| Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html
I have never posted to receive help before, but I need help more than ever now. I have some sort of program that is infecting my computer. It has replaced my old wallpaper on my desktop with some cryptic message that portrays itself as a warning. When I get on IExplorer the home page is a blue page that reads a similar warning. The address is as follows: C:\WINDOWS\secure.html. Also there are some links that possibly lead to e-shredder.com at the bottom though I have not dared to click on them. If anyone can help me with my dilemma, I would appreciate it. Please let me know what information you need and I will gladly provide it. Thank you in advance. |
| ||
| Re: Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html
Download & instal Spybot S&D from here. Update it before scanning. After the scan is complete, have Spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad ActiveX controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it.
Reboot.
Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.
Download & instal Adaware from here & update it before scanning. In settings under 'scanning,' have it set to 'scan within archives,' 'scan active processes,' 'scan registry,' 'deepscan registry' 'scan my IE Favourites for banned URL's,' 'scan my host's file.' In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.' Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Click here for instructions on how to boot into safe mode. Boot up in safe mode.
Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.
Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.
Reboot your computer in normal mode.
Download HijackThis from here & unzip it into its own, permanent folder, (Not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive). If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post.
DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system. |
| ||
| Re: Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html
Thanks for the direction. I had downloaded, updated, and tried Spybot prior to posting my original message. It did locate and fix the majority of the spyware located on my computer, but there are 2 problems it could not fix.
Problem 1. "DSO Exploit." I clicked on it and attempted to fix it. Spybot notified me that the problem files had been deleted, but when I ran Spybot again, the DSO Exploit was still there.
Problem 2. "IE Plugin" Spybot said it was unable to remove this problem and asked if Spybot could run again after I reboot. I marked yes and rebooted, but again Spybot was unable to remove the IE Plugin problem. The IE plugin has one entry and the entry reads as follows: "Executable C:\WINDOWS\winserv.exe" The text of the entry is preceded by a warning sign.
I have downloaded and run HijackThis. Here is the log that it produced:
-----------------------------------------------------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 10:34:54 AM, on 9/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Winad Client\Winad.exe
C:\WINDOWS\System32\windllsys32.exe
C:\Documents and Settings\Nicolas\Application Data\ttuh.exe
C:\WINDOWS\System32\jaee.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Winad Client\WinClt.exe
C:\WINDOWS\system32\scagent.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Nicolas\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O2 - BHO: (no name) - {623BDBE8-51A2-4566-A391-291F48C958DF} - C:\WINDOWS\System32\dncag.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SysA] C:\windows\system32\winwht32.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Nicolas\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Pfwi] C:\WINDOWS\System32\jaee.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...dceabcca450006
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
O18 - Filter: text/plain - {6A420490-FBAD-42EB-9E57-4DE3F5B131D8} - C:\WINDOWS\System32\dncag.dll
O21 - SSODL: System - {94826AB4-1115-4692-B6EC-26C6F5ECABFE} - C:\WINDOWS\system32\system32.dll
-----------------------------------------------------------------------------------
I have used HijackThis once in the past and I was able to, under very strict guidelines, remove some problematic lines. I don't remember the log in the past being as long as this log, which may point to the stem of some of my current problems. I appreciate the response and thank you in advance for any future assistance you may provide. |
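An added example, not part of any post in this thread: a small parser for the HijackThis entry format shown in the log above, which groups entries by section code and lists the R entries whose home-page value is a file on disk, the symptom the original poster describes. The function names and the local-path heuristic are assumptions made for this illustration; the sample lines are copied from the posted log.

```python
import re
from collections import Counter

# HijackThis section codes that occur in the posted log.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar", "O4": "autostart entry",
    "O8": "context menu item", "O9": "extra button / Tools item",
    "O12": "IE plugin", "O16": "downloaded ActiveX (DPF)",
    "O18": "protocol/filter handler", "O21": "ShellServiceObjectDelayLoad",
}
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")

def parse_log(text):
    """Return (code, body) for each R/O entry; header and process lines are skipped."""
    found = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def homepage_on_disk(entries):
    """R entries whose home-page value is a local file rather than a URL (heuristic)."""
    hits = []
    for code, body in entries:
        left, sep, data = body.partition(" = ")
        key, _, name = left.rpartition(",")
        if (code.startswith("R") and sep and LOCAL_PATH.match(data)
                and name in ("Start Page", "Default_Page_URL")):
            hits.append((key.split("\\", 1)[0], name, data))
    return hits

# Excerpt of the log posted above, one entry per line.
SAMPLE = r"""Logfile of HijackThis v1.98.2
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {623BDBE8-51A2-4566-A391-291F48C958DF} - C:\WINDOWS\System32\dncag.dll
O4 - HKCU\..\Run: [Pfwi] C:\WINDOWS\System32\jaee.exe
O18 - Filter: text/plain - {6A420490-FBAD-42EB-9E57-4DE3F5B131D8} - C:\WINDOWS\System32\dncag.dll
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE)
    for code, n in sorted(Counter(c for c, _ in entries).items()):
        print(f"{code:>3}  {SECTIONS.get(code, '?'):<28} {n}")
    for hive, name, data in homepage_on_disk(entries):
        print(f"home page on disk: {hive} {name} -> {data}")
```

The output is a triage aid for reading a log, not a verdict on any entry; which lines to fix is still a decision for whoever reviews the full log.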
| ||
| Re: Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html
If you have all of your Windows updates from Microsoft, ignore the DSO Exploit that Spybot S&D picks up... it's a bug with Spybot. You can set it to ignore it if you want. |
| ||
| Re: Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html
I had missed so many of my updates that I couldn't get them all to download... if there is some way you can get to the page and order the Security Updates CD, you could do that. And it's very possible once you get the hijack fixed, that you could download them from the website... if that is the case, I would do that as soon as I got everything else fixed. Wish I knew more to tell you that would help. :) |
| ||
| Re: Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html
Unzip HJT into its own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop (in a folder on the desktop is fine) & not directly on your hard drive). Then we can continue :). We do not want to lose any back-ups by running HijackThis from a temp folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder. That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
You can also do the following:
Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in its database. Close ALL windows, including Internet Explorer, before running CWShredder.
Reboot.
To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
Reboot after doing this & post another log please. |
| ||
| Re: Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html
Thank you. Will try both of those things... |
| ||
| Re: Help needed for hijacker with homepage address location of C:\WINDOWS\secure.html
Hey Mcam, You still have a problem getting rid of DSO Exploit? I have just been successful in getting rid of it. If you (or anyone else) is still having difficulties let me know I will share. |
©2003 - 2009 DaniWeb® LLC