Remove programs.

    Here are some additional items that must be fixed.
    Make sure system restore is disabled and viewing of hidden files is enabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    C:\WINDOWS\system32\capesnpn.exe
    C:\WINDOWS\system32\avmeter2.exe
    C:\WINDOWS\system32\Sty5.exe
    C:\WINDOWS\system32\EngpK.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [dd288fc3d452] C:\WINDOWS\system32\capesnpn.exe
    O4 - HKLM\..\Run: [qFtT32j] diashare.exe
    O4 - HKLM\..\Run: [57977f4c6a22] C:\WINDOWS\system32\avmeter2.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\system32\NuzK63G.exe
    O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe <-- this is NOT Task Manager


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\capesnpn.exe
    C:\WINDOWS\diashare.exe or C:\windows\system32\diashare.exe
    C:\WINDOWS\system32\avmeter2.exe
    C:\WINDOWS\system32\NuzK63G.exe
    C:\windows\system32\taskmgn.exe



    SpywareKiller should be uninstalled (Via Add/Remove programs) along with BestPopUpKiller which I believe is by the same people. It is on a list of rogue/suspect spyware removal tools. See the below link.
    http://www.spywarewarrior.com/rogue_anti-spyware.htm
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
     
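    The HJT lines PhilliePhan and chaslang pick out above (hijacked R0/R1 start and search pages, O2/O3 entries with a missing DLL, O4 Run entries launched from temp folders or named to imitate taskmgr.exe, and the New.Net O10 entries that must not be fixed with HJT) follow a few recognisable patterns. The script below is an added triage helper, not a HijackThis or MajorGeeks tool; the trusted-host list and the set of imitated system binaries are assumptions, and the sample lines are copied from the logs quoted in this thread.

```python
"""Triage HijackThis-style log lines (added example; not a HijackThis tool).
Flags the patterns this thread walks through: hijacked IE pages (R0/R1),
BHOs/toolbars with a missing DLL (O2/O3), Run entries from temp folders,
without a path or imitating a system binary (O4), and New.Net LSPs (O10)."""
import re
# Constructed input: lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwantsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50196
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\Downloaded Program Files\rundlg32.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ZOcW7] C:\documents and settings\steve\local settings\temp\ZOcW7.exe
O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [qFtT32j] diashare.exe
O10 - Hijacked Internet access by New.Net
"""
# Assumed allow-list of hosts a stock IE of that era would point at.
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}
# Assumed set of Windows binaries whose names malware imitates by changing one letter.
SYSTEM_BINARIES = {"taskmgr.exe", "explorer.exe", "svchost.exe", "lsass.exe"}

def _lookalike(name, ref):
    """True if name differs from ref in exactly one character position."""
    return len(name) == len(ref) and sum(a != b for a, b in zip(name, ref)) == 1

def triage_line(line):
    """Return a reason string if the HJT line looks suspicious, else None."""
    line = line.strip()
    m = re.match(r"([RO]\d+)\s*-", line)
    kind = m.group(1) if m else ""
    if kind in ("R0", "R1"):  # IE start page / search hooks
        m = re.search(r"=\s*(\S+)", line)
        url = m.group(1) if m else ""
        host = re.sub(r"^\w+://", "", url).split("/")[0].lower()
        if url and host not in TRUSTED_HOSTS:
            return "IE start/search page points to " + host
    elif kind in ("O2", "O3"):  # browser helper objects / toolbars
        if "(file missing)" in line or line.endswith("(no file)"):
            return "BHO/toolbar registered but its DLL is missing"
    elif kind == "O4":  # autostart Run entries
        m = re.search(r"\]\s*(.+)$", line)
        cmd = m.group(1).strip().lower() if m else ""
        exe = cmd.replace("/", "\\").split("\\")[-1].split(" ")[0]
        if "\\temp\\" in cmd or "\\local settings\\" in cmd:
            return "Run entry launches from a temp folder"
        if "\\" not in cmd:
            return "Run entry gives no path for " + exe
        if exe not in SYSTEM_BINARIES and any(_lookalike(exe, s) for s in SYSTEM_BINARIES):
            return "Run entry imitates a system binary name: " + exe
    elif kind == "O10":  # Winsock LSP chain
        return "Winsock LSP hijack; do not fix with HJT, use LSP-Fix"
    return None

def triage_log(text):
    """Return [(line, reason)] for every suspicious line in the log text."""
    return [(l.strip(), triage_line(l)) for l in text.splitlines() if triage_line(l)]
```

    The Microsoft Money BHO is deliberately left unflagged, matching jarcher's note above that it is a legitimate Windows component.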
  13. steve628

    steve628 Private E-2

    Hello,

    I'm still having problems. I did all the steps that chaslang suggested. The Weboffer folder was not in the add/remove programs so I didn't remove it. In the Task Manager processes I did all of the end tasks. I also ran HijackThis and fixed all of them. I went to Windows Explorer and deleted all that was stated on the post except I couldn't find the diashare.exe. I also uninstalled the SpyKiller and BestPopUpKiller. I'm still getting some pop-ups but not as many as I had previously, but still getting one from sandboxer.com and z1/adserver.com. I also ran Spybot and I had removed 5 of 7 registry entries from NewDotNet and I still cannot remove 2 of them which are HKEY_USERS\S-15-18\Software\new.net and HKEY_USERS\.DEFAULT\Software\new.net. Also after I rebooted my Easy CD Creator wanted to start installing and I received a message saying DIRECTCD.EXE unable to locate component: this application has failed to start because OLEPRO32.DLL was not found. Reinstalling may fix this problem. I also tried to update my Norton Anti-Virus and it also stated the OLEPRO32.DLL was not found, so I can't update Norton. I also noticed on my start taskbar I only have 2 programs on the startup, which are Norton and my volume icon; I had several other icons running there before. I also tried to run my Ad-Aware scan and it also errored out and won't work. I received an error about kernel32.dll from this. Please advise and thank you.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    sandboxer is typically related to a peper trojan. Please run these two items:
    http://www.memorywatcher.com/uninst.exe
    http://tools.zerosrealm.com/PeperFix.exe

    Spybot has a bug in its default config that sets it to ignore new.net problems.
    Did you fix Spybot as I mentioned in an earlier message?

    If you did not find WebOffer in Add/Remove programs you will need to fix it using HijackThis and then delete its folder.

    I'm not sure why you are having problems with OLEPRO32.DLL missing now. Nothing we did should have removed this file. You may be able to copy it from C:\i386\olepro32.dll back to c:\windows\system32\olepro32.dll (assuming you have the c:\i386 directory). Otherwise you should be able to get the file from your Win XP CD and expand it (files on the CD are typically compressed and it will be named olepro32.dl_ and will be in the \i386 folder of the CD. You need to use the expand command at a cmd prompt to expand it from the CD to your c:\windows\system32 folder). However since your system has been updated to SP2 you may find by searching your system for olepro32.dll that you have a copy for the upgrade to SP2 in a folder under c:\windows\Software Distribution\Download that you can copy.

    I don't understand the kernel32.dll error either.

    Are you sure you deleted: C:\windows\system32\taskmgn.exe
    and not C:\windows\system32\taskmgr.exe
     
  15. steve628

    steve628 Private E-2

    I tried to run uninst.exe and it wouldn't run without a password for the ad.dat file. Do I need this password to run this? Yes, I did the SpyBot fix and it still won't remove 2 entries from new.net. Also when I run HijackThis it does not show weboffer on it. Also I deleted taskmgn.exe and not taskmgr.exe.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When running uninst.exe, I have never seen a message occur about requiring a password for ad.dat or any other file. Check your computer for a file named ad.dat. Where is it located?

    Are the entries for new.net still
    HKEY_USERS\S-15-18\Software\new.net
    HKEY_USERS\.DEFAULT\Software\new.net

    You should be able to delete these manually using regedit.

    Do you have multiple user accounts on this PC? You should run everything done thus far on the other user accounts too. Also make sure system restore is still disabled. Empty your Recycle Bin too.

    What about the kernel32.dll problem and the OLEPRO32.DLL problem?
     
  17. steve628

    steve628 Private E-2

    I tried running uninst.exe with no problem now. I haven't removed the 2 new.net registry keys yet. I guess my question now is when I remove these should my system restore be off? On the OLEPRO32.DLL I got that resolved and am now able to update my Norton Anti-Virus. The kernel32.dll I haven't fixed but the only thing that I can't run is my Ad-Aware. Should I uninstall it and reinstall to see if it will work? I do have 2 other users besides myself on this PC. Overall everything is running better, I have no more pop-ups at all and my system seems to be a lot faster. I do have some more questions though. I noticed on my hard drive there are some things I don't recognize; I have the following there: all_icons.exe, overpro-347.exe, webrebates_auto_installer.exe. I also noticed some files under my program files folder too: weboffer is still there, cxtpls.exe, SEP, and maxspeed. All of these are not on my add/remove at all except SEP and maxspeed. Do you have any suggestions on these? I take it these are still spyware. If I run HijackThis none of these show up to remove them. If you like I could post a log file for you. Again I appreciate all your help because I couldn't have gotten this far without you. Thanks again!!!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be easier if you asked your questions in a list format rather than written out like this.

    System restore should have been off from the start of the process until you had everything fixed.

    If you are having problems with Ad-Aware SE, uninstall it, reboot, and then re-install.

    The files on your hard disk (you should have given the full path to the files):
    all_icons.exe - don't know, probably a download that installs icons. If you don't know what it is you should probably delete it.
    overpro-347.exe - don't know
    webrebates_auto_installer.exe - delete it
    weboffer - look for an Uninstall in Add/Remove programs, otherwise delete it
    cxtpls.exe - delete it. See http://www.giantcompany.com/antispyware/research/spyware/spyware-AproposMedia.aspx
    SEP - this is SideSearch, uninstall or delete it: http://doxdesk.com/parasite/Sidesearch.html
    maxspeed - I believe this is dial-up download accelerator. Did you install it? If not, it's up to you what to do with it.

    And you're welcome.
     