Browser hijacking



#1 jank20


Posted 11 July 2004 - 07:41 PM

Hi !
I am trying to remove some browser hijacking software from my computer
but without any success.
When I open internet explorer the following web page appears every time :
res://lckit.dll/index.html#96676
I have tried several spam removing programs including "HijackThis".
When I do a scan with HijackThis I can see the files (R1 and R0) that are causing this problem and I have tried several times to delete them but for some reason I can not.
Please help me!
Here is the log file from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 5:19:31 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mfctg.exe
C:\WINDOWS\system32\ntrz32.exe
C:\Documents and Settings\Jan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lckit.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lckit.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lckit.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lckit.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lckit.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lckit.dll/sp.html#96676
O2 - BHO: (no name) - {D7347CE7-1EE8-8788-B631-57750CDD6BCB} - C:\WINDOWS\system32\ietv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ntrz32.exe] C:\WINDOWS\system32\ntrz32.exe
O4 - HKLM\..\RunOnce: [sysjd.exe] C:\WINDOWS\system32\sysjd.exe
O4 - HKLM\..\RunOnce: [crwu32.exe] C:\WINDOWS\crwu32.exe
O4 - HKLM\..\RunOnce: [wincj32.exe] C:\WINDOWS\system32\wincj32.exe
O4 - HKLM\..\RunOnce: [d3np32.exe] C:\WINDOWS\system32\d3np32.exe
O4 - HKLM\..\RunOnce: [mslx.exe] C:\WINDOWS\mslx.exe
O4 - HKLM\..\RunOnce: [javadn.exe] C:\WINDOWS\system32\javadn.exe
O4 - HKLM\..\RunOnce: [sysvk32.exe] C:\WINDOWS\sysvk32.exe
O4 - HKLM\..\RunOnce: [atlim32.exe] C:\WINDOWS\system32\atlim32.exe
O4 - HKLM\..\RunOnce: [ntum.exe] C:\WINDOWS\ntum.exe
O4 - HKLM\..\RunOnce: [mfctg.exe] C:\WINDOWS\mfctg.exe
O4 - HKLM\..\RunOnce: [ieyo32.exe] C:\WINDOWS\ieyo32.exe
O4 - HKLM\..\RunOnce: [ieyq.exe] C:\WINDOWS\ieyq.exe
O4 - HKLM\..\RunOnce: [mfczl32.exe] C:\WINDOWS\mfczl32.exe
O4 - HKLM\..\RunOnce: [javaif32.exe] C:\WINDOWS\system32\javaif32.exe
O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\ipff32.exe
O4 - HKLM\..\RunOnce: [addmn.exe] C:\WINDOWS\addmn.exe
O4 - HKLM\..\RunOnce: [netan32.exe] C:\WINDOWS\system32\netan32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8178.4307060185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


#2 Autodad


Posted 14 July 2004 - 07:40 PM

Hello jank20,

Sorry for the delay. If you still have your concern, let's try this.

Please put HJT in a Permanent folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved by HijackThis in case something goes wrong.
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.
______

Next, download About:Buster and unzip it to your desktop, but don't run it yet.
______

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it, but don't run it yet, just set it up this way:

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
___________

Make sure your PC is configured to show hidden files:

Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"
___________

Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows
___________

Now, reboot to Safe Mode (tap F8 while restarting).


Then open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {D7347CE7-1EE8-8788-B631-57750CDD6BCB} - C:\WINDOWS\system32\ietv.dll

O4 - HKLM\..\Run: [ntrz32.exe] C:\WINDOWS\system32\ntrz32.exe

O4 - HKLM\..\RunOnce: [sysjd.exe] C:\WINDOWS\system32\sysjd.exe
O4 - HKLM\..\RunOnce: [crwu32.exe] C:\WINDOWS\crwu32.exe
O4 - HKLM\..\RunOnce: [wincj32.exe] C:\WINDOWS\system32\wincj32.exe
O4 - HKLM\..\RunOnce: [d3np32.exe] C:\WINDOWS\system32\d3np32.exe
O4 - HKLM\..\RunOnce: [mslx.exe] C:\WINDOWS\mslx.exe
O4 - HKLM\..\RunOnce: [javadn.exe] C:\WINDOWS\system32\javadn.exe
O4 - HKLM\..\RunOnce: [sysvk32.exe] C:\WINDOWS\sysvk32.exe
O4 - HKLM\..\RunOnce: [atlim32.exe] C:\WINDOWS\system32\atlim32.exe
O4 - HKLM\..\RunOnce: [ntum.exe] C:\WINDOWS\ntum.exe
O4 - HKLM\..\RunOnce: [mfctg.exe] C:\WINDOWS\mfctg.exe
O4 - HKLM\..\RunOnce: [ieyo32.exe] C:\WINDOWS\ieyo32.exe
O4 - HKLM\..\RunOnce: [ieyq.exe] C:\WINDOWS\ieyq.exe
O4 - HKLM\..\RunOnce: [mfczl32.exe] C:\WINDOWS\mfczl32.exe
O4 - HKLM\..\RunOnce: [javaif32.exe] C:\WINDOWS\system32\javaif32.exe
O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\ipff32.exe
O4 - HKLM\..\RunOnce: [addmn.exe] C:\WINDOWS\addmn.exe
O4 - HKLM\..\RunOnce: [netan32.exe] C:\WINDOWS\system32\netan32.exe



Now, make sure you Close all open Windows (have only HJT open) and click "Fix Checked".

- - - - - - - -

Then, while still in safe mode, run About:Buster.
Start it, (Don't worry about the pop-up that says to fix all random objects, we just did that)
Hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

- - - - - - - -

Now run Ad-aware, while still in safe mode.

_________

Then, reboot normally and take a free on-line scan at HouseCall


After you do the above, please post a new HJT log, and your About Buster log.
A newer version of HJT is out, you can get it here
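
A small triage pass over the log format shown in this thread, as an added example (not part of either post and not HijackThis's own logic). It flags three patterns visible in the entries above: IE page settings that point at res:// URLs, a BHO listed as "(no name)", and Run/RunOnce values named after their own executable. These heuristics and the function name `triage` are assumptions for illustration; a hit is a prompt for review, not a verdict.

```python
import re
from ntpath import basename  # Windows path handling on any OS

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lckit.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lckit.dll/sp.html#96676
O2 - BHO: (no name) - {D7347CE7-1EE8-8788-B631-57750CDD6BCB} - C:\WINDOWS\system32\ietv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ntrz32.exe] C:\WINDOWS\system32\ntrz32.exe
O4 - HKLM\..\RunOnce: [mfctg.exe] C:\WINDOWS\mfctg.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "<section> - <body>"
AUTORUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")  # O4 body


def triage(log_text):
    """Return (section, reason, line) for entries matching the assumed heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # header, running-process list or blank line
        section, body = entry.groups()
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if value.lower().startswith("res://"):
                setting = key.rsplit(",", 1)[-1]
                findings.append((section, f"IE {setting} loads a res:// page from a local file", line))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((section, "browser helper object with no registered name", line))
        elif section == "O4":
            autorun = AUTORUN_RE.match(body)
            # Heuristic: the Run value is named after its own executable file.
            if autorun and autorun.group(1).lower() == basename(autorun.group(2)).lower():
                findings.append((section, "autorun value named after its own file", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```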



