DaniWeb IT Discussion Community

DaniWeb IT Discussion Community (http://www.daniweb.com/forums/index.php)
-   Viruses, Spyware and other Nasties (http://www.daniweb.com/forums/forum64.html)
-   -   Hijacked browser - how to get rid of.... (http://www.daniweb.com/forums/thread4749.html)

Ron Wolpa Mar 17th, 2004 11:45 pm
Hijacked browser - how to get rid of....
 
I have had problems with changed start page by this annoying res://mshp.dll/index.html#10213 ;
Besides that every time I run Google.com a pop up ad comes up just after submiting any entry a new browser windows opens with this pesky search company :
(http://search-company.com/search.php...bird&pin=10213)

Despite I have employed Hijackthis to clear out the system , the d a m n thing goes on happening ;
can someone help me to get rid of the trouble ?


Hijackthis log after the clearing :

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\MYVITALAGENT8\VITALAGENT\PROGRAM\VTLAGENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\ADMUNCHER\ADMUNCH.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\AHDW\AHD3.EXE
D:\!DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uol.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Multi Media Marketing
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://home.uol.com/
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - D:\IEDOCTOR\ADFLR.DLL
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\WINVX\WINVX.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\WINVX\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\WINVX\MSSEARCH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ACROBATREADER\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &IE Doctor Bar - {123249EB-F891-44C4-946F-450064F9080E} - D:\IEDOCTOR\IEDRBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: MyVitalAgent.lnk = C:\Arquivos de programas\myvitalagent8\VitalAgent\Program\VtlAgent.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - D:\Arquivos de programas\getright502\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Arquivos de programas\getright502\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ComVC (HKCU)
O12 - Plugin for .spop: C:\ARQUIV~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O19 - User stylesheet: (file missing)

TallCool1 Mar 18th, 2004 12:10 am
Re: Hijacked browser - how to get rid of....
 
Quote:
Originally Posted by Ron Wolpa
Besides that every time I run Google.com a pop up ad comes up just after submiting any entry a new browser windows opens with this pesky search company :
(http://search-company.com/search.php...bird&pin=10213)

Despite I have employed Hijackthis to clear out the system , the d a m n thing goes on happening...
Your primary problem is a CoolWebSearch variant. First run CWShredder--download from here. Then re-scan and re-post.

Just so you know, this diagnosis is based on the following items from your log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uol.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Multi Media Marketing
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://home.uol.com/
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - D:\IEDOCTOR\ADFLR.DLL
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\WINVX\WINVX.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\WINVX\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\WINVX\MSSEARCH.DLL
O3 - Toolbar: &IE Doctor Bar - {123249EB-F891-44C4-946F-450064F9080E} - D:\IEDOCTOR\IEDRBAR.DLL

O19 - User stylesheet: (file missing)

all of which indicates a hijacker.

Ron Wolpa Mar 18th, 2004 1:07 am
Re: Hijacked browser - how to get rid of....
 
Hi Tall Cool1

1st of all thank you for your answer ;


I contacted search-for support which stated they distribute the pesky IeFeastSl , an adware that can be unistalled ; ok , I followed their advice and uninstalled that s...t from the sytem , but the search-for window opens up at every time I search an entry at Google ;
I run CwShredder and bellow you get the log (shall I hit Fix ?)


CWShredder v1.53.1 scan only report

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: rw

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
Infected data: C:\WINDOWS\system32\blank.html
Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2147 bytes, A)
Found CWS.Smartsearch.2 file: c:\y.exe (3072 bytes, A, running)
Found file: C:\WINDOWS\my.css (1252 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8595 bytes, A)
Found line in Win.ini: load=
Found System.ini file: C:\WINDOWS\system.ini (2091 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

TallCool1 Mar 18th, 2004 1:25 am
Re: Hijacked browser - how to get rid of....
 
Quote:
Originally Posted by Ron Wolpa
I run CwShredder and bellow you get the log (shall I hit Fix ?)
Yes. Then run HijackThis again as a cross-check, to see if anything is left.


All times are GMT -4. The time now is 4:28 pm.

Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC