
Browser Hijacked by home search


3 replies to this topic

#1 optimist

optimist

  • Members
  • 2 posts

Posted 15 October 2004 - 02:31 AM

Hi,
I am having a very serious problem with my Internet Explorer, so I am posting this problem to get a solution from you. My operating system is Windows 2000 Server and Internet Explorer 6 is installed on it. It is a file server in the office, and the mail server MDaemon is also installed on it, so I am very scared to do any kind of spyware search on it. Even though I used Lavasoft Ad-aware, Spyware Remover, Spyware Doctor, SpyKiller etc. to remove the spyware and recover my default page, none of them succeeded.

Now I am having a new problem: whenever I try to run the WinISIS program, which used to run very smoothly before the browser was hijacked, it initially showed the error message "could not load shell.dll", but now it shows "c:\winnt\system32\autoexec.nt. The system is not suitable for running MS-DOS and Microsoft Windows applications". Also, when I open a file with Notepad, it is open for some time and then Notepad suddenly disappears, and I have to open Notepad again to open that file.

To solve this problem I scanned my computer with HijackThis. It shows some website addresses, and even after I removed those entries my browser page was recovered for a while, but when I open Internet Explorer more than 2 or 3 times the same hijacked browser page comes back again. Also a popup named "only the best" keeps coming up frequently. So I request you to please give me a proper solution by which I can solve this problem. I have also included the HijackThis log file with this post, which is as follows:

Logfile of HijackThis v1.98.0
Scan saved at 12:25:57 PM, on 10/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\MDaemon\APP\MDAEMON.EXE
C:\PROGRA~1\SAV\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SAV\vptray.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\system32\sdkdj.exe
C:\MDaemon\APP\cfengine.exe
C:\WINNT\PSADMIN.INI:ibosf
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\MDaemon\WorldClient\WorldClient.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bbqbo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bbqbo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\bbqbo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bbqbo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bbqbo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bbqbo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bbqbo.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9F1C13DA-0A95-1E5B-F325-9B1F52DA817F} - C:\WINNT\system32\crfo32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sdkdj.exe] C:\WINNT\system32\sdkdj.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8ab2292e6aa4d79
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winrock.org.np
O17 - HKLM\System\CCS\Services\Tcpip\..\{49C6C2EF-B1C6-41BE-A3CA-D9932FF20C17}: NameServer = 202.52.255.3 202.52.255.47
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D40C217-7452-447A-A8CA-0D613214B0D7}: NameServer = 202.52.255.47,202.52.255.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{771E443F-B771-4AEA-AEA2-57BF48BFC40C}: NameServer = 202.52.255.47,202.52.255.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winrock.org.np
O17 - HKLM\System\CS1\Services\Tcpip\..\{49C6C2EF-B1C6-41BE-A3CA-D9932FF20C17}: NameServer = 202.52.255.3 202.52.255.47
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winrock.org.np

Looking forward to the best solution from you.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • Gender:Male
  • Location:USA

Posted 15 October 2004 - 07:15 AM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log.

#3 optimist

optimist
  • Topic Starter

  • Members
  • 2 posts

Posted 17 October 2004 - 11:41 PM

Hello,
Thanks for your reply. As you asked in your previous post, I have included a new HijackThis log file, made after downloading the version from the location you gave. The log is:

Logfile of HijackThis v1.98.2
Scan saved at 10:17:04 AM, on 10/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\MDaemon\APP\MDAEMON.EXE
C:\PROGRA~1\SAV\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
C:\WINNT\PSADMIN.INI:ibosf
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\svchost.exe
C:\MDaemon\APP\cfengine.exe
C:\MDaemon\WorldClient\WorldClient.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SAV\vptray.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\system32\sdkdj.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wamld.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wamld.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D2B54343-1C4F-F773-4A2E-9AB9CDC4EC0A} - C:\WINNT\atlhe32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [sdkdj.exe] C:\WINNT\system32\sdkdj.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8ab2292e6aa4d79
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = winrock.org.np
O17 - HKLM\System\CCS\Services\Tcpip\..\{49C6C2EF-B1C6-41BE-A3CA-D9932FF20C17}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D40C217-7452-447A-A8CA-0D613214B0D7}: NameServer = 202.52.255.47,202.52.255.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{771E443F-B771-4AEA-AEA2-57BF48BFC40C}: NameServer = 202.52.255.47,202.52.255.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = winrock.org.np
O17 - HKLM\System\CS1\Services\Tcpip\..\{49C6C2EF-B1C6-41BE-A3CA-D9932FF20C17}: NameServer = 127.0.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = winrock.org.np

Thanks for your help.

#4 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • Location:Whitby. Ont.

Posted 18 October 2004 - 12:31 AM

optimist, welcome.

Please print this out and follow ALL these directions carefully.

This is a new CoolWebSearch (CWS) hijack infection and is hard to remove.

Note: Every time you reboot the files multiply and change names. This process is like exterminating cockroaches.

Please download the tool called about:buster from
http://www.downloads.subratam.org/AboutBuster.zip
or
http://www.majorgeeks.com/download4289.html

Unzip it to your desktop.

In WinME/XP turn off System Restore.
http://www.arnoldco.com/help/html/disable_restore.html

Then reboot into Safe Mode by tapping F8 key repeatedly during bootup.
Enable System Restore after the infection is removed.

Double click aboutbuster.exe, click OK, click Start, then click OK.
This will scan your computer for the bad files and delete them.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.

Move HijackThis.exe into this folder as you do not want the HijackThis backup logs all over your Desktop.

When you run HijackThis from the C:\HJT folder by double clicking on it and use "Fix checked", it will create a backup file of the modifications, to use if a restore is necessary.

Now start HijackThis and tick the boxes next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wamld.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wamld.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D2B54343-1C4F-F773-4A2E-9AB9CDC4EC0A} - C:\WINNT\atlhe32.dll
O4 - HKLM\..\Run: [sdkdj.exe] C:\WINNT\system32\sdkdj.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8ab2292e6aa4d79


Now close ALL windows and hit fix checked.
Do not open internet explorer to come back here until after running the tool.

Additional information:
http://www.silentrunners.org/sr_cwsremoval.html

Post a new log here to ensure the infection is gone.

Install the prevention protection below and help keep your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Ensure that Index.dat Suite is set up to empty the Temp folders, especially
C:\Documents and Settings\{user}\Local Settings\Temp
then run the Find, create the run.bat and reboot to have it remove what it finds.

{user} is the Administrator User Account ID.
Removal of infections and prevention protection should be done on ALL User Account IDs.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD (then run the install.bat in the ie-spyad folder) and SpywareBlaster, and keep them up to date, as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html
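The entries CalamityKen ticked above can be picked out mechanically. The script below is an added example (not from the thread, not part of HijackThis): it parses lines in the HijackThis log format and flags the hijack patterns this thread shows. The sample lines are copied from the logs posted above, not a full log; the O4 and O17 rules are heuristics that still need a human reviewer.

```python
import re

# Constructed sample in HijackThis 1.98 log format. The entries are copied from
# the logs posted in this thread; this is not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wamld.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D2B54343-1C4F-F773-4A2E-9AB9CDC4EC0A} - C:\WINNT\atlhe32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [sdkdj.exe] C:\WINNT\system32\sdkdj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{49C6C2EF-B1C6-41BE-A3CA-D9932FF20C17}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D40C217-7452-447A-A8CA-0D613214B0D7}: NameServer = 202.52.255.47,202.52.255.3
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")   # "R1 - ...", "O4 - ..."
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)")     # "[name] C:\path\file.exe args"

def classify(sec, body):
    """Return a reason string if the entry matches a hijack pattern from this thread, else None."""
    if sec in ("R0", "R1") and "res://" in body and ".dll" in body.lower():
        return "IE start/search page served from a local DLL resource (CWS style)"
    if sec == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if sec == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed Browser Helper Object"
    if sec == "O4":
        m = RUN_RE.search(body)
        # Heuristic: the Run value is named after its own executable, as sdkdj.exe is.
        if m and m.group("name").lower() == m.group("cmd").split("\\")[-1].lower():
            return "Run value named after its own executable (heuristic, review)"
    if sec == "O17" and body.rstrip().endswith("NameServer = 127.0.0.1"):
        # Legitimate only where the host itself runs DNS (this thread's box runs dns.exe).
        return "DNS pointed at localhost (review: expected only on a DNS server)"
    return None

def triage(log_text):
    """Parse a HijackThis log and return (section, reason, line) for each flagged entry."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header, "Running processes:" block, blanks
        reason = classify(m.group("sec"), m.group("body"))
        if reason:
            hits.append((m.group("sec"), reason, line))
    return hits

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {line}")
```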



