Need help removing a Hijacked homepage

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Legaeveth, Jun 18, 2004.

  1. Legaeveth

    Legaeveth Private E-2

    Here is the log file. If you need me to give you any more info, ask away; I'm not the most computer-friendly person.

    Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 12:40:27 PM, on 6/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\javalm.exe
    C:\WINDOWS\system32\javajl.exe
    C:\PROGRA~1\AIM95\aim.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\U7834H0D\HijackThis[2].exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eyxso.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eyxso.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eyxso.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eyxso.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eyxso.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eyxso.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A8EDB036-4D54-9260-4A3A-5F029E67878B} - C:\WINDOWS\system32\mfcqo.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [system] dcomx.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /QS
    O4 - HKLM\..\Run: [javalm.exe] C:\WINDOWS\javalm.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\RunServices: [system] dcomx.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlins.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned41.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.1112152778
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Legaeveth

    Legaeveth Private E-2

    A little more info to add: I ran both Spybot and Ad-Aware (I have the latest versions of each). I also ran Norton AntiVirus, which is also up to date, and nothing came up. Not sure what else to add.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. Legaeveth

    Legaeveth Private E-2

    I read both posts. I do not understand how to get to the places it's referring to; a little help would be appreciated. I'm not the most computer-friendly operator.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We will try to work with you. But give me a little more specific info. I'm not sure what you meant by "I do not understand how to get to the places it's referring to". What exactly do you mean? I have a feeling that those threads went way over your head and the terminology (things like regedit, Process Explorer, etc.) has you lost. Forgive me if I'm wrong, but I'm just trying to get a feel of your PC knowledge. You implied in your message that you do not have too much computer background.

    It is going to require some detailed digging to work on this problem. And I guarantee you will probably learn a lot, but it will require some hard work on your part.
     
  6. Legaeveth

    Legaeveth Private E-2

    I don't understand what the Microsoft Management Console is talking about, nor the Network Security Service.

    Thanks. All from the first link.
     
  7. Legaeveth

    Legaeveth Private E-2

    Tried to edit; it timed out on me.

    Step 2: I don't understand what this browser helper object is talking about. Elaborate if you could, Barney style.

    Step 3: is this telling me to delete certain files inside the HJT file after you hit scan? Because the only exe file on that list that looks funny to me is the winor32.exe file.

    Step 5: this all went over my head. How do I get to the system32 folder? And I have no clue about this regedit deal altogether.

    I wasn't kidding when I said I don't know jack. Thank you for taking the time to help. All this info came from the first link.
     
  8. Legaeveth

    Legaeveth Private E-2

    Here is my latest HJT file to help lessen the confusion on my part. I'm also adding my latest Ad-Aware log file below the HJT one.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:47:23 AM, on 6/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\javajl.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\system32\winor32.exe
    C:\My Downloads\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rqvko.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rqvko.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rqvko.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rqvko.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rqvko.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rqvko.dll/sp.html#96676
    O2 - BHO: (no name) - {23F257E0-B066-AEB7-2685-85F0FCB6FA44} - C:\WINDOWS\system32\winor32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [winor32.exe] C:\WINDOWS\system32\winor32.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlins.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned41.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.1112152778
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Saturday, June 19, 2004 12:14:55 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R319 15.06.2004
    ______________________________________________________
    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R319 15.06.2004
    Internal build : 251
    File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    Total size : 1243271 Bytes
    Signature data size : 1222976 Bytes
    Reference data size : 20231 Bytes
    Signatures total : 27234
    Target categories : 10
    Target families : 497
    6-19-2004 12:14:45 AM Error retrieving update

    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium IV
    Memory available:82 %
    Total physical memory:1571852 kb
    Available physical memory:1278380 kb
    Total page file size:2446508 kb
    Available on page file:2363708 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2054748 kb
    OS:
    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file
    Extended Ad-aware Settings
    =========================
    Set : Unload recognized processes during scanning
    Set : Include basic Ad-aware settings in logfile
    Set : Include additional Ad-aware settings in logfile
    Set : Let windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Always back up reference file, before updating
    Set : Play sound if scan produced a result

    6-19-2004 12:14:55 AM - Scan started. (Custom mode)
    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 6-19-2004 3:48:18 AM
    BasePriority : Normal

    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 6-19-2004 3:48:28 AM
    BasePriority : High

    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-19-2004 3:48:32 AM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 8/18/2001 11:00:00 AM
    Last accessed : 6/19/2004 3:36:53 AM
    Last modified : 8/18/2001 11:00:00 AM
    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-19-2004 3:48:32 AM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 8/18/2001 11:00:00 AM
    Last accessed : 6/19/2004 3:36:53 AM
    Last modified : 8/29/2002 10:41:26 AM
    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-19-2004 3:48:35 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/18/2001 11:00:00 AM
    Last accessed : 6/19/2004 3:36:53 AM
    Last modified : 8/18/2001 11:00:00 AM
    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-19-2004 3:48:35 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/18/2001 11:00:00 AM
    Last accessed : 6/19/2004 3:36:53 AM
    Last modified : 8/18/2001 11:00:00 AM
    #:7 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 6-19-2004 3:48:46 AM
    BasePriority : Normal
    FileSize : 973 KB
    FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
    ProductVersion : 6.00.2800.1221
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 5/12/2003 1:12:10 AM
    Last accessed : 6/19/2004 3:55:51 AM
    Last modified : 5/12/2003 1:12:10 AM
    #:8 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 6-19-2004 4:14:39 AM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 5/26/2004 8:47:32 AM
    Last accessed : 6/19/2004 4:14:39 AM
    Last modified : 7/13/2003 1:00:20 AM
    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0

    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0

    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 2

    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    CoolWebSearch Object recognized!
    Type : File
    Data : a0000066.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\
    FileSize : 70 KB
    Created on : 6/12/2004 1:56:50 PM
    Last accessed : 6/19/2004 4:09:47 AM
    Last modified : 6/12/2004 1:56:50 PM

    CoolWebSearch Object recognized!
    Type : File
    Data : a0000067.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\
    FileSize : 70 KB
    Created on : 6/4/2004 10:58:45 AM
    Last accessed : 6/19/2004 4:09:47 AM
    Last modified : 6/4/2004 10:58:45 AM

    CoolWebSearch Object recognized!
    Type : File
    Data : a0000068.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\
    FileSize : 70 KB
    Created on : 5/28/2004 4:13:49 AM
    Last accessed : 6/19/2004 4:09:47 AM
    Last modified : 5/28/2004 4:13:49 AM

    CoolWebSearch Object recognized!
    Type : File
    Data : a0000069.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\
    FileSize : 70 KB
    Created on : 6/1/2004 8:09:11 AM
    Last accessed : 6/19/2004 4:09:47 AM
    Last modified : 6/1/2004 8:09:11 AM

    CoolWebSearch Object recognized!
    Type : File
    Data : a0000070.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\
    FileSize : 70 KB
    Created on : 5/31/2004 11:40:46 PM
    Last accessed : 6/19/2004 4:09:47 AM
    Last modified : 5/31/2004 11:40:46 PM

    CoolWebSearch Object recognized!
    Type : File
    Data : a0000071.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\
    FileSize : 70 KB
    Created on : 6/3/2004 7:51:03 PM
    Last accessed : 6/19/2004 4:09:47 AM
    Last modified : 6/3/2004 7:51:03 PM

    CoolWebSearch Object recognized!
    Type : File
    Data : a0000072.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\
    FileSize : 70 KB
    Created on : 5/24/2004 6:54:34 PM
    Last accessed : 6/19/2004 4:09:47 AM
    Last modified : 5/24/2004 6:54:34 PM

    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 9

    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 9

    12:21:23 AM Scan complete
    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:06:28:484
    Objects scanned :173764
    Objects identified :9
    Objects ignored :0
    New objects :9
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First let's talk about the Network Security Service:

    Go to Start->Run and type "Services.msc" (without quotes) then hit OK.
    Scroll down and find the service called "Network Security Service".

    This is part of how this problem is protecting itself. If you don't see this in the list, it is not running.

    What the fixes were suggesting is to look to see if this service is running and when you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 2: The BHO they are referring to is showing up in the HijackThis log. A line that looks something like:
    O2 - BHO: (no name) - {C726D36D-9BDF-0383-F849-161DD3B7B85F} - C:\WINDOWS\system32\netiq32.dll

    A BHO is a COM DLL that allows developers to customize and control Internet Explorer. When it starts, it reads the registry to locate installed BHOs and then creates them.

    From your log, the one I suspect is:
    O2 - BHO: (no name) - {23F257E0-B066-AEB7-2685-85F0FCB6FA44} - C:\WINDOWS\system32\winor32.dll

    Step 3: This is where the research on your part begins. Everyone's problem file will not be the same. The items that look suspicious to me are:

    O4 - HKLM\..\Run: [winor32.exe] C:\WINDOWS\system32\winor32.exe

    Step 5: They are saying run Windows Explorer and navigate into your c:\windows\system32 directory. You are going to need to have the ability to view hidden files enabled (read this: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)

    They are telling you to hunt down all suspicious files and delete them. But you really need to know what you are doing here. You do not want to delete files required by Windows. This is part of the reason a reference was made to look at http://www.liutilities.com/products/wintaskspro/processlibrary/
    so you could compare filenames you find to files that are known security risks and ones that are valid Windows System Processes. (I told you it is going to take some work).

    regedit is the registry editor. You run this by clicking Start, Run and then entering regedit, then click OK. This is again EXTREMELY dangerous if you do not know what you are doing. Be very careful here; do not get click-happy. And do not delete or edit anything in the registry without some guidance from an expert. You should really back up your registry first before using regedit. You can use a tool like Erunt to do that for you. See: http://www.majorgeeks.com/download1267.html
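A defender-side triage of the HijackThis log lines discussed in this post, written as an added example (not code from the thread, from HijackThis or from MajorGeeks). It assumes the v1.97 R0/R1, O2 and O4 line formats shown in the logs above, and its sample log is constructed from entries quoted in this thread: it flags page settings that point into a `res://` DLL resource, nameless BHOs loaded from the Windows directory, and O4 autostart entries that share a base name with such a BHO (winor32.dll / winor32.exe), which is the pairing the post walks through by hand.

```python
"""Triage HijackThis 1.97-style log lines for the IE hijack pattern seen in this thread.

Added example: not code from the thread, from HijackThis or from MajorGeeks. Only the
R0/R1, O2 and O4 line formats shown in the thread's logs are parsed.
"""
import re

# Constructed sample, assembled from entries quoted in the thread (benign lines included
# so the rules have something to leave alone).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rqvko.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rqvko.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {23F257E0-B066-AEB7-2685-85F0FCB6FA44} - C:\WINDOWS\system32\winor32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winor32.exe] C:\WINDOWS\system32\winor32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# R0/R1: IE start/search page settings.  O2: browser helper objects.  O4: autostart entries.
RE_R = re.compile(r"^R[01] - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")


def stem(path):
    """Lower-case file name without directory or extension (winor32.dll -> winor32)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def first_token(cmd):
    """Executable part of an O4 command line, honouring quotes and dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (rule, line) findings.

    Rules, all of them patterns the thread's helper checked by hand:
      res_hijack                  - a page setting points into a DLL resource via res://
      nameless_bho_in_windows_dir - an O2 BHO named "(no name)" whose DLL lives under the
                                    Windows directory rather than a product folder
      autostart_paired_with_bho   - an O4 Run entry whose exe shares a base name with such a BHO
    """
    findings = []
    flagged_stems = set()
    autostarts = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_R.match(line)
        if m:
            if m.group("data").lower().startswith("res://"):
                findings.append(("res_hijack", line))
            continue
        m = RE_O2.match(line)
        if m:
            path = m.group("path")
            if m.group("name") == "(no name)" and "\\windows\\" in path.lower():
                findings.append(("nameless_bho_in_windows_dir", line))
                flagged_stems.add(stem(path))
            continue
        m = RE_O4.match(line)
        if m:
            autostarts.append((m.group("cmd"), line))
    # Second pass so a Run entry listed before its BHO is still paired up.
    for cmd, line in autostarts:
        if stem(first_token(cmd)) in flagged_stems:
            findings.append(("autostart_paired_with_bho", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:28} {line}")
```

Run against a real log it only narrows the list; the process library lookup the post recommends is still the step that decides what a flagged file is.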
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This line is also suspicious:
    C:\WINDOWS\system32\javajl.exe

    This application was running during the time you made your last post. I do not know what it is but I would suspect it. It was in your first log along with another one beginning with a j.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  13. Legaeveth

    Legaeveth Private E-2

    I ran the CWS shredder along with coolwww and it didn't find anything.

    Before I go and do anything in my system32 files I want to make sure I get this right. I was looking at the list provided by you in this link

    http://www.liutilities.com/products...processlibrary. Now as I was going through the list one thing showed up, which was alg.exe. Now, just as an example, since it's on the list do I need to delete it? I didn't want to jump ahead of myself and hit delete and find out I really screwed myself.

    Thanks
     
  14. Legaeveth

    Legaeveth Private E-2

    Something doesn't feel right. When I ran CWShredder this is the log it gave me...
    This doesn't seem like it actually did anything; from the looks of it, it found absolutely nothing.

    CWShredder v1.59.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip
    Windows XP (5.01.2600 SP1)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Robert\Application Data
    Username: Robert
    Hosts file not present
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    Found Win.ini file: C:\WINDOWS\win.ini (647 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)
    - END OF REPORT -
     
  15. Legaeveth

    Legaeveth Private E-2

    For the CoolWWW I hit download; it gives me a zipped file named delcwssk.zip. I right-click on it and hit Extract All, which then brings me to an icon called

    miniremoval_coolwebsearch_smartkiller.exe. I hit this and it comes up with a small window

    saying Miniremoval.Copyright (c) 2004 Safer Networking limited
    CoolWWWSearch.Smartkiller (v1/v2) has not been found on your system.

    How do I get around this and what am I doing wrong?
     
  16. Legaeveth

    Legaeveth Private E-2

    If I format my hard drive will it fix this problem? This stuff seems way over my head and I'm not up to destroying my computer because I deleted the wrong file when I wasn't supposed to. I'm to the point of shipping it off to someone to fix it at this point.

    I do realise that IE is flawed beyond belief and I'll never use it again once this problem is fixed.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's okay if CWShredder did not find anything. It does not hurt to check.

    As far as alg.exe is concerned, you are reading the list wrong. That is a Windows System Process file that you need to have. What you want to do is find things that are on your computer that you do not see in the Windows Process list and question what they are. Also another good thing to do is have Windows Explorer sort the list of files by Date Modified so you can find things that recently have been added or changed. This could help. By the way, this Only the Best problem also has been seen to put files in c:\windows and c:\windows\system as well as c:\windows\system32.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You ran Scan Only. You did not run Fix. But since the scan found nothing you do not have to fix anything.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did nothing wrong! It is telling you that it did not find the variant of CoolWWWS that it looks for. Again this is good. I thought I saw some files that could potentially indicate you had a problem. But running SmartKiller and CWShredder both showed nothing. So for the vintages that they detect you're clean. Obviously, you have a new strain of problem (the Only the Best strain). No one has a one-click fix for this yet, although some are working on it.
     
  20. Legaeveth

    Legaeveth Private E-2

    OK, I went through and deleted some files. Some things I noticed were some WildTangent files which didn't sound right, so off they went. After doing this I reran Ad-Aware; they had a new d/l I found just this morning since yesterday. Anyways I ran it, and it found 17 new items, some of which were the files you talked about, the winor32 file for instance. It then told me it couldn't fix it completely till after I rebooted. Before I rebooted I went to IE and entered in a new homepage. I did CNN to make it simple. Anyhow, after doing this and after the reboot, the CNN homepage showed up. I rebooted again and it was still showing up. I don't know if I fixed it, because that annoying page isn't showing up when I launch IE.

    The "Use Current" tab on IE under where you enter a homepage isn't lighting up. Is it supposed to? I rarely change my homepage; I only did it once and I can't recall if that tab ever lit up.

    Thanks once again
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, formatting would fix it, but the problem is not so much with IE as it is with the protection that you add to your computer. You need to keep yourself safe by having:

    1) a virus scan/protection program that is kept current
    2) a firewall
    3) a spyware/adware blocker
    4) keep your PC current with all Microsoft updates/security patches

    You also have to be careful where you go and what you click yes to. Any browser (not just IE) can get a problem like this attached to it.

    You will learn more by trying to fix this rather than formatting. As I said at the start, there is no easy fix for this yet. It will take some work. Formatting your drive is the easy way out, but you will have to install all your applications all over again and fine-tune all your settings back to how you had them. Also, you will lose all of your own data unless backed up. You also stand a chance of just getting this problem or others right back unless you have the proper protections in place.

    One other thing, you can always work on fixing your system and if you mess it up, use format and start over as the alternative.

    If you really are ready to just format why not just try seeing if you can use system restore to return your system to a point in time before the problem occurred. Read this: http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This sounds promising. Yeah, I forgot to mention that Ad-aware updated yesterday and today. Always check for updates on any of these tools before running. I'm not sure what's going on with the Use Current button; this could be a spyware program blocking it. They may have changed something in your registry. How about posting a new HijackThis log. Don't forget to shut everything down before running HijackThis.
     
  23. Legaeveth

    Legaeveth Private E-2

    New HJT file you just asked for....

    Logfile of HijackThis v1.97.7
    Scan saved at 11:20:43 AM, on 6/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AIM95\aim.exe
    C:\My Downloads\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lityw.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lityw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lityw.dll/sp.html#96676
    O2 - BHO: (no name) - {23F257E0-B066-AEB7-2685-85F0FCB6FA44} - C:\WINDOWS\system32\winor32.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlins.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.1112152778
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have HijackThis fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lityw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lityw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lityw.dll/sp.html#96676
    O2 - BHO: (no name) - {23F257E0-B066-AEB7-2685-85F0FCB6FA44} - C:\WINDOWS\system32\winor32.dll (file missing)

    And consider fixing these (looks like you are a game player, so it's up to you):
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_42.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
     
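To show what chaslang is picking out of the log above, here is an added example in Python (not HijackThis's own code and not from anyone in this thread) that scans HJT-style R0/R1/O2 lines and flags the res:// search-page entries and the nameless, file-missing BHO; the regexes are assumptions written from the posted log format, and the sample lines are copied from the second log in the thread.

```python
import re
from dataclasses import dataclass

# Patterns for the HijackThis v1.97 line types seen in this thread. They are
# assumptions written from the posted log lines, not HijackThis's own parser.
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM))\\(.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


@dataclass
class Finding:
    section: str  # HJT section code: R0, R1 or O2
    reason: str   # why a helper would tell the user to fix it
    line: str     # the original log line


def check_line(line):
    """Return a Finding for a suspicious HJT entry, or None for a benign one."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        section, hive, _key, name, value = m.groups()
        # A start or search page served out of a local DLL resource (res://)
        # is the hijack this thread is about; a plain http URL is left alone.
        if value.lower().startswith("res://"):
            return Finding(section, f"{hive} {name} loads from a DLL resource: {value}", line)
        return None
    m = O2_LINE.match(line)
    if m:
        name, clsid, path = m.groups()
        # A BHO with no name, or whose DLL is already gone, is a leftover to remove.
        if name == "(no name)" or path.endswith("(file missing)"):
            return Finding("O2", f"BHO {clsid} is unnamed or its file is missing: {path}", line)
    return None


def scan_log(text):
    """Run check_line over every line of a log and collect the findings."""
    return [f for f in (check_line(ln) for ln in text.splitlines()) if f]


# Constructed sample: entries copied from the second log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lityw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lityw.dll/sp.html#96676
O2 - BHO: (no name) - {23F257E0-B066-AEB7-2685-85F0FCB6FA44} - C:\WINDOWS\system32\winor32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.section, f.reason)
```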
  25. Legaeveth

    Legaeveth Private E-2

    OK, I deleted everything you suggested in the last post. I then rebooted and reran HJT and none of the files came back. Am I to believe this God-awful problem is fixed? CNN is still coming up as the homepage.

    *crosses fingers*
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's very COOOOL! Hope it stays that way! :D Come back into this thread and let me know in a couple days one way or another how it's working.
     
  27. Legaeveth

    Legaeveth Private E-2

    I sure will, once again thank you for all the assistance. You've been a great help and thank you for all the quick replies.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Happy/Smooth surfing! ;)
     
