Internet Explorer Hijacked [RESOLVED]

(This topic is locked.)

#1 ScottPDX (New Member, 5 posts)
I've attempted to get rid of about blank several times. Need help.

Here is HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:52 PM, on 5/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\ctfmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpA956.tmp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O16 - DPF: DigiChat Applet - http://host16.digich...s/Client_IE.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Thanks,
Scott
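The log above shows the pattern a triager looks for before touching anything: every IE start/search value under HKCU redirected to one outside host, plus an O2 BHO loaded from a .tmp file under system32 with a filled-in placeholder CLSID. The following is an added example (not code from this thread or from HijackThis) that parses HijackThis v1.99.1 log lines and flags that pattern. SAMPLE_LOG is constructed from the poster's log with the truncated URLs left out and a made-up O16 URL; BASELINE_HOSTS and the severity rules are assumptions for illustration, not a published rule set.

```python
"""Triage a HijackThis v1.99.1 log for the start-page/search hijack pattern.

Added example, not code from the thread or from HijackThis itself. SAMPLE_LOG
is constructed from lines in the poster's log (the truncated URLs are left
out and the O16 URL is made up); BASELINE_HOSTS and the heuristics are
assumptions for illustration, not a published rule set.
"""
import re

# Every HijackThis entry looks like "<section> - <detail>", e.g. "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<detail>.+)$")
REG_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<value>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFx}: a filled-in placeholder, not a registered COM class.
PLACEHOLDER_CLSID_RE = re.compile(r"^\{F{8}-F{4}-F{4}-F{4}-F{11}[0-9A-F]\}$")

# Hosts a stock IE6 install points its start/search settings at (assumed baseline).
BASELINE_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com", "ie.search.msn.com"}


def host_of(url):
    """Lower-cased host of an http(s) URL, or None for values like about:blank."""
    m = re.match(r"^https?://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return (severity, section, reason) for each suspicious entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, detail = m.group("sec"), m.group("detail")

        if sec in ("R0", "R1"):  # IE start page / search settings in the registry
            rm = REG_RE.match(detail)
            if not rm:
                continue
            key = rm.group("key").rsplit("\\", 1)[-1]
            value = rm.group("value").strip()
            host = host_of(value)
            if host and host not in BASELINE_HOSTS:
                findings.append(("high", sec, f"{key} points at non-baseline host {host}"))
            elif value.lower() == "about:blank":
                findings.append(("info", sec, f"{key} is about:blank; look for a .tmp BHO feeding it"))

        elif sec == "O2":  # Browser Helper Objects
            bm = BHO_RE.match(detail)
            if not bm:
                continue
            clsid, path = bm.group("clsid").upper(), bm.group("path")
            if path.lower().endswith(".tmp"):
                findings.append(("high", sec, f"BHO loaded from a .tmp file: {path}"))
            if PLACEHOLDER_CLSID_RE.match(clsid):
                findings.append(("high", sec, f"BHO uses placeholder CLSID {clsid}"))

        elif sec == "O16":  # ActiveX controls downloaded from the web
            um = re.search(r"(https?://\S+)", detail)
            host = host_of(um.group(1)) if um else None
            if host and not host.endswith(".microsoft.com"):
                findings.append(("medium", sec, f"ActiveX control downloaded from {host}"))

        elif "(file missing)" in detail:  # dangling entry; fixing it costs nothing
            findings.append(("low", sec, "entry references a missing file"))
    return findings


# Constructed sample: lines from the poster's log, minus the truncated URLs,
# plus a made-up O16 download URL (chat.example.net is not a real host here).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpA956.tmp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O16 - DPF: DigiChat Applet - http://chat.example.net/Client_IE.cab
"""

if __name__ == "__main__":
    for severity, section, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}")
```

The about:blank value on its own is not evidence of anything (a user can set a blank home page), which is why it is only reported as info; what makes it a hijack here is the .tmp BHO next to it, and that is what the O2 rules fire on.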
#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please do not post duplicate topics. I will close your other one now.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Right click on this link -> http://www.bleepingc...g/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Go to Start->Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with the red circle and white X. Confirm to delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
C:\WINNT\system32\hpA956.tmp


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders if they exist:

C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
C:\Windows\System32\Log Files\
C:\Program Files\Security iGuard\


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpA956.tmp


Close HijackThis.

Restart your computer.

1. Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK. Close the program.

2. Right click on this link -> http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Save the file to the Desktop. To run the inf file, right click on it and select Install. Note: This will remove all entries in the 'Trusted Zone' and 'Ranges' also.

3. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

4. Run an online scan at http://www.pandasoft...com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.
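Step 1 above resets the hosts file with Hoster. Before overwriting it, it is worth seeing what the hijack put there, because the same file is used both to redirect names to an attacker's server and to sink security vendors' sites to 127.0.0.1 so updates and scanners fail. The following is an added example (not code from this thread or from the Hoster tool) that audits a Windows hosts file and can write the stock one back. SAMPLE_HOSTS is constructed; 203.0.113.10 is a documentation address standing in for an attacker-controlled server. On Windows 2000 the real file lives at %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Audit a Windows hosts file for hijack-style entries and restore the default.

Added example, not code from the thread or from the Hoster tool it mentions.
SAMPLE_HOSTS is constructed; 203.0.113.10 is a documentation (TEST-NET-3)
address standing in for an attacker-controlled server.
"""
import ipaddress

# A stock Windows 2000 hosts file resolves exactly one name.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

# Names that are expected to point at loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, ip_or_None, [names]) for every non-comment entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            ip = None  # address field is not an IP at all
        entries.append((no, ip, [n.lower() for n in parts[1:]]))
    return entries


def audit_hosts(text):
    """Return (line_no, kind, name, ip) findings.

    kinds: 'blackhole' - a non-local name sunk to loopback/unspecified
                         (how hijackers block AV vendors and Windows Update),
           'redirect'  - a name sent to a routable address,
           'localhost' - localhost itself no longer resolves to loopback,
           'malformed' - the address field is not an IP.
    """
    findings = []
    for no, ip, names in parse_hosts(text):
        for name in names:
            if ip is None:
                findings.append((no, "malformed", name, None))
            elif name in LOCAL_NAMES:
                if not ip.is_loopback:
                    findings.append((no, "localhost", name, str(ip)))
            elif ip.is_loopback or ip.is_unspecified:
                findings.append((no, "blackhole", name, str(ip)))
            else:
                findings.append((no, "redirect", name, str(ip)))
    return findings


def restore_default_hosts(path=None):
    """Write the stock hosts file (CRLF line endings); with path=None only return it."""
    if path is not None:
        with open(path, "w", newline="\r\n") as fh:
            fh.write(DEFAULT_HOSTS)
    return DEFAULT_HOSTS


# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com             # vendor site sunk to loopback
0.0.0.0         windowsupdate.microsoft.com  # update site sunk
203.0.113.10    www.google.com               # search traffic redirected
"""

if __name__ == "__main__":
    for no, kind, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {kind:9} {name} -> {ip}")
```

A hosts-based ad blocker such as the MVPS list deliberately produces thousands of 'blackhole' findings, so compare the output against what you installed on purpose; 'redirect' entries for names you did not add yourself are the ones that matter.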

#3 ScottPDX (Topic Starter, 5 posts)
Thanks for the advice.

Here is the ActiveScan and HiJackThis Log.

Incident Status Location

Virus:Trj/Cloak.A Disinfected Operating system
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Adware:Adware/nCase No disinfected Windows Registry
Spyware:Spyware/Dyfuca No disinfected C:\WINNT\stwsi
Adware:Adware/ExactSearch No disinfected Windows Registry
Spyware:Spyware/MarketScore No disinfected C:\WINNT\system32\osconfig.dll
Adware:Adware/Popuper No disinfected C:\Online Pharmacy.url
Adware:Adware/Virmaid No disinfected C:\WINNT\system32\perfcii.ini
Virus:Trj/Clicker.FW Disinfected C:\!Submit\msole32.exe
Spyware:Spyware/Petro-Line No disinfected C:\Download\ppcsaver\backups\backup-20050308-160249-285.inf
Adware:Adware Program No disinfected C:\Download\ppcsaver\backups\backup-20050308-160251-744.inf
Adware:Adware/Startpage.YH No disinfected C:\HJT\backups\backup-20050528-184802-809.dll
Adware:Adware/Startpage.YH No disinfected C:\HJT\backups\backup-20050528-191219-429.dll
Adware:Adware/Startpage.YH No disinfected C:\HJT\backups\backup-20050528-194752-786.dll
Adware:Adware/Popuper No disinfected C:\Online Pharmacy.url
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/New.net No disinfected C:\Program Files\Support.com\backup\ne\newdotnet5_20.dll\208896_5263cd80b_[newdotnet5_20.dll]
Spyware:Spyware/New.net No disinfected C:\Program Files\Support.com\backup\ne\newdotnet5_48.dll\221184_54a64af32_[newdotnet5_48.dll]
Adware:Adware/SAHAgent No disinfected C:\WINNT\inf\bi6.inf
Virus:Trj/Dropper.IM Disinfected C:\WINNT\system32\LogFiles\A5281300.so
Possible Virus. No disinfected C:\WINNT\system32\LogFiles\T54241630.so
Virus:Trj/Cloak.A Disinfected C:\WINNT\system32\oleadm.dll
Spyware:Spyware/MarketScore No disinfected C:\WINNT\system32\osconfig.dll
Adware:Adware/Virmaid No disinfected C:\WINNT\system32\perfcii.ini
Adware:Adware/TopSpyware No disinfected C:\WINNT\system32\winnook.exe

Logfile of HijackThis v1.99.1
Scan saved at 1:39:42 PM, on 5/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\CWShredder\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe



Scott

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi Scott, for the log you just posted here, was it run in Safe Mode or Normal Mode? Make sure you are giving me the log in Normal Mode if it's not.

OK, I want you to delete these:

C:\Program Files\MySearch
C:\WINNT\stwsi
C:\!Submit\msole32.exe
C:\Download\ppcsaver\backups\backup-20050308-160249-285.inf
C:\Download\ppcsaver\backups\backup-20050308-160251-744.inf
C:\HJT\backups\backup-20050528-184802-809.dll
C:\HJT\backups\backup-20050528-191219-429.dll
C:\HJT\backups\backup-20050528-194752-786.dll
C:\Online Pharmacy.url
C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
C:\Program Files\Support.com\backup\ne\newdotnet5_20.dll\
C:\WINNT\inf\bi6.inf
C:\WINNT\system32\LogFiles\
C:\WINNT\system32\oleadm.dll
C:\WINNT\system32\osconfig.dll
C:\WINNT\system32\perfcii.ini
C:\WINNT\system32\winnook.exe


Update Ad-aware and Spybot and run their scans. Fix whatever those two programs find.

If your HijackThis was run in Safe Mode, please repost a new log. Otherwise:

Your log is clean.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
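The delete list in the reply above is derived by hand from the ActiveScan report: drop the rows ActiveScan already disinfected, drop the duplicates it prints (the Popuper and MarketScore rows appear twice), and keep the rest. The following is an added example (not code from this thread or from Panda) that does that bucketing over the report's text format. SAMPLE_REPORT is a subset of the lines the poster pasted; the bucket names are mine. Two buckets are separated out because they need judgement rather than deletion: paths under HijackThis's own backups folder (C:\HJT\backups\, the copies HijackThis keeps of items it has fixed) and the EICAR hit, which is the standard harmless antivirus test string sitting inside PestPatrol's help file.

```python
"""Turn Panda ActiveScan's text report into an action list.

Added example, not the forum's or Panda's code. SAMPLE_REPORT is a subset of
the lines the poster pasted; the bucket names are assumptions for illustration.
"""
import re

# Report rows: "<incident> <status> <location>", status is one of two fixed phrases.
LINE_RE = re.compile(r"^(?P<incident>.+?) (?P<status>No disinfected|Disinfected) (?P<location>.+)$")
# "container[member]": a hit inside an archive or compound file, not a file of its own.
MEMBER_RE = re.compile(r"^(?P<container>.+)\[(?P<member>[^\]]+)\]$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_report(text):
    """Return (incident, status, location) tuples; header and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rows.append((m.group("incident"), m.group("status"), m.group("location")))
    return rows


def action_list(text):
    """Bucket the report into what still needs manual work and what does not."""
    buckets = {"delete": [], "archive_member": [], "registry": [],
               "tool_backup": [], "test_signature": [], "already_disinfected": []}
    seen = set()
    for incident, status, location in parse_report(text):
        if status == "Disinfected":
            buckets["already_disinfected"].append(location)
            continue
        if location in seen:  # ActiveScan lists some hits twice
            continue
        seen.add(location)
        if not DRIVE_RE.match(location):  # "Windows Registry" and similar
            buckets["registry"].append((incident, location))
        elif "eicar" in incident.lower():  # the EICAR test string, harmless by design
            buckets["test_signature"].append(location)
        elif "\\hjt\\backups\\" in location.lower():  # HijackThis's own backups
            buckets["tool_backup"].append(location)
        elif MEMBER_RE.match(location):
            mm = MEMBER_RE.match(location)
            buckets["archive_member"].append((mm.group("container"), mm.group("member")))
        else:
            buckets["delete"].append(location)
    return buckets


# Subset of the report in the poster's reply (constructed selection, real rows).
SAMPLE_REPORT = r"""
Incident Status Location
Virus:Trj/Cloak.A Disinfected Operating system
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Spyware:Spyware/MarketScore No disinfected C:\WINNT\system32\osconfig.dll
Adware:Adware/Popuper No disinfected C:\Online Pharmacy.url
Virus:Trj/Clicker.FW Disinfected C:\!Submit\msole32.exe
Adware:Adware/Startpage.YH No disinfected C:\HJT\backups\backup-20050528-184802-809.dll
Adware:Adware/Popuper No disinfected C:\Online Pharmacy.url
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/New.net No disinfected C:\Program Files\Support.com\backup\ne\newdotnet5_20.dll\208896_5263cd80b_[newdotnet5_20.dll]
Possible Virus. No disinfected C:\WINNT\system32\LogFiles\T54241630.so
Spyware:Spyware/MarketScore No disinfected C:\WINNT\system32\osconfig.dll
"""

if __name__ == "__main__":
    for bucket, items in action_list(SAMPLE_REPORT).items():
        print(f"{bucket}:")
        for item in items:
            print(f"  {item}")
```

For an archive member the only thing you can delete is the container, which is what the reply does with Help.chm; whether that is acceptable depends on what else the container holds, so the example keeps those rows apart from plain file deletions.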

#5 ScottPDX (Topic Starter, 5 posts)
greyknight17,

Log was posted in regular mode. I will go back through these files first thing tomorrow AM and repost. Thanks for the help.

Scott

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem. You should be ok then if it's posted in Normal Mode.

You may reply back on how the computer is running. If everything is ok, I will close this topic.

#7 ScottPDX (Topic Starter, 5 posts)
greyknight17,

Reran the Ad-aware and Spybot, found a few 'negligible' files and killed them. Previous HijackThis was run in normal mode. I will definitely be more diligent in the future.

This is a great site, keep up the good work.

Thanks much for your help,

Scott

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





