Release from hijack needed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sunrise, Jan 22, 2005.

  1. sunrise

    sunrise Private E-2

    My IE homepage is being hijacked by a "Search for..." page. I have tried the advice in the Do this first Sticky but it's still there. Trend Micro gave an uncleanable TROJ STARTPGE.CL readout. Any help would be appreciated. Thanks.
     
  2. Quinndrew5

    Quinndrew5 Corporal

    Post a HijackThis log:
    1. Make sure you have version
    2. Save the log as a .txt
    3. Post it as an attachment
     
  3. sunrise

    sunrise Private E-2

    Here is the HJT log. Hope you find something.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not cut any lines out of your HJT logs. You cut the line with the HJT version on it. We need to know what version you use.

    Also, it looks like you are using two antivirus applications, AVG and AntiVir. You must only use one. Pick one and uninstall the other.

    Since Quinndrew5 is not around I will look at your log now!
     
  5. sunrise

    sunrise Private E-2

    Thanks. I've removed AntiVir. Here is the complete HJT log file.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Make sure you have also downloaded (as per the READ ME FIRST) and have ready to use, CWShredder! Do not run yet.

    Download the following two programs:
    - Win98Fix.zip from http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
    - StartDreck from http://www.niksoft.at/download/startdreck.htm

    Extract the Win98Fix.zip file contents into a folder named c:\win98fix (do not run yet)
    Extract the Startdreck.zip file contents into a folder named c:\startdreck
    1. Run startdreck.exe.
    2. Now we need to set some options: click on the Config button and then select the unmark all button
    3. Then put checkmarks in the following checkboxes:
       - Under the Registry heading select the Run Keys checkbox.
       - Under the System/Drivers heading select the Running Process checkbox.
    4. Make sure the "save account info to log" box is checked on the lower right and then click the OK button.
    5. Now you are back at the startup window for StartDreck. Look in the info you see in that window for the >>RunServicesOnce section. Now we are looking under RunServicesOnce for an entry that displays a DLL file in the c:\windows\system folder followed by a StreamingDeviceSetup. Here is an example (only an example; you will probably have a different DLL filename):

      »RunServicesOnce
      **t=rundll32 C:\WINDOWS\SYSTEM\XYZ.DLL,StreamingDeviceSetup

      Note the XYZ.DLL could be anything; this is just an example. If this file does not exist, skip to step 8 with CWShredder. If you do find this DLL file, write down the full path like C:\WINDOWS\SYSTEM\XYZ.DLL and save it.
    6. Now using Windows Explorer go to the c:\win98fix folder and double-click on the RunFix.reg file. When prompted about merging the information into your registry, click the Yes button.
    7. Now immediately reboot your computer in safe mode and then run Windows Explorer and look for the DLL file (C:\WINDOWS\SYSTEM\XYZ.DLL) from step 5 above and right click on it and then select Delete. Be sure to let me know if it will not delete or you cannot find it.
    8. Now make sure no browser windows (including this one) are open and run CWShredder and make sure you select the Fix button. Note whether it finds anything and when it finishes exit.
    9. Now run Ad-Aware SE followed by Spybot S&D and allow them to fix anything they find.
    Now run HijackThis and select the following lines (if they still exist) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {5954A881-5297-11D9-A614-000295FF41AC} - C:\WINDOWS\SYSTEM\GNHL.DLL
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
    O18 - Filter: text/html - {498DD8A5-6C95-11D9-A614-00026172E9FC} - C:\WINDOWS\SYSTEM\GNHL.DLL
    O18 - Filter: text/plain - {498DD8A5-6C95-11D9-A614-00026172E9FC} - C:\WINDOWS\SYSTEM\GNHL.DLL

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete if found (we may have already deleted it):
    C:\WINDOWS\SYSTEM\GNHL.DLL

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
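    Added example, not part of the thread or of HijackThis: a small Python scanner that applies the same triage the log review above does to HJT-style lines. It flags R0/R1 entries redirected to about:NavigationFailure, the non-standard IE values (Start Page_bak, HomeOldSP) hijackers use as backups, unnamed BHOs, and O18 MIME filters on text/html and text/plain, then correlates the DLL paths so the file loaded by more than one hook (here GNHL.DLL) is reported as the removal target. The line formats are assumed from the R0/R1, O2 and O18 lines quoted above; the sample log is constructed from those lines plus one benign R0 line.

```python
import re
from collections import defaultdict

# Constructed sample log: the entries flagged in this thread plus one benign
# R0 line (constructed) to show it is left alone.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:NavigationFailure
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {5954A881-5297-11D9-A614-000295FF41AC} - C:\\WINDOWS\\SYSTEM\\GNHL.DLL
O18 - Filter: text/html - {498DD8A5-6C95-11D9-A614-00026172E9FC} - C:\\WINDOWS\\SYSTEM\\GNHL.DLL
O18 - Filter: text/plain - {498DD8A5-6C95-11D9-A614-00026172E9FC} - C:\\WINDOWS\\SYSTEM\\GNHL.DLL
"""

# IE registry values IE itself does not create; hijackers stash the original
# start/search page here so they can reapply the hijack after a manual fix.
HIJACKER_BACKUP_VALUES = {"Start Page_bak", "HomeOldSP"}

# Assumed HJT line formats, taken from the lines quoted in the thread.
R_LINE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.+)$", re.I)
O18_LINE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-F-]+\}) - (.+)$", re.I)

def scan_hjt_log(text):
    """Return (findings, dll_hooks): suspicious (line_no, reason) pairs, and each
    DLL path mapped to the set of hook types (O2/O18) that load it."""
    findings, dll_hooks = [], defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if m := R_LINE.match(line):
            _, _key, name, value = m.groups()
            if value.lower() == "about:navigationfailure":
                findings.append((lineno, f"{name} redirected to {value}"))
            elif name in HIJACKER_BACKUP_VALUES:
                findings.append((lineno, f"non-standard IE value {name} (hijacker backup)"))
        elif m := O2_LINE.match(line):
            bho_name, clsid, path = m.groups()
            dll_hooks[path.upper()].add("O2")
            if bho_name == "(no name)":
                findings.append((lineno, f"unnamed BHO {clsid} loads {path}"))
        elif m := O18_LINE.match(line):
            mime, _clsid, path = m.groups()
            dll_hooks[path.upper()].add("O18")
            if mime.lower() in ("text/html", "text/plain"):
                findings.append((lineno, f"MIME filter on {mime} lets {path} rewrite every page"))
    return findings, dict(dll_hooks)

def removal_targets(dll_hooks):
    """DLLs loaded through more than one hook: the files to delete in safe mode
    once the hooks are removed, as the thread does with GNHL.DLL."""
    return sorted(p for p, hooks in dll_hooks.items() if len(hooks) > 1)
```

    Running `scan_hjt_log(SAMPLE_LOG)` flags six of the seven sample lines and `removal_targets` returns only GNHL.DLL, because it is the one file referenced by both a BHO and an O18 filter.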
     
  7. sunrise

    sunrise Private E-2

    You are a genius! The hijacker seems to be gone. I'll browse some more but so far no trouble. Thanks for your speedy and concise reply to my problem. It's a great job you are doing here. I've attached the latest HJT log. Thanks again from the UK. :)
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! You look clean now! You should check the below out to help avoid future problems:
    How to Protect yourself from malware!

    By the way, was this present:
    »RunServicesOnce
    **t=rundll32 C:\WINDOWS\SYSTEM\XYZ.DLL,StreamingDeviceSetup
     
  9. sunrise

    sunrise Private E-2

    No, the RunServicesOnce file didn't appear. I may have spoken too soon. All seemed well last night but this morning the internet is really slow. It takes forever for pages to load, if they do at all. It took ages and many tries just to send this message. I'll try to free up some memory to see if that helps.
     
  10. sunrise

    sunrise Private E-2

    I had a problem with my broadband connection. All fixed now and running OK. Thanks for all your help. :)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     