LoXeN

Jacked by index.html#37794- Please look at log.


Can't seem to kill this thing no matter what.

Thanks for taking the time to look and help!


Logfile of HijackThis v1.97.7

Scan saved at 10:23:57 AM, on 7/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\sdkyh32.exe

C:\WINDOWS\system32\iprh32.exe

C:\Documents and Settings\Jeremy\Desktop\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uksnf.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uksnf.dll/index.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uksnf.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uksnf.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uksnf.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uksnf.dll/sp.html#37794

O2 - BHO: (no name) - {22FC434A-3E8C-40D7-EB9E-4324CBFEC077} - C:\WINDOWS\system32\mfciz.dll

O4 - HKLM\..\Run: [sdkyh32.exe] C:\WINDOWS\system32\sdkyh32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM\..\RunOnce: [crcs32.exe] C:\WINDOWS\crcs32.exe

O4 - HKLM\..\RunOnce: [iprh32.exe] C:\WINDOWS\system32\iprh32.exe


Logfile of HijackThis v1.98.0

Scan saved at 11:28:32 AM, on 7/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\iprh32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\NetLimiter\NetLimiter.exe

C:\Program Files\BitTorrent\btdownloadgui.exe

C:\Program Files\BitTorrent\btdownloadgui.exe

C:\Program Files\BitTorrent\btdownloadgui.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\WINDOWS\sysxy32.exe

C:\Documents and Settings\Jeremy\Desktop\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsglb.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nsglb.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nsglb.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nsglb.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsglb.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nsglb.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {22FC434A-3E8C-40D7-EB9E-4324CBFEC077} - C:\WINDOWS\system32\mfciz.dll

O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s

O4 - HKLM\..\Run: [sysxy32.exe] C:\WINDOWS\sysxy32.exe

O4 - HKLM\..\RunOnce: [iprh32.exe] C:\WINDOWS\system32\iprh32.exe


That's the complete log?

What happened to the O5s to at least O16s entries?

I'll take your word for it for now.

There are several methods to deal with this hijacker.

I have had the best results using the method at this link, please follow them carefully and read through my post before you start:

http://www.pchell.com/support/onlythebest.shtml

To ensure you have the latest version of AboutBuster, here's a direct download of it from the author's site:

http://malwarebytes.biz/AboutBuster.zip

I have also found that you may have to run AboutBuster several times until it has found and deleted all the bad files.

These are all the bad entries in your log as of now, if you reboot they may change:

 

C:\WINDOWS\nsglb.dll <---this is the file that's "taking over your computer"

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsglb.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nsglb.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nsglb.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nsglb.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsglb.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nsglb.dll/index.html#37794

 

O2 - BHO: (no name) - {22FC434A-3E8C-40D7-EB9E-4324CBFEC077} - C:\WINDOWS\system32\mfciz.dll

 

O4 - HKLM\..\Run: [sysxy32.exe] C:\WINDOWS\sysxy32.exe

O4 - HKLM\..\RunOnce: [iprh32.exe] C:\WINDOWS\system32\iprh32.exe

 

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigham.zen.co.uk/downloads/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

 

To clean up your host files, here's an easier method:

 

Download the Hoster from here http://members.aol.com/toadbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

 

When you're finished:

Boot back into normal mode. Click here http://www.davehigham.zen.co.uk/downloads/cwsuninst.zip to download cwsuninst.zip. Extract cwsuninst.reg from the zip file and save it to the desktop. When done, double-click the cwsuninst.reg and when asked to merge say yes.

Reboot and post a fresh HJT log and let's see how we did. MrC

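An added example, not part of MrC's post or of HijackThis itself: a short Python triage script that flags the entry patterns listed in the reply above and compares the thread's first two scans, showing which indicators persisted and which were replaced between scans. The rule that an O4 value named after its own .exe is suspect is a heuristic assumed here; the sample lines are a subset copied from the two logs in this thread.

```python
import re

# Entries copied from the thread's first and second HijackThis scans (subset).
SCAN_1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uksnf.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uksnf.dll/sp.html#37794
O2 - BHO: (no name) - {22FC434A-3E8C-40D7-EB9E-4324CBFEC077} - C:\WINDOWS\system32\mfciz.dll
O4 - HKLM\..\Run: [sdkyh32.exe] C:\WINDOWS\system32\sdkyh32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [crcs32.exe] C:\WINDOWS\crcs32.exe
O4 - HKLM\..\RunOnce: [iprh32.exe] C:\WINDOWS\system32\iprh32.exe
"""
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nsglb.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsglb.dll/sp.html#37794
O2 - BHO: (no name) - {22FC434A-3E8C-40D7-EB9E-4324CBFEC077} - C:\WINDOWS\system32\mfciz.dll
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [sysxy32.exe] C:\WINDOWS\sysxy32.exe
O4 - HKLM\..\RunOnce: [iprh32.exe] C:\WINDOWS\system32\iprh32.exe
"""
ENTRY = re.compile(r"^(R[01]|O2|O4) - (.*)$")
RES_DLL = re.compile(r"res://(?:.*\\)?([^/\\]+\.dll)/", re.I)
CLSID = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
RUN = re.compile(r'Run(?:Once)?: \[([^\]]+)\] "?(.+?\.exe)', re.I)

def suspicious(log):
    """Map indicator -> reason for entries matching this hijacker's pattern."""
    found = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and (dll := RES_DLL.search(body)):
            found[dll.group(1).lower()] = "IE page points at a res:// DLL resource"
        elif code == "O2" and "(no name)" in body and (c := CLSID.search(body)):
            found[c.group(0).upper()] = "unnamed Browser Helper Object"
        elif code == "O4" and (run := RUN.search(body)):
            name, exe = run.group(1).lower(), run.group(2).rsplit("\\", 1)[-1].lower()
            if name == exe:  # heuristic (assumption): value named after its own .exe
                found[exe] = "autostart value named after its own .exe"
    return found

def compare(before, after):
    """Split indicators into those that survived between scans and those that rotated."""
    a, b = suspicious(before), suspicious(after)
    return {"persisted": sorted(a.keys() & b.keys()),
            "dropped": sorted(a.keys() - b.keys()),
            "new": sorted(b.keys() - a.keys())}
```

Calling `compare(SCAN_1, SCAN_2)` separates the indicators that kept their names across scans from the file names that were swapped out, which is why a removal list built from one scan can be stale by the next reboot.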

Took a few tries and a bit of time. I found the main file that brought everything back was APPYK32.exe as this file never changed like the rest did. After deleting this one running through the steps then also running regedit and removing all info having to do with APPYK32.exe.

After that things stayed deleted like that BHO that kept coming back :)

Thanks again for ya help!

This was a nasty one :D


Logfile of HijackThis v1.98.0

Scan saved at 6:09:37 AM, on 7/19/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Jeremy\Desktop\Hijack This\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe


That's the shortest log I've ever seen and I'm even going to make it shorter.

With only HJT running, fix this one. It's just a "dud", nothing to worry about:

R3 - Default URLSearchHook is missing

That should do it, if you have any questions or any more problems - please post back.

 

I'll leave you with......

 

Some preventive maintenance:

 

Visit Windows Update and install all the latest critical updates.

Install these two free programs, they sit in the background and protect your system from spy and adware being installed on your system, also from your browser being hijacked. Check for updates weekly.

 

SpywareBlaster

 

SpywareGuard

 

Need a free anti virus?

AVG*free

(check for updates - daily)

 

How about a firewall?

ZoneAlarm*free

DirectDownload ZA 4.5.594.000 <---use this version for now

 

Free spyware removal programs:

SpyBot

AD-Aware

 

DSO Exploit

DSO Exploit Protection

 

Pop-up stoppers:

GoogleToolBar

Pop-upStopperFree

 

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.

Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

 

Good luck and thanks for using the forum - MrC
