homepage hijack.....hijack this log, please help.


8 replies to this topic

#1 seth17

seth17

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 14 July 2004 - 09:09 PM

I've been hijacked by CoolWebSearch (I think) and it keeps changing my homepage, searchpage, etc. I have no clue what to do anymore because I have run HijackThis like a billion times, as with Ad-Aware, Spybot, and About:Buster. These programs delete the problem, but it keeps coming back. But I don't know how to look for hidden files, so I can't delete it.

THANK YOU SO MUCH IN ADVANCE

HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 10:08:46 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\apphw.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\WINDOWS\atlaj32.exe
C:\Program Files\aim\aim.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\spyware programs\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pnzkw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pnzkw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pnzkw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pnzkw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pnzkw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pnzkw.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Heather Crisco\Application Data\Mozilla\Profiles\default\zi0l0i3t.slt\prefs.js)
O2 - BHO: (no name) - {C6302F10-16C9-D3F6-3517-DD4CF6ED9FE1} - C:\WINDOWS\ieaw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [atlaj32.exe] C:\WINDOWS\atlaj32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#2 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 14 July 2004 - 10:45 PM

Download the tool About:Buster created by Rubber Ducky. Atri's Site or Sub's Site
Even if you downloaded this file yesterday, please do so again, as About:Buster could be updated more than once a day. Don't run it just yet.

Close ALL open windows such as IE, OE, Chat

Start up HijackThis; it should be the only window open or on your taskbar

Press Ctrl+Alt+Del and 'end task' on any of the following that are present
C:\WINDOWS\apphw.exe
C:\WINDOWS\atlaj32.exe

Put a check next to these in HijackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C6302F10-16C9-D3F6-3517-DD4CF6ED9FE1} - C:\WINDOWS\ieaw32.dll
O4 - HKLM\..\Run: [atlaj32.exe] C:\WINDOWS\atlaj32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <--- Optional but highly recommended to remove; not needed at start and a huge resource hog
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <----- Fix unless you or your system administrator has put this restriction into place using HijackThis or SpywareBlaster

THEN, WITH ALL OTHER WINDOWS CLOSED, press "Fix".

Start About:Buster >OK>Start>Ok. Let it run; when done it will give you a log, save a copy of it.
Run About:Buster again; save the log again but use a different name.

Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:- <--- Just click that link for details on how to show hidden files.
C:\WINDOWS\ieaw32.dll
C:\WINDOWS\atlaj32.exe
C:\WINDOWS\apphw.exe
Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"


Then reboot and post a fresh HijackThis log back to this thread along with the two About:Buster logs.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

PROUD member Since 2004

#3 seth17

Posted 14 July 2004 - 11:59 PM

How do I delete those files? Basically, what do I do from here:

C:\WINDOWS\ieaw32.dll
C:\WINDOWS\atlaj32.exe
C:\WINDOWS\apphw.exe
Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"


And do I just put my user name in the <your profile> place?

#4 jwbirdsong

Posted 15 July 2004 - 12:21 AM

How do I delete those files? Basically, what do I do from here:

C:\WINDOWS\ieaw32.dll
C:\WINDOWS\atlaj32.exe
C:\WINDOWS\apphw.exe
For these three, just go to the C:\windows folder and look for the listed files (make sure of your 'Show hidden file' settings) and just Rt. click the file and choose delete.
Or you can Start>Search>Files and Folders> type in the filename; ieaw32.dll for example; and let the computer find the files for you, Rt. click and choose delete (or you can just drag a file to the recycle bin.)


Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
  • C:\Windows\Temp\
The above sentence is pretty straightforward. In this one, open the C:\Windows\Temp folder, select and delete everything in the C:\Windows\Temp folder, including any other folders in there... Just don't delete C:\Windows\Temp <----- temp itself
Repeat for all the rest of the folders in the list.

  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\  <-------Yes <Your Profile> will be your(?) name
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"  <----- This one is very important

If you have some stubborn files that you can't delete, reboot to Safe Mode (instructions) and try from there... You will ALWAYS have a few files that CAN'T be deleted from anywhere... it's fine.


Answers above in BOLD

#5 seth17

Posted 15 July 2004 - 12:46 AM

I need to know how to delete hidden files. I have no idea what to look for. But my CoolWebSearch variant keeps changing itself, so I need to find the hidden file that it is to delete it. Can anyone help me, or give me tips on what to do?

I have Windows XP (if that helps).

#6 seth17

Posted 15 July 2004 - 03:57 PM

I've posted quite a lot, but I always seem to lose them. Sorry for all the posts. I'll try to keep up with this one. :D Anyways... I don't know if I have a CoolWebSearch variant or not, but my homepage keeps getting reset. I've run Ad-Aware, Spybot, About:Buster, and many other things in normal and safe mode, but this thing just keeps coming back and I have no idea what files to look for to delete it. Here is my HijackThis log, and any help will be greatly appreciated. Thanks in advance.


Logfile of HijackThis v1.98.0
Scan saved at 4:56:23 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\apphw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netou.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\spyware programs\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\guyuc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://guyuc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://guyuc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\guyuc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\guyuc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://guyuc.dll/index.html#96676
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.bellsout...htm&only=y&ck="); (C:\Documents and Settings\Heather Crisco\Application Data\Mozilla\Profiles\default\zi0l0i3t.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Heather Crisco\Application Data\Mozilla\Profiles\default\zi0l0i3t.slt\prefs.js)
O2 - BHO: (no name) - {C6302F10-16C9-D3F6-3517-DD4CF6ED9FE1} - C:\WINDOWS\ieaw32.dll
O4 - HKLM\..\Run: [netou.exe] C:\WINDOWS\netou.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

For the moment, I'm using Mozilla Firefox as my browser, but this is my sister's computer and she would like to use IE. So, I am trying to fix this homepage, searchpage, etc. hijack problem for her.
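
Added example, not part of the original thread or any poster's code: a small Python triage script that compares the two HijackThis logs posted above (14 and 15 July) and reports which entries persisted and which were replaced. The log excerpts are copied from this thread; the three matching rules are assumptions chosen for illustration, not HijackThis's own logic or a verdict on any file.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread.
LOG_JUL14 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pnzkw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pnzkw.dll/index.html#96676
O2 - BHO: (no name) - {C6302F10-16C9-D3F6-3517-DD4CF6ED9FE1} - C:\WINDOWS\ieaw32.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [atlaj32.exe] C:\WINDOWS\atlaj32.exe
"""
LOG_JUL15 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\guyuc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://guyuc.dll/index.html#96676
O2 - BHO: (no name) - {C6302F10-16C9-D3F6-3517-DD4CF6ED9FE1} - C:\WINDOWS\ieaw32.dll
O4 - HKLM\..\Run: [netou.exe] C:\WINDOWS\netou.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # section code, rest of line
RES_DLL = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/", re.I)   # DLL behind a res:// URL
WIN_EXE = re.compile(r"C:\\WINDOWS\\([^\\\s]+\.exe)\s*$", re.I)  # exe directly in C:\WINDOWS


def indicators(log):
    """Return a set of (kind, filename) pairs worth a closer look (assumed rules)."""
    found = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, text = m.groups()
        if code in ("R0", "R1"):            # IE start/search page served from a local DLL
            dll = RES_DLL.search(text)
            if dll:
                found.add(("ie-page-dll", dll.group(1).lower()))
        elif code == "O2" and "(no name)" in text:   # unnamed Browser Helper Object
            found.add(("bho", text.rsplit("\\", 1)[-1].lower()))
        elif code == "O4":                  # autostart entry pointing straight into C:\WINDOWS
            exe = WIN_EXE.search(text)
            if exe:
                found.add(("run", exe.group(1).lower()))
    return found


def compare(old_log, new_log):
    """Split indicators into those that survived cleanup, disappeared, or are new."""
    old, new = indicators(old_log), indicators(new_log)
    return {"persisted": sorted(old & new), "gone": sorted(old - new), "new": sorted(new - old)}


if __name__ == "__main__":
    for bucket, items in compare(LOG_JUL14, LOG_JUL15).items():
        print(bucket, items)
```

An entry in the persisted bucket is present in both logs, so it survived the cleanup between the two scans; the new bucket holds the names that appeared only in the second scan.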

#7 giren

giren

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 15 July 2004 - 04:09 PM

Go to http://easyrcon.com/spyremove/. It has instructions as well as a program that address this issue.

#8 seth17

Posted 15 July 2004 - 05:06 PM

That didn't seem to work :techsupport:

Any other suggestions, or help?

#9 seth17

Posted 15 July 2004 - 05:31 PM

I know you're not supposed to bump, as I know that there are tons of other people that need help also, but HELP!!!!!

Haha.... :D

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button