hijacked to isgaw.dll



#1 peakin (New Member, 1 posts)

Posted 08 July 2004 - 08:24 PM

My Internet Explorer default homepage is hijacked to the following search webpage:

res://isgaw.dll/index.html#10213.

Adware pop-ups also start immediately after the offending search webpage installs. I have had this problem for over a month. At an earlier date a search toolbar was also added but this no longer happens. I found your website in seeking to rectify the situation and read the FAQ.

I downloaded and ran Spybot and Ad-aware with the latest updates. Spybot had no impact. The download version of Adaware found additional files to Spybot, but removing them also had no impact on the problem. When I downloaded the 7 July 2004 Ad-aware reference file and put it in the Ad-aware directory and reran Ad-aware it found 12 additional files, a couple containing the isgaw.dll marker. Once the 12 files were deleted the problem was fixed – until I next reopened Internet Explorer. At that point the same problems recurred. I deleted the files again, rebooted the PC, and reran Ad-aware. There were no malware files found. The first time I opened Internet Explorer the default website reverted to MSN.com, the original default. That was a good sign I thought. I then closed Internet Explorer and opened it again. This time the old problems recurred. On running Ad-aware again it found most of the malware files previously deleted – 8 on one occasion, 10 on another, although the two isgaw-marked files were present on both occasions.

The 10 offending files apparently unique to my problem as determined by Ad-aware are:

Object
\windows\system32\apigt.exe
\windows\system32\sysfq.exe
\documents and settings\phil\cookies\phil@atdmt[1].txt
\documents and settings\phil\cookies\phil@cgi-bin[1].txt
\documents and settings\phil\cookies\phil@doubleclick[1].txt
\Software\Microsoft\Internet Explorer\Main"Start Page" ("res://isgaw.dll/index.html#10213")
\Software\Microsoft\Internet Explorer\Main"Default_Page_URL" ("res://isgaw.dll/index.html#10213")
\Microsoft\Windows\CurrentVersion\Uninstall\HSA\
\Microsoft\Windows\CurrentVersion\Uninstall\SE\
\Microsoft\Windows\CurrentVersion\Uninstall\SW\

The common vendor was CoolWeb. I significantly abbreviated the verbiage in this list hoping to avoid a rule infringement.

The HijackThis log is below:

Logfile of HijackThis v1.97.7
Scan saved at 10:32:24 AM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Windows\system32\apigt.exe
C:\Windows\system32\sysfq.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...PT/0409/bF8.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\isgaw.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://isgaw.dll/index.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://isgaw.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\isgaw.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://isgaw.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\isgaw.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AC68E9F9-CEC1-9AC6-4FA4-E4F9875AC41B} - C:\Windows\system32\mfcxx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [javate32.exe] C:\Windows\system32\javate32.exe
O4 - HKLM\..\Run: [sysfq.exe] C:\Windows\system32\sysfq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\Windows\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7880.9740972222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

A possibly associated problem is that almost every time I click or a new webpage loads I get a dialogue box attempting to install a patch to Microsoft Office Professional XP that prompts me to insert the relevant CD to continue the process. I never requested or knowingly downloaded such a patch and don’t desire to install it. How do I keep the install boxes from popping up? If you wish I can start a new string for this one.

Hope you can help. Thanks in advance.

#2 CalamityJane (SWI Junkie, Emeritus, 313 posts)

Posted 13 July 2004 - 05:14 PM

Hello peakin.

Thanks for being so patient.

1. Download this tool called AboutBuster http://www.downloads...AboutBuster.zip

Unzip it to your desktop but don't run it yet.

2. You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File # : 01R332 12.07.2004 or higher listed.

3. Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

4. Make sure your PC is configured to show hidden files

Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders", then click "Apply" then "OK".

5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

6. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

7. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\isgaw.dll/sp.html#10213

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://isgaw.dll/index.html#10213

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://isgaw.dll/index.html#10213

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\isgaw.dll/sp.html#10213

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://isgaw.dll/index.html#10213

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\isgaw.dll/sp.html#10213

O2 - BHO: (no name) - {AC68E9F9-CEC1-9AC6-4FA4-E4F9875AC41B} - C:\Windows\system32\mfcxx.dll

O4 - HKLM\..\Run: [javate32.exe] C:\Windows\system32\javate32.exe

O4 - HKLM\..\Run: [sysfq.exe] C:\Windows\system32\sysfq.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\Windows\System32\toolbar.dll/SEARCH.HTML

and delete the following files if present.

C:\Windows\system32\apigt.exe

C:\Windows\system32\sysfq.exe

C:\Windows\isgaw.dll

C:\Windows\system32\mfcxx.dll

C:\Windows\system32\javate32.exe

C:\Windows\system32\sysfq.exe

C:\Windows\System32\toolbar.dll

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. NOTE: Please check your hosts file. Download the Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself
13. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.

14. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Post a fresh HijackThis log and the AboutBuster report back here please.
Microsoft MVP Windows-Security 2003-2009
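A defender-side way to triage a log like the one posted above, as an added example that is not part of this thread and not HijackThis's own logic: a small Python scanner that applies the patterns CalamityJane marks for fixing (IE start/search pages pointing at a `res://` DLL, an unnamed BHO loaded from system32, a Run entry named after its own binary, a context-menu item served from a `res://` DLL) to sample lines adapted from the posted log. The heuristics and the constructed sample are this example's own assumptions, and a hit is a triage lead, not proof of infection.

```python
import re
# Constructed sample input: lines adapted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\isgaw.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://isgaw.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/example
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AC68E9F9-CEC1-9AC6-4FA4-E4F9875AC41B} - C:\Windows\system32\mfcxx.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sysfq.exe] C:\Windows\system32\sysfq.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\Windows\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
SYSTEM32 = "\\system32\\"

def classify(line):
    """Heuristics written for this example; returns (category, detail) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        # IE start/search/default page pointing into a DLL resource: the CWS signature above.
        key, _, value = body.partition(" = ")
        if value.lower().startswith("res://"):
            return ("hijacked-ie-setting", key.split(",")[-1] + " -> " + value)
    elif kind == "O2":  # unnamed browser helper object loaded from system32
        path = body.rsplit(" - ", 1)[-1]
        if "(no name)" in body and SYSTEM32 in path.lower():
            return ("unnamed-bho-in-system32", path)
    elif kind == "O4":  # Run entry named after its own binary, living in system32
        r = RUN_RE.search(body)
        if r and r.group("name").lower() == r.group("path").rsplit("\\", 1)[-1].lower() \
                and SYSTEM32 in r.group("path").lower():
            return ("autorun-named-after-binary", r.group("path"))
    elif kind == "O8":  # context-menu item served from a res:// DLL under \Windows
        target = body.rsplit(" - ", 1)[-1]
        t = target.lower()
        if t.startswith("res://") and ".dll/" in t and "\\windows\\" in t:
            return ("context-menu-res-dll", target)
    return None

def scan_log(text):
    """Returns [(category, detail, line), ...] for every suspicious line of a log."""
    return [(*hit, line.strip()) for line in text.splitlines()
            for hit in [classify(line)] if hit]
```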
