'argvideo.com' homepage hijack - help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tenderloin australia, Aug 10, 2004.

  1. tenderloin australia

    tenderloin australia Private E-2

    Hi guys, Just having a few problems with a page that invades soon after logging onto IE. I'm running AVG 7, spybot and spy sweeper to no avail.
    Hijack This! lists my problem (017) but will not fix. The 'arg' prefix is a hassle with a google search for information and I can find no other info regarding people who have the same problem. Also tried CWS shredder to no avail. Spybot lists frequently OrganicCrap.Irc which cannot be removed. Didn't know if this had anything to do with it. Also checked lop.com probabilities, but no sites seem to list this 'arg' hijack. The Hijack This! report listing for the problem is as follows:

    017 - HKLM\System\CCS\Services\Tcpip\..\{A09766AE-3181-47F9-A1A7-D0E7AD94B041}: NameServer = 203.134.64.66 203.134.65.66

    Don't know if this is any help as I'm fairly new to the 'computer game'... Any help would be appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do you think anything is wrong with the O17 line? Aren't the IP addresses shown your ISP's? See what I decoded below.
    203.134.64.66 = [ nc1.syd.iprimus.net.au ]

    inetnum: 203.134.64.0 - 203.134.127.255
    netname: INTERNETPRIMUS
    descr: Primus Telecommunications
    descr: Internet Services Network
    country: AU
    admin-c: IN1-AP
    tech-c: IN1-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-PRIMUS-AU
    changed: hostmaster@apnic.net 19991119
    changed: apnic-dbm@apnic.net 20000310
    status: ALLOCATED PORTABLE
    source: APNIC
    role: IPRIMUS NET
    address: Level 2
    address: 19 Pitt Street
    address: Circular Quay Sydney
    country: AU
    phone: 61-2-9423-2400
    fax-no: 61-2-9423-2410
    e-mail: netops@iprimus.com.au
    trouble: PLEASE EMAIL abuse@iprimus.com.au FOR
    trouble: ALL NETWORK ABUSE MATTERS.
    trouble: Please include detailed information and times in UTC.
    admin-c: JD29-AP
    tech-c: JD29-AP
    nic-hdl: IN1-AP
    remarks: http://www.iprimus.com.au
    notify: netops@iprimus.com.au
    mnt-by: MAINT-PRIMUS-AU
    changed: netops@iprimus.com.au 20000321
    source: APNIC
     
    Last edited: Aug 11, 2004
  3. tenderloin australia

    tenderloin australia Private E-2

    Chaslang,

    Thanks for your work. iPrimus is my ISP and I concluded the 017 line meant a hijacked home page due to the definition offered by Hijack This! I'll include the full scan with this reply.

    Have you heard of this 'argvideo' page appearing before?

    It may also be worth noting, Spy Sweeper constantly traces 'Micr Update' - assessment unknown on the startup shield (soundblaster exe) and I find it unusual that when I click for more details, no company name, product name or copyright information is supplied.

    Sorry also about delays in responding as the time differences are extreme on this side of the world.

    Edit by chaslang: HJT log deleted!
    You have a bunch of trojans running. I'm going to add your HJT log back in as an attachment for you.
     

    Attached Files:

    Last edited by a moderator: Aug 11, 2004
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow forum protocols! Please read and do as indicated in the below thread (you have thus far only used SpyBot & CWShredder from this link but make sure you used the correct versions indicated in the links. Your HijackThis is out of date for one.)
    http://forums.majorgeeks.com/showthread.php?t=35407

    And then follow the guidelines for posting HijackThis logs (attachments only and only when requested and shut down all unnecessary applications first)
    http://forums.majorgeeks.com/showthread.php?t=38752
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of Trojans on your PC. In addition to the online scans that are shown in the 35407 link I gave to you, run the items below too:

    http://www.ravantivirus.com/scan/
    http://www.bitdefender.com/scan/licence.php
    http://www.windowsecurity.com/trojanscan/

    McAfee Avert Stinger: http://www.majorgeeks.com/download4063.html
    Avast Virus Cleaner: http://www.majorgeeks.com/download4188.html

    After doing everything in this post and my previous post, do another HijackThis scan (use correct version, shut down all applications including IE) and post as an attachment.

    As a heads up, here are the items in your HJT log that I'm concerned about:
    O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
    O4 - HKLM\..\Run: [Microsofts Updatez] cmsssr.exe
    O4 - HKLM\..\Run: [Microsoft Dev] iexplorer32.exe
    O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
    O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
    O4 - HKLM\..\RunServices: [Microsofts Updatez] cmsssr.exe
    O4 - HKLM\..\RunServices: [Microsoft Dev] iexplorer32.exe
    O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
    O4 - HKCU\..\Run: [Microsofts Updatez] cmsssr.exe
    O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
     
    Last edited: Aug 11, 2004
  6. tenderloin australia

    tenderloin australia Private E-2

    Chaslang,

    Thanks for the advice and I will follow your procedures as requested. Thanx and I'll let you know how it goes... Regards Tender
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, get back to me when you finish!
     
  8. tenderloin australia

    tenderloin australia Private E-2

    G'day Chaslang!

    That took a lot longer than expected!!

    Anyway, here's what I've done by following your instructions 'to the book'.

    1. Updated windows
    2. Disable system restore.
    3. Checked network security etc.
    4. Enabled viewing of hidden files etc.
    5. Scanned with avg7
    6. Boot into safe mode etc.
    7. Used CCleaner
    8. Used Ad-ware - 4 tracking cookies found and 'possible hijack'
    9. Spybot - found 4 x DSO Exploit as usual - fixed - and returned as usual
    found OrganicCrap.Irg (x2) as usual.... ditto!
    10. used cws shredder - nothing found
    11. Scanned again with avg and then A2 - nothing discovered
    12. Rav scan - see attachment
    13. Bitdefender used.. It took over an hour!! but picked up the following which must be in the avg virus vault:

    Master Boot Record 80 ok (Windows 95 B20 - Windows 98)
    Partition Boot 1 (primary) (active) ok (Windows NT 2000 NTFS)
    Boot Sector of Drive A: ok (Read Error)
    C:\$VAULT$.AVG\00000009.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000009.FIL unable to disinfect
    C:\$VAULT$.AVG\00000009.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000009.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000010.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000010.FIL unable to disinfect
    C:\$VAULT$.AVG\00000010.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000010.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000011.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000011.FIL unable to disinfect
    C:\$VAULT$.AVG\00000011.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000011.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000012.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000012.FIL unable to disinfect
    C:\$VAULT$.AVG\00000012.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000012.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000013.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000013.FIL unable to disinfect
    C:\$VAULT$.AVG\00000013.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000013.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000014.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000014.FIL unable to disinfect
    C:\$VAULT$.AVG\00000014.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000014.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000015.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000015.FIL unable to disinfect
    C:\$VAULT$.AVG\00000015.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000015.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000016.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000016.FIL unable to disinfect
    C:\$VAULT$.AVG\00000016.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000016.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000017.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000017.FIL unable to disinfect
    C:\$VAULT$.AVG\00000017.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000017.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000018.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000018.FIL unable to disinfect
    C:\$VAULT$.AVG\00000018.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000018.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000019.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000019.FIL unable to disinfect
    C:\$VAULT$.AVG\00000019.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000019.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000020.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000020.FIL unable to disinfect
    C:\$VAULT$.AVG\00000020.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000020.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000021.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000021.FIL unable to disinfect
    C:\$VAULT$.AVG\00000021.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000021.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000022.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000022.FIL unable to disinfect
    C:\$VAULT$.AVG\00000022.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000022.FIL.OLD unable to disinfect
    C:\$VAULT$.AVG\00000047.FIL infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000047.FIL unable to disinfect
    C:\$VAULT$.AVG\00000047.FIL.OLD infected: Win32.Worm.Sasser.2.Gen
    C:\$VAULT$.AVG\00000047.FIL.OLD unable to disinfect
    C:\WINDOWS\system32\drivers\etc\hosts infected: Trojan.Qhosts.B
    C:\WINDOWS\system32\drivers\etc\hosts unable to disinfect
    C:\WINDOWS\system32\iexplorer32.exe=>(PE-Diminisher) infected: Backdoor.Agobot.3.Gen
    C:\WINDOWS\system32\iexplorer32.exe=>(PE-Diminisher) unable to disinfect
    C:\WINDOWS\system32\msnmsgr.exe=>(PE-Diminisher) infected: Backdoor.SDBot.Gen
    C:\WINDOWS\system32\msnmsgr.exe=>(PE-Diminisher) unable to disinfect
    C:\WINDOWS\system32\soundblaster.exe=>(FSG 2.0) infected: Backdoor.SDBot.Gen
    C:\WINDOWS\system32\soundblaster.exe=>(FSG 2.0) unable to disinfect
    C:\WINDOWS\system32\TFTP1612=>(PE-Diminisher) infected: Backdoor.SDBot.Gen
    C:\WINDOWS\system32\TFTP1612=>(PE-Diminisher) unable to disinfect
    C:\WINDOWS\system32\TFTP2848=>(PE-Diminisher) infected: Backdoor.SDBot.Gen
    C:\WINDOWS\system32\TFTP2848=>(PE-Diminisher) unable to disinfect
    C:\WINDOWS\UnstSA2.exe=>(Embedded EXE o) infected: Trojan.Clicker.Delf.R

    14. applied windows trojan scan - nil!
    15. Stinger - deleted 2 files, repaired 1
    16. applied Avast - no infection found

    I hope this is of assistance.

    Just a few questions... Should I remain in safe mode, continue to show hidden files and should I turn system restore back on?

    Also my ISP recommended not using a firewall???? what do you think? Is the one that came with my computer, windows XP Pro, to be used at all times?

    Thanx so much for your help.......Although with this 'argvideo hijack', it's taken me roughly 7 hours to do what you suggested with slow downloads etc.

    Makes one feel like strangling someone, doesn't it!!!!

    regards... miss tender
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I cannot understand why your ISP would recommend not having a firewall. That is pretty dumb on their part. I would ask them why they do not want your PC to be protected. Do they think they are doing it for you? Doesn't look like it, does it? Yes the one that came with WinXP could be used but there are other free ones you can download from MG's:

    http://majorgeeks.com/download3356.html Sygate Personal Firewall Free
    http://www.majorgeeks.com/download388.html ZoneAlarmFree

    No you do not need to remain in safe mode but do leave on viewing of hidden files. No do not enable System Restore yet. We have to get rid of these trojans first.

    So let's begin. First get HijackThis out of the Temp directory and into its own directory where it can safely store backups. I suggest creating a C:\Program Files\HJT directory and putting the hijackthis.exe file in there. One more thing about HJT, when saving your log, save it to a .txt file not a .doc file. Makes viewing a little easier with notepad rather than Word.

    Bring up Task Manager by hitting CTRL-ALT-DEL and select the Processes tab.
    Now look for the below processes and if found, End them (let me know if you have a problem with any of them):
    winsys32.exe
    cmsssr.exe
    iexplorer32.exe
    soundblaster.exe

    Now run HijackThis and put check marks on the following items but do not FIX yet:
    O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
    O4 - HKLM\..\Run: [Microsofts Updatez] cmsssr.exe
    O4 - HKLM\..\Run: [Microsoft Dev] iexplorer32.exe
    O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
    O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
    O4 - HKLM\..\RunServices: [Microsofts Updatez] cmsssr.exe
    O4 - HKLM\..\RunServices: [Microsoft Dev] iexplorer32.exe
    O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
    O4 - HKCU\..\Run: [Microsofts Updatez] cmsssr.exe
    O4 - HKCU\..\Run: [Micr Update] soundblaster.exe

    Now exit all Internet Explorer (or other browser) sessions and then click Fix in HijackThis.

    Now reboot in safe mode again and delete the following (some did not show a path so we need to check multiple places):
    C:\WINDOWS\System32\soundblaster.exe
    C:\WINDOWS\System32\iexplorer32.exe
    C:\WINDOWS\System32\winsys32.exe or C:\WINDOWS\System\winsys32.exe or C:\WINDOWS\winsys32.exe
    C:\WINDOWS\System32\cmsssr.exe or C:\WINDOWS\System\cmsssr.exe or C:\WINDOWS\cmsssr.exe

    If you have a problem deleting any of these, use Task Manager again and make sure they are not running. If so, end them and then delete.

    Now reboot in normal mode and tell me how things are looking. Run another HijackThis scan and let's verify all of these items are gone.

    By the way, why not see if you can empty AVG's vault so those virus files are no longer showing up.


     
    Last edited: Aug 12, 2004
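Added example, not part of the thread and not code from MajorGeeks or HijackThis: a Python script that groups the O4 autostart lines from the post above by executable, attaches the BitDefender verdicts quoted in post 8, and lists where to look for files the log shows without a path. The function names and the C:\WINDOWS install location are assumptions; the sample lines are copied from the posts.

```python
import re
from collections import OrderedDict
from ntpath import basename  # Windows path rules, works on any OS

# Constructed sample input: lines copied from the posts in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\Run: [Microsoft Dev] iexplorer32.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKLM\..\RunServices: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\RunServices: [Microsoft Dev] iexplorer32.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
"""
SCAN_LOG = r"""
C:\WINDOWS\system32\drivers\etc\hosts infected: Trojan.Qhosts.B
C:\WINDOWS\system32\iexplorer32.exe=>(PE-Diminisher) infected: Backdoor.Agobot.3.Gen
C:\WINDOWS\system32\msnmsgr.exe=>(PE-Diminisher) infected: Backdoor.SDBot.Gen
C:\WINDOWS\system32\soundblaster.exe=>(FSG 2.0) infected: Backdoor.SDBot.Gen
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
SCAN_RE = re.compile(r"^([A-Za-z]:\\[^=]+?)(?:=>\(.*?\))? infected: (\S+)$")
# Quoted command, else first token (unquoted paths with spaces are cut short).
IMAGE_RE = re.compile(r'^"([^"]+)"|^(\S+)')
# Directories post 9 says to check when the log shows no path.
# Assumption: Windows is installed in C:\WINDOWS, as on the poster's machine.
SEARCH_DIRS = (r"C:\WINDOWS\System32", r"C:\WINDOWS\System", r"C:\WINDOWS")


def parse_detections(scan_text):
    """Map lower-cased file name -> (full path, signature) from scanner output."""
    found = {}
    for line in scan_text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            found[basename(m.group(1)).lower()] = (m.group(1), m.group(2))
    return found


def triage(hjt_text, scan_text):
    """Group O4 autostart lines by executable and attach scanner verdicts."""
    detections = parse_detections(scan_text)
    entries = OrderedDict()
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, value_name, command = m.groups()
        im = IMAGE_RE.match(command.strip())
        image = im.group(1) or im.group(2)
        rec = entries.setdefault(basename(image).lower(), {
            "image": image, "keys": [], "value_names": set()})
        rec["keys"].append(f"{hive}\\{key}")
        rec["value_names"].add(value_name)
    for name, rec in entries.items():
        hit = detections.get(name)
        rec["detection"] = hit[1] if hit else None
        if "\\" in rec["image"]:      # the log already gives a full path
            rec["candidates"] = [rec["image"]]
        elif hit:                     # the scanner told us where the file is
            rec["candidates"] = [hit[0]]
        else:                         # no path anywhere: check each directory
            rec["candidates"] = [f"{d}\\{rec['image']}" for d in SEARCH_DIRS]
    # Detected files with no O4 line still need explaining (other load points).
    unlisted = sorted(n for n in detections if n not in entries)
    return entries, unlisted


if __name__ == "__main__":
    entries, unlisted = triage(HJT_LOG, SCAN_LOG)
    for name, rec in entries.items():
        print(name, rec["keys"], rec["detection"], rec["candidates"])
    print("detected but not in O4:", unlisted)
```
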
  10. tenderloin australia

    tenderloin australia Private E-2

    Hi again Chaslang,

    I'm about to get to work with this again... Forgive me if it takes some time, as I said before I'm fairly new to this... I'll see how I go.

    Regards Tender.
     
  11. tenderloin australia

    tenderloin australia Private E-2

    Me again!!

    Last night I created a folder specifically for Hijack this in 'my Documents'.... Obviously this is still a temporary location.

    How exactly should I set up the directory you suggested?

    Also, I did have problems uploading my hijackthis scan details from notepad, hence the word document. I'll have another go at it and will let you know how I go.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I should be around for at least a little while longer. I have some storms heading my way. When they get here, I'll be shutting down for the night.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you know how to use Windows Explorer to get around, you can just use it to create a new folder. Select the c:\program files directory in the left window pane and then click File, New, Folder, and then enter the name for the folder (overwriting the default name "New Folder") so you would just type HJT and hit the enter key. Then Unzip the new HijackThis file to that folder or Move it from where you have it now using Windows Explorer.

    When you create the HijackThis log, you need to click Save log, and then change the "Save as type" to All files (*.*) then in the File name: box change the file name to hijackthis.txt rather than hijackthis.log. Now you will be able to upload it.
     
  14. tenderloin australia

    tenderloin australia Private E-2

    Hi chaslang,

    Found process tab as suggested.

    Managed to end :iexplorer32.exe
    :soundblaster.exe

    The following were not present to end: wynsys32.exe
    : cmsssr.exe
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But you should really Exit all Internet Explorer sessions now and continue. Copy the procedure locally to a text file or print it. Then continue while not connected here.

    The file name was winsys32.exe not wynsys32.exe
     
  16. tenderloin australia

    tenderloin australia Private E-2

    Chaslang.... Once again just making sure I do this correctly...

    Followed your instructions in post#9 and am ready to reboot in safe mode after clicking fix in HJT.

    When I delete the following: c:\WINDOWS\System32\soundblaster.exe etc.

    do you mean doing it with HJT again?

    I've used the task manager again and none are running.

    Cheers, Tender
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Not with HijackThis. You need to physically delete the files using Windows Explorer.
    Just in case these files are hidden you should also enable viewing of hidden files and folders right now:
    http://forums.majorgeeks.com/showthread.php?t=37650
     
  18. tenderloin australia

    tenderloin australia Private E-2

    Chaslang...

    Aren't you glad I checked!!! Sorry to be such a pain! Will be back shortly.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It's getting late here....need some sleep soon. I've been putting in too many 18 hour days. What time is it down under? It's 12:13 am here.
     
  20. tenderloin australia

    tenderloin australia Private E-2

    Chaslang,

    I appreciate your help. I've also got to go and get to night classes so I'll hit you with my troubles later and will wait for any advice before doing something stupid. It's 2.18pm Friday here. I'll chat to you soon... Miss Tender.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oooh! 14 hours difference. Make sure you complete the steps though. If you wait, you could bring problems back. Plus we need to disable system restore to remove virus/trojans from restore points. The longer you wait, the greater the chance of these problems coming back.
     
  22. tenderloin australia

    tenderloin australia Private E-2

    Dear Chaslang,

    I'm back!!!

    System restore has been disabled for some time and I think we've got rid of some troubles. Ie: When Spybot's run, I no longer get the OrganicCrap.Irc but the DSO thing is still there.

    I've still got this homepage hijack problem though... Only it's now titled 'dickmagazine' rather than 'argvideo'.

    Spysweeper is still getting lots of the soundblaster.exe (Micr. Update) all the time, and as you will note from the HJT attachment, it's still lingering despite following everything as mentioned.

    I end program as you advised under Windows Task Manager - processes and it keeps on returning.

    Anyway, I've got a few classes over the next few days, so when I get the chance, I look forward to your response and advice... Regards... Miss Tender
     

    Attached Files:

  23. tenderloin australia

    tenderloin australia Private E-2

    Chaslang..............P.S......................

    I forgot to mention... I had no luck deleting files in Windows Explorer... I tried searching for the files by typing in the address bar in safe mode and looked in System 32 and couldn't see anything like any of the files you suggested. Should I have gone about it in another way?

    Miss Tender..........
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we need to get rid of the soundblaster.exe and the c:\windows\system\winlogon.exe file too.
    NOTE: Not the c:\windows\system32\winlogon.exe file. That one is okay.
    Follow these steps exactly even if you think you did some of them before:

    1) First we are going to enable view of hidden files again and also check a few other settings:
      • Click Start.
      • Open My Computer.
      • Select the Tools menu and click Folder Options.
      • Select the View Tab.
      • Under the Hidden files and folders heading select Show hidden files and folders.
      • Uncheck the Hide extensions for known file types
      • Uncheck the Hide protected operating system files (recommended) option.
      • Click Yes to confirm.
      • Click OK.
    2) Run HijackThis and put check marks on the following but do not click Fix yet (notice there are three different lines having soundblaster.exe on them):


    O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
    O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
    O4 - HKCU\..\Run: [Micr Update] soundblaster.exe

    Now exit all Internet Explorer sessions and then click Fix in HijackThis.

    3) Immediately reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    4) Run Windows Explorer and in the Address: field enter C:\WINDOWS\SYSTEM
    (DO NOT DO THIS IN SYSTEM32) then hit the enter key. Now in the right pane scroll accordingly and locate winlogon.exe. When you find it, right click on it and select Delete. If you get a denied message, run Task Manager and end the winlogon.exe processes (you may see two of them). Now delete the file. Let me know if you have any problems here and tell me exactly what error messages you get.

    5) Run Windows Explorer and in the Address: field enter C:\Windows\System32\Wins
    and if you find the winlogon.exe file here delete it as per step 4. Note: you may not have this directory on your PC at all. Let me know one way or the other.

    6) Run Windows Explorer and in the Address: field enter C:\WINDOWS\SYSTEM32
    (YES THIS TIME IT IS SYSTEM32) then hit the enter key. Now in the right pane scroll accordingly and locate soundblaster.exe. When you find it, right click on it and select Delete. If you get a denied message, run Task Manager and end the soundblaster.exe process. Now delete the file. Let me know if you have any problems here and tell me exactly what error messages you get.

    7) Now reboot in normal mode and give me a new HJT log attachment.
     
    Last edited: Aug 15, 2004
  25. tenderloin australia

    tenderloin australia Private E-2

    Chaslang,

    Hope you had a great weekend.

    I've followed your latest steps:

    * Located winlogon.exe and deleted
    * Found folder: C:\Windows\System32\Wins - folder empty
    * Could not find any trace of soundblaster.exe in System 32 as instructed in step #6.

    P.S. I haven't had the homepage hijack occur this morning, as before it was cutting in seconds after entering IE.

    Attached is my latest HJT report - Regards Miss Tender
     
  26. tenderloin australia

    tenderloin australia Private E-2

    Sorry Chaslang,

    Don't think attachment went thru... Will try again.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi Tender,

    The weekend was full of rain! How about yours?
    It's strange that you could not find the soundblaster.exe file. Maybe we should do a search for it.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well maybe it is not necessary? The lines loading it are gone and the process is not running either. Congratulations! Your log is clean.
     
  29. tenderloin australia

    tenderloin australia Private E-2

    That sounds great. Thanks for all your assistance and putting up with this process.

    The fire wall I downloaded (sygate) has been blocking soundblaster... I forgot to mention.

    Also, I will get in touch with my ISP and let you know exactly why they suggested I disable my original firewall... When I've had past problems, every operator has made mention of this over the telephone.

    Once again Thanx and I will keep you informed of any re-occurences... If you don't mind.. Miss Tender.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem, keep in touch.

    Your ISP probably said that for debugging purposes so they can be sure that your problems did not result from improperly setting up the firewall. Obviously you could set it up wrong and block all or certain internet traffic. So they are just making sure the problem is not your fault. But they should not be telling you to "not use a firewall".
     
