Stubborn Hijack, Help Appreciated



#1 apgwyn


Posted 27 June 2004 - 09:14 AM

Have read Articles and FAQs and cannot resolve.

Browser locates unknown page on IE launch, titled 'Home Search'. Addressed as 'res://jrwef.dll/index.html#10213'. Launches online or when offline. Cannot find file of that name when searching.

Ad-Aware 6 shows clean. Spybot shows 'DSO Exploit' 5 entries which return after fix. All Microsoft updates are downloaded. HT Log, att. shows 1 BHO entry 'apilz.dll' I cannot identify from list of known BHOs, which looks bad, but what do I know. HT Log also shows 3 HKLM entries I can't find in pacman list; 'pctspk.exe' and 'sbautoupdate.exe' look OK but 'ipzr32.exe' looks bad. Again, I'm not qualified to say. The R1 and R0 entries return after 'fixing' by HT.

IE functionality seems unaffected except sometimes Google searches are re-directed to a search the search engines thing. Otherwise only problem is on launch, but I don't like it even so.

Also checked *.tmp files, several of which were 'read only' or 'access denied' so I left them alone, 'cause worried about ignorant deleting. Checked 1 harmless [*.hta] file and 57 [*.js] files which look OK but can't be sure. I've run out of instructions I can find on the Net and don't want to do any deleting in HT without advice from experts. Not very technical and would appreciate any help.

Thanks apG

HT Log Attached
Logfile of HijackThis v1.97.7
Scan saved at 4:05:32 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\netfc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ipzr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HYJACK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jrwef.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jrwef.dll/index.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jrwef.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jrwef.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jrwef.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jrwef.dll/sp.html#10213
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {92FF6D65-A3E5-8CBB-8A78-0C0B4826792D} - C:\WINDOWS\apilz.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ipzr32.exe] C:\WINDOWS\ipzr32.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
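
A triage pass over the log above, as an added example that is not part of the original post: it reads HijackThis entry lines and lists the ones matching the two patterns the poster noticed, IE start/search pages served from a DLL via `res://` and BHO or Run entries sitting directly in C:\WINDOWS. The function names and both heuristics are assumptions made for this example; a match is a prompt for closer inspection, not a verdict.

```python
import re
from ntpath import dirname, normpath

# Lines copied from the HijackThis log in the post above (a subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jrwef.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jrwef.dll/index.html#10213
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {92FF6D65-A3E5-8CBB-8A78-0C0B4826792D} - C:\WINDOWS\apilz.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ipzr32.exe] C:\WINDOWS\ipzr32.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RES_URL = re.compile(r"=\s*res://(?P<module>[^#]+?\.dll)/", re.I)
BHO = re.compile(r"^BHO: .*? - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I)
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def in_windows_root(path):
    """True when the file sits directly in C:\\WINDOWS, not a subfolder."""
    return normpath(dirname(path.strip('"'))).lower() == r"c:\windows"

def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m["code"], m["body"]
        if code in ("R0", "R1") and (r := RES_URL.search(body)):
            findings.append((code, "IE page served from a DLL resource", r["module"]))
        elif code == "O2" and (b := BHO.match(body)) and in_windows_root(b["path"]):
            findings.append((code, "BHO loaded from the Windows root", b["path"]))
        elif code == "O4" and (r := RUN.match(body)):
            exe = r["cmd"].split(" /")[0]  # drop switches such as /background
            if in_windows_root(exe):
                findings.append((code, "Run entry in the Windows root", exe))
    return findings

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```

The O8 line is left alone even though it also uses `res://`, because only the R0/R1 browser-page entries are checked for that scheme.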

#2 apgwyn


Posted 01 July 2004 - 04:49 PM

Close topic.

Followed advice on other postings. Thanks to all. Updated Ad-Aware helped most of problem and deletions of unrecognised keys by HT plus took advice from Galterie to delete all unknown same size dll files. This seems to have cured problem. Once again thanks for a great resource.

apG





Member of ASAP and UNITE
Support SpywareInfo Forum - click the button