hammer2

homepage hijacker!

11 posts in this topic

Hello, I could really use some help. I even tried calling my brother who is really good with computers and tried all his solutions and it's still broke! Basically my homepage was hijacked and it won't allow me to block it in the internet settings. I tried the steps explained on this website with going and deleting all the .tmp files and going through the "04's" in HijackThis. I have even tried going through my registry and deleting crap that doesn't belong there. The website that shows up is "search-all-fast.com and its stupid popups such as search-all-fast.com/pop/popup6.php?pin=23999." This is on my work computer and it's very annoying... I am hoping someone can help me. After I run CWShredder, Spybot, Ad-Aware and HijackThis, the second time after fixing everything, when I open Internet Explorer, it comes right back. Help please! I even tried SpywareBlaster and that didn't work for me either...

P.S. I read the FAQs on your site and tried all step by step instructions, still can't fix it....


I also downloaded AboutBuster and when I run spybot I still get "DSO Exploit" - registry change in my internet settings...


Still didn't work.... Every time I delete the incorrect ones on this program they just come back....

Logfile of HijackThis v1.98.0
Scan saved at 9:14:26 AM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\javaey32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\adddm32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lgqoq.dll/index.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED698817-1234-1F47-935F-6D8446D4E454} - C:\WINDOWS\system32\crpx32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [adddm32.exe] C:\WINDOWS\system32\adddm32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = archdesign.com
O17 - HKLM\Software\..\Telephony: DomainName = archdesign.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{75BDFC91-DCE9-4756-9390-0938359812BC}: NameServer = 192.168.1.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = archdesign.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{75BDFC91-DCE9-4756-9390-0938359812BC}: NameServer = 192.168.1.103


Run hjt, and check the following boxes, then go ahead and let it fix/erase the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lgqoq.dll/index.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [adddm32.exe] C:\WINDOWS\system32\adddm32.exe

Reboot comp in safe mode (hit and hold F8 when it boots up)

Delete the following files if you find them, making sure that you can see hidden files

(To show hidden files go to control panel ---> appearance and themes ---> folder options ---> select the "View" tab and enable "Show hidden files and folders". You will get a warning saying that some hidden files are essential to the OS and that deleting them will cause the program to not work. Click "Yes")

C:\WINDOWS\javaey32.exe
C:\WINDOWS\Explorer.EXE <---- This is a disguised trojan. Delete. Your real one would be found in the c:\winnt\system32

After that ensure you have the latest updates and rerun Adaware, CWS, and your anti-virus program. Then make sure you are disconnected from the internet, run About:Buster.

Once that is done, if it's not already taken care of, reset your registry keys. If you need to know how to do that let me know.

Reboot in normal mode. Run hjt once again and post your log so that I can see if you're clean.


One more thing, before you reboot in normal mode, clean out your cookies, temporary internet files, and recycle bin. Just a precaution.


It won't let me delete the "Explorer.EXE", it says it's either in use or write protected, and just to be safe I looked for c:\winnt\system32 and that folder doesn't exist... I also didn't find C:\WINDOWS\javaey32.exe and I don't know how to reset my registry keys...


Hammer2:

The statement:

"C:\WINDOWS\Explorer.EXE <---- This is a disguised trojan. Delete. Your real one would be found in the c:\winnt\system32"

I would check with a "helper" on these boards before you delete that file. I may be wrong but I think it is incorrect.....

Edit: Good thing you weren't able to delete that file hammer...here is a link to a good resource that explains what should be running where it goes with a fresh Windows install. That is not a trojan!

http://spywarewarrior.com/viewtopic.php?t=3773

Edited by IndiGenus

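Added example, not part of the original thread and not code from HijackThis or any poster: a Python script that does the triage the replies above do by hand, pulling the R0/R1 entries that point Internet Explorer at a res:// page inside a DLL and checking whether a core Windows binary runs from an unexpected directory. The function names, the EXPECTED_DIR table and the default Windows directory are assumptions made for this example; the sample lines are copied from the log posted above.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\adddm32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
IE_VALUE = re.compile(r"^(HK\w+)\\(.+?),(.+?) = (.*)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

# Assumption for this example: where two core binaries live, relative to the
# Windows directory. explorer.exe sits in the Windows directory itself, not system32.
EXPECTED_DIR = {"explorer.exe": "", "winlogon.exe": "system32"}

def parse(log):
    """Split a HijackThis log into running-process paths and (code, text) entries."""
    procs, entries = [], []
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            procs.append(line)
    return procs, entries

def res_hijacks(entries):
    """R0/R1 values whose data is a res:// URL served out of a DLL."""
    hits = []
    for code, text in entries:
        m = IE_VALUE.match(text) if code in ("R0", "R1") else None
        dll = RES_DLL.match(m.group(4)) if m else None
        if dll:
            hits.append((m.group(1), m.group(3), ntpath.basename(dll.group(1)).lower()))
    return hits

def misplaced(procs, windir=r"C:\WINDOWS"):
    """Known system binaries running from somewhere other than their expected directory."""
    def ok(p):
        want = ntpath.join(windir, EXPECTED_DIR[ntpath.basename(p).lower()]).rstrip("\\")
        return ntpath.dirname(p).lower() == want.lower()
    return [p for p in procs if ntpath.basename(p).lower() in EXPECTED_DIR and not ok(p)]
```

On the sample, `res_hijacks` reports the HKCU and HKLM values served from lgqoq.dll, and `misplaced` returns nothing because C:\WINDOWS\Explorer.EXE is where explorer.exe belongs on this Windows XP machine.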