Persistent IE Homepage Hijacker



#1 adambomb223


Posted 16 July 2004 - 01:17 PM

I have been working on trying to remove this Homepage Hijacker for a few days now. I have tried just about every method that I have been able to find in this forum. I was only able to temporarily remove the spyware, but it keeps coming back as soon as I close and reopen Internet Explorer. The dll name has changed at least a half a dozen times, but the result is the same in the end. It just keeps coming back. Here are my HijackThis and About:Buster logs below. Any help would be greatly appreciated. Thanks in advance!

Logfile of HijackThis v1.98.0
Scan saved at 2:13:48 PM, on 7/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\apiuz.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\netbp.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\SMC\SMC2802W 54 Mbps WLAN Utility\SMCUTIL.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Spyware Software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ienan.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ienan.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ienan.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ienan.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ienan.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ienan.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4A38BC22-CA22-15D7-B07D-FA2261EB573B} - C:\WINNT\system32\sdkcu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [netbp.exe] C:\WINNT\system32\netbp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SMC2802W 54 Mbps WLAN Utility.lnk = C:\Program Files\SMC\SMC2802W 54 Mbps WLAN Utility\SMCUTIL.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE


-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINNT\wksyja.dat
Removed! : C:\WINNT\system32\htzgd.dat
Removed! : C:\WINNT\system32\ienan.dll
Removed! : C:\WINNT\system32\netbp.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
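
Added example, not part of the original post and not code from HijackThis or About:Buster: a small triage script that cross-references the two logs above. The three heuristics (res:// page settings, unnamed BHOs, entries naming a file About:Buster removed) and the function names are assumptions of this example; the sample input is a constructed subset of the posted logs.

```python
import re

# Constructed sample: a subset of the two logs posted above.
HJT_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ienan.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ienan.dll/index.html#96676
O2 - BHO: (no name) - {4A38BC22-CA22-15D7-B07D-FA2261EB573B} - C:\WINNT\system32\sdkcu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [netbp.exe] C:\WINNT\system32\netbp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
BUSTER_LOG = r"""Removed! : C:\WINNT\wksyja.dat
Removed! : C:\WINNT\system32\ienan.dll
Removed! : C:\WINNT\system32\netbp.exe
"""

# HijackThis entry lines start with a section code such as R0, O2 or O4.
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")

def removed_names(buster_log):
    """File names (lower-case, no path) that About:Buster reported as removed."""
    names = set()
    for line in buster_log.splitlines():
        if line.startswith("Removed! : "):
            names.add(line.split(" : ", 1)[1].rsplit("\\", 1)[-1].lower())
    return names

def triage(hjt_log, buster_log):
    """Return (code, reasons, line) for HijackThis entries worth a closer look."""
    removed = removed_names(buster_log)
    findings = []
    for line in hjt_log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        low = body.lower()
        reasons = []
        # Assumed heuristic 1: IE start/search page served from a local DLL.
        if code in ("R0", "R1") and "= res://" in low:
            reasons.append("IE page setting loads from a res:// DLL resource")
        # Assumed heuristic 2: browser helper object registered without a name.
        if code == "O2" and "(no name)" in low:
            reasons.append("unnamed browser helper object")
        # Assumed heuristic 3: entry names a file About:Buster removed.
        reasons += ["references removed file " + n for n in sorted(removed) if n in low]
        if reasons:
            findings.append((code, reasons, line.strip()))
    return findings
```

A finding here only marks an entry for review; it does not establish that the referenced file is malicious.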

#2 MrCharlie


Posted 16 July 2004 - 01:34 PM

Make sure you have the latest version of AboutBuster. Have you tried running it in safe mode?
http://malwarebytes....AboutBuster.zip <---use this one for AboutBuster

There's another program out that you can try. Here's the link to it, and to make sure you have the latest version of the program, here's a direct download of it.

http://www.majorgeek...wnload4286.html <---link to program info

http://www.hsremove.com/hsremove.exe <---dir download

MrC

from - TomCoyote forum

anyone can buy a new one, but not everyone can fix the old one

Major & Lindsay

#3 adambomb223


Posted 16 July 2004 - 02:28 PM

Ok, I downloaded the updated version of About:Buster, and HSremove. I rebooted in safe mode and ran HijackThis and cleaned the entries. Then I ran About:Buster and Hsremove respectively. While still in safe mode it seemed like Internet Explorer was back to normal. Upon reboot back into normal mode IE was still ok for about 2 opens and closes. However, when I opened it the third time it was back again. Unfortunately, I am still hijacked. Any ideas?

#4 MrCharlie


Posted 16 July 2004 - 03:44 PM

Post a fresh HJT log and don't reboot or shut down your computer until I get back to you. MrC