Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijack


  • This topic is locked This topic is locked
3 replies to this topic

#1 Rizon

Rizon

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:23 PM

Posted 04 July 2004 - 06:12 PM

A little history on my problem of the last few days. Basically my IE homepage has been changed to a search page. Even though it's still shown as my regular start page of about :blank, it still shows the search page. I get bombarded with ad popups if I'm not using a blocker.

I've tried the following (all updated versions of each):

1) Ran AVG numerous times, been clean all but twice: BackDoor.Agent.BA and Downloader.Swizzor.AH. Noticed Swizzor was coming from C:\ProgramFiles\C2Media. Manually deleted that directory.
2) Ran Adaware, Spybot, NoAdware: All found nothing
3) Cleared with Tracks Eraser Pro, which had cleared off lop.com awhile ago. Nothing.
4) Re-ran Spyware Blaster. Nothing.
5) Noticed Class3SoftwarePublishers keeps re-adding itself into TempIntFiles.
6) Tried System Restore from an earlier safe point, all 3 safe points failed to restore.
7) Checked Startup via MSconfig, running processes, Add/Remove Programs, and saw nothing unusual.
8) Ran CWS Shredder. Nothing.
9) Stopped using IE, which I should have done awhile ago

Anyways, here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 10:07:34 PM, on 7/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c...ymmapi.dll
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5301388889
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Shared.../cabsa.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Thanks for any help.

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,535 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:23 PM

Posted 04 July 2004 - 07:08 PM

Fix this with hijackthis:

O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL

Then do the following:

Download the program FindNFix from the following location:
http://freeatlast100.100free.com/FINDnFIX.exe

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.

#3 Rizon

Rizon
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:23 PM

Posted 04 July 2004 - 08:51 PM

Thanks for your help Grinler.

In the time after my post, I pretty much guessed that PHKNA.dll was the offending file (no hits in Google). I was instructed to DL BHOdemon2.0. Ran that, and now the offending BHO is gone from the HijackThis log. Also the browser hijack appears to be gone.

Running FindnFix anyways ... I got errors on keys1\winkey.reg and hkey_local (cannot import). Log ran anyways. Notepad wouldn't open, as I found out it was changed to Notepad.exe.bak. Changed it back to Notepad.exe and re-ran (with same errors):


1st run
»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

»»»»» (*2*) »»»»»........
**File C:\WINDOWS\DESKTOP\UTILIT~1\%SYSTE~1\FINDNFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»»»(***5***)»»»»»



2nd run
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

»»Dumping Values........

»»Security settings for 'Windows' key:

»»Member of...: (Admin logon required!)

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

»»Notepad check....

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)

»»»»»»Backups created...»»»»»»

Invalid date
Enter new date (mm-dd-yy):

Edited by Rizon, 04 July 2004 - 08:52 PM.


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,535 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:23 PM

Posted 04 July 2004 - 11:27 PM

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the FIx button to have it remove all CWS infections it finds.

Make sure the version of cwshredder is 1.59.1

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users