Home Search is frustrating me


4 replies to this topic

#1 Frustrated123

Member, New Member, 2 posts

Posted 15 July 2004 - 07:17 PM

I have read the FAQ and some of the other tutorials in regards to HJT... Please forgive my lack of knowledge, but could really use some help. I have run HJT (log pasted below). I'm hesitant to start fixing files that may or may not be the issue, though I do have a few suspects. This is my work machine as well, so dumping the OS is not an option without a huge hassle from my IT dept.

When the log below was run, I had already run Adaware, Spybot, CWShredder, HSRemove, and About:Buster... all in safe mode with System Restore turned off and multiple attempts to restart with different combinations of the above-mentioned programs.

The site that I keep getting reverted to is res://lqjcd.dll/index.html#96676.

Sorry for the novel and thanks in advance for any help that I receive.


Logfile of HijackThis v1.97.7
Scan saved at 5:12:18 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\SRF1002\Desktop\Original Application Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lqjcd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lqjcd.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lqjcd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lqjcd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lqjcd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lqjcd.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Stanley Works
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://stanleyatwork/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CE5C452C-058A-9C91-01C2-9E4F99DB5962} - C:\WINDOWS\d3zy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\eayluey.exe
O4 - HKLM\..\Run: [tfxpivxshcsp] C:\WINDOWS\System32\fqhpndjb.exe
O4 - HKLM\..\Run: [sysys32.exe] C:\WINDOWS\sysys32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Rtob] C:\Documents and Settings\SRF1002\Application Data\patt.exe
O4 - HKCU\..\Run: [Zcngvr] C:\WINDOWS\System32\ksdd.exe
O4 - HKLM\..\RunOnce: [crxw32.exe] C:\WINDOWS\system32\crxw32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://stanleyatwork
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37893.521087963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab

#2 Frustrated123

Member, New Member, 2 posts

Posted 15 July 2004 - 08:20 PM

As I continue to try to get this figured out, I now have a different start page coming up. I could really use some help. I have all of my logs from all of the programs... let me know what can help you out.

Thanks again...

#3 808chick

SWI Junkie, Retired Staff - Helper, 262 posts

Posted 16 July 2004 - 06:38 AM

Hey Frustrated,
Download AboutBuster. Unzip it to your desktop, but do not run it yet.

Post a fresh log here for review.

#4 kdallmer

Member, New Member, 3 posts

Posted 16 July 2004 - 09:36 AM

:huh: The offending problem is HSA or Home Search Assistant

I found two ways to fix this issue..

Microsoft page: http://support.micro...spx?kbid=247501

or a utility at http://hsremove.bravehost.com and download hsremove.exe

run it and it seems to work...

***** New ***

This only fixed part of my issue... there still is something that wants to reload the redirecting software. Will get back

***** Update ****

ALL,

I had to disable spybot and run in safe mode, and this cleaned everything...

The only thing is when you're done you have to reset your home and search pages as this utility changes them to a confirmation page that your system is clean...

Edited by kdallmer, 16 July 2004 - 09:54 AM.


#5 Budfred

Malware Hound, Administrators, 21,305 posts

Posted 16 July 2004 - 06:18 PM

kdallmer,

This is a known CWS variant with a known fix that 808chick is qualified to fix... Please do not suggest additional untested fixes to confuse the situation... If you are interested in learning how to be a qualified Helper, check this information:

http://forums.spywar...?showtopic=9270
Budfred
