homepage hijacker!

#1 hammer2

Posted 15 July 2004 - 04:31 PM

hello, I could really use some help. I even tried calling my brother who is really good with computers and tried all his solutions and it's still broke! Basically my homepage was hijacked and it won't allow me to block it in the internet settings. I tried the steps explained on this website with going and deleting all the .tmp files and going through the "O4's" in HijackThis. I have even tried going through my registry and deleting crap that doesn't belong there. The website that shows up is "search-all-fast.com and its stupid popups such as search-all-fast.com/pop/popup6.php?pin=23999." This is on my work computer and it's very annoying... I am hoping someone can help me. After I run CWShredder, Spybot, Ad-Aware and HijackThis, the second time after fixing everything, when I open Internet Explorer, it comes right back. help please! I even tried SpywareBlaster and that didn't work for me either...
ps. I read the FAQs on your site and tried all the step by step instructions, still can't fix it....

#2 hammer2

Posted 15 July 2004 - 04:52 PM

I also downloaded AboutBuster and when I run spybot I still get "DSO Exploit" - registry change in my internet settings...

#3 giren

Posted 15 July 2004 - 04:55 PM

http://easyrcon.com/spyremove/ this should help you out. Run it and d/l HijackThis and post the log to make sure it's clean

#4 giren

Posted 15 July 2004 - 04:56 PM

Correction: d/l the program from this website. d/l HijackThis at http://www.spywarein.../downloads.html

#5 hammer2

Posted 16 July 2004 - 07:18 AM

Which program am I downloading from that site? I already have HijackThis and it didn't fix it

#6 giren

Posted 16 July 2004 - 07:27 AM

d/l removespy.zip from http://easyrcon.com/spyremove/ It also has instructions how to manually remove it if the program doesn't work. Your hjt version should be 1.98

#7 hammer2

Posted 16 July 2004 - 07:49 AM

Still didn't work.... Every time I delete the incorrect ones in this program they just come back....


Logfile of HijackThis v1.98.0
Scan saved at 9:14:26 AM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\javaey32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\adddm32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lgqoq.dll/index.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED698817-1234-1F47-935F-6D8446D4E454} - C:\WINDOWS\system32\crpx32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [adddm32.exe] C:\WINDOWS\system32\adddm32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = archdesign.com
O17 - HKLM\Software\..\Telephony: DomainName = archdesign.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{75BDFC91-DCE9-4756-9390-0938359812BC}: NameServer = 192.168.1.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = archdesign.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{75BDFC91-DCE9-4756-9390-0938359812BC}: NameServer = 192.168.1.103

#8 giren

Posted 16 July 2004 - 09:43 AM

Run HJT, check the following boxes, then go ahead and let it fix/erase the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lgqoq.dll/index.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lgqoq.dll/sp.html#23999
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lgqoq.dll/index.html#23999
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [adddm32.exe] C:\WINDOWS\system32\adddm32.exe

Reboot comp in safe mode (hit and hold F8 when it boots up)

Delete the following files if you find them, making sure that you can see hidden files.
(To show hidden files go to Control Panel ---> Appearance and Themes ---> Folder Options ---> select the "View" tab and enable "Show hidden files and folders". You will get a warning saying that some hidden files are essential to the OS and that deleting them will cause the program to not work. Click "Yes")

C:\WINDOWS\javaey32.exe
C:\WINDOWS\Explorer.EXE <---- This is a disguised trojan. Delete. Your real one would be found in c:\winnt\system32

After that ensure you have the latest updates and rerun Ad-Aware, CWS, and your anti-virus program. Then make sure you are disconnected from the internet and run About:Buster

Once that is done, if it's not already taken care of, reset your registry keys. If you need to know how to do that let me know.


Reboot in normal mode. Run hjt once again and post your log so that I can see if you're clean.

#9 giren

Posted 16 July 2004 - 09:46 AM

one more thing, before you reboot in normal mode, clean out your cookies, temporary internet files, and recycle bin. Just a precaution.

#10 hammer2

Posted 16 July 2004 - 10:48 AM

It won't let me delete the "Explorer.EXE", it says it's either in use or write protected, and just to be safe I looked for c:\winnt\system32 and that folder doesn't exist... I also didn't find C:\WINDOWS\javaey32.exe and I don't know how to reset my registry keys...

#11 Guest_IndiGenus_*

Posted 16 July 2004 - 11:54 AM

Hammer2:

The statement:

"C:\WINDOWS\Explorer.EXE <---- This is a disguised trojan. Delete. Your real one would be found in c:\winnt\system32"

I would check with a "helper" on these boards before you delete that file. I may be wrong but I think it is incorrect.....

Edit: Good thing you weren't able to delete that file hammer... here is a link to a good resource that explains what should be running and where it goes with a fresh Windows install. That is not a trojan!

http://spywarewarrior.com/viewtopic.php?t=3773

Edited by IndiGenus, 16 July 2004 - 01:25 PM.
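The log triage giren walks through in post #8 and the explorer.exe point IndiGenus makes in post #11, as an added Python example (my code, not from the thread or from the HijackThis project): it parses lines in the HJT 1.98 log format, reports every R0/R1 Start/Search Page that is served out of a DLL via res:// together with the DLL name to look for, and flags explorer.exe only when it runs from somewhere other than %SystemRoot%. The sample log is constructed from values in hammer2's posted log, and the function names are my own.

```python
import re

# Constructed sample in the HijackThis 1.98 log format; the values come from the
# log hammer2 posted above, plus one clean R0 line for contrast.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\javaey32.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\lgqoq.dll/sp.html#23999
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://lgqoq.dll/index.html#23999
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
"""

# res://[drive:\path\]name.dll/page : an IE Start/Search Page served out of a DLL
RES_DLL = re.compile(r"res://(?:[A-Za-z]:\\(?:[^\\/]+\\)*)?([^\\/]+\.dll)/", re.I)
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")

def parse_entries(log):
    """Split the 'Rn - ...' / 'On - ...' lines into (section, rest) pairs."""
    return [m.groups() for m in map(ENTRY.match, (l.strip() for l in log.splitlines())) if m]

def running_processes(log):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
        elif in_block and line.strip():
            procs.append(line.strip())
        elif in_block:
            break
    return procs

def hijacked_ie_pages(log):
    """(registry value, dll name) for every R0/R1 page that points into a DLL via res://."""
    hits = []
    for sec, rest in parse_entries(log):
        m = RES_DLL.search(rest) if sec in ("R0", "R1") else None
        if m:
            hits.append((rest.split(" = ", 1)[0], m.group(1).lower()))
    return hits

def misplaced_explorer(log, windir="C:\\WINDOWS"):
    """explorer.exe belongs directly in %SystemRoot%; only a copy elsewhere is suspect."""
    legit = (windir + "\\explorer.exe").lower()
    return [p for p in running_processes(log)
            if p.lower().endswith("\\explorer.exe") and p.lower() != legit]
```

Run on hammer2's full log this reports lgqoq.dll for all six R0/R1 lines giren marked for fixing and an empty list for explorer.exe, which matches IndiGenus's correction.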




