Jump to content


Photo

Browser Hijack - Tried Everything!!


  • This topic is locked This topic is locked
7 replies to this topic

#1 Crezner

Crezner

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 15 July 2004 - 10:49 AM

I've tried Spybot S & D, AD Aware, Cool Web Site Shredder, Buster and manual deletion of registry entries. CSW and Buster both correct my problem - until I turn off my computer and turn it on again.

The home page is changed to "about blank" and I get a serach engine that's not identified by name. BH Deomon says it's Cool Web Site but the shredder does not correct the problem longer than one session. Like I said, I turn the compter off and when I turn back on I'm back to the same start up page.

Here's the logfile:

Logfile of HijackThis v1.97.7
Scan saved at 11:53:26 AM, on 07/15/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.234.135.249:6588
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {6E1A2102-D655-11D8-982D-000214DF5FC9} - C:\WINDOWS\SYSTEM\ohmn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} (MSN Chat Control 4.1) - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab

No matter what I do, my start up page gets reset to about blank and this frigging search page everytime I turn my computer back on.

Thanks for your help!

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 15 July 2004 - 04:03 PM

Download StartDreck from here. Unzip to its own folder and start the program:

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes

Press 'Ok'. Press 'Save' and select the location to save the log file (default is the same folder as the application). Post the log in this thread.
Posted Image

#3 Crezner

Crezner

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 July 2004 - 08:39 AM

Download StartDreck from here. Unzip to its own folder and start the program:

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes

Press 'Ok'. Press 'Save' and select the location to save the log file (default is the same folder as the application). Post the log in this thread.

Here it is:



StartDreck (build 2.1.5 public BETA) - 2004-07-16 @ 09:46:30
Platform: Windows 98 SE (Win 4.10.2222 A)

舞egistry
舞un Keys
翟urrent User
舞un
舞unOnce
聞efault User
舞un
*ATI Launchpad=
舞unOnce
腿ocal Machine
舞un
*SystemTray=SysTray.Exe
*vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
*EnsoniqMixer=starter.exe
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
舞unOnce
舞unServices
*rtvscn95=C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
*defwatch=C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
舞unServicesOnce
**jl=rundll32 C:\WINDOWS\SYSTEM\LOGGJ.DLL,StreamingDeviceSetup
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
*FF0F81B5=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFC1D5=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFCC45=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE5AB1=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
*FFFE9AB1=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
*FFFEE499=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFD2D5D=C:\WINDOWS\RUNDLL32.EXE
*FFFC4B01=C:\WINDOWS\EXPLORER.EXE
*FFFB4DDD=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFB4E15=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
*FFFBE381=C:\WINDOWS\STARTER.EXE
*FFFBC285=C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
*FFFA778D=C:\PROGRAM FILES\PALM\HOTSYNC.EXE
*FFF921C9=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFFDE481=C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
*FFF832C5=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
翠pplication specific

#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 16 July 2004 - 11:57 AM

Download Win98Fix.zip from here.

Unzip to its own folder. Open Folder and double click on RunFix.reg file. Hit 'Yes' to merge it into your registry. Restart your computer. The bad file should now be visible so you can delete it.

Browse to c:\windows\system\LOGGJ.DLL then delete it.

Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done. Rescan with HJT and post a new log in your next reply.
Posted Image

#5 Crezner

Crezner

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 July 2004 - 02:07 PM

Download Win98Fix.zip from here.

Unzip to its own folder. Open Folder and double click on RunFix.reg file. Hit 'Yes' to merge it into your registry. Restart your computer. The bad file should now be visible so you can delete it.

Browse to c:\windows\system\LOGGJ.DLL then delete it.

Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done. Rescan with HJT and post a new log in your next reply.

Here it is.






Logfile of HijackThis v1.97.7
Scan saved at 3:13:12 PM, on 07/16/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.234.135.249:6588
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} (MSN Chat Control 4.1) - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab

#6 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 16 July 2004 - 02:12 PM

Looks OK now - how is it running?

(I assume you recognise the proxy server setting?)
Posted Image

#7 Crezner

Crezner

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 July 2004 - 08:40 PM

Looks OK now - how is it running?

(I assume you recognise the proxy server setting?)

It seems ok. When I deleted the file LOGGJ.DLL I could tell something good happened.

I'll find out more on Monday. I've gotten rid of the hijack before only to have it pop back on hours later.

I can tell you that I've wasted hours trying to figure this out. I learned a lot but really got frusterated not being able to fix this. You're my new hero. How did you learn this stuff?

I'd love help out if a regular computer user can learn this stuff. I'm so pissed at the people that produce this scumware and I'm interested in learning more. I've helped friends using CSW shredder and some of the other utilities, but these hidden files are way beyond me.

Any ideas where I could learn enough to help out?

Thanks again. I'll report back to this thread if things don't work out.

PS Yes, that's my proxy server setting.

THANKS AGAIN....I'M IMPRESSED BY YOUR SKILLS!

#8 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 17 July 2004 - 04:46 AM

You're welcome - glad to help :D It won't come back.

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?


If you want to help out, have a look at the training schemes here:

http://forums.spywar...w=findpost&p=95




As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button