Jump to content


Photo

Cool Web Search hijacking my settings


  • This topic is locked This topic is locked
13 replies to this topic

#1 marutha

marutha

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 02:37 AM

My IE setting are hijacked and taking to a different start page.

I faced this issue earlier and used CWShredder successfully. But, CSShredder 1.57.0 is not removing the problem.

I also used HijackThis 1.97.7. But not able to remove the problem.

Logfile of HijackThis v1.97.7
Scan saved at 1:05:06 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Virus-Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PCLEPCI] E:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
O4 - HKLM\..\Run: [McAfee Guardian] "E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: Add to AD Black List - E:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JavaConnect - http://171.71.179.24...JavaConnect.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://E:\Documents and Settings\Marutha\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0346DE54-A305-40B5-85E1-82CCE5B8B530}: NameServer = 61.1.192.65 61.0.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0346DE54-A305-40B5-85E1-82CCE5B8B530}: NameServer = 61.1.192.65 61.0.0.5

I also try using Spybot 1.3, this particular problem is not detected but the problem still exsists.

#2 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 23 May 2004 - 05:05 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

this one is suggested fix because its a resorce hogg and not needed in startup.
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

Reboot and post fresh log .

If still no change after that ,try running CWshredder in safe mode .
How to start computer in safe mode

Edited by billiebob, 23 May 2004 - 05:06 AM.


#3 marutha

marutha

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 05:43 AM

Thanks for your help.

The problem is still not fixed.

I tried HijackThis as per your guidance, the problem was not solved. Also tried running CWShredder is safemode the problem is not resolved.

The new log after above 2 steps is enclosed.

Logfile of HijackThis v1.97.7
Scan saved at 4:10:40 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Virus-Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PCLEPCI] E:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
O4 - HKLM\..\Run: [McAfee Guardian] "E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: Add to AD Black List - E:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JavaConnect - http://171.71.179.24...JavaConnect.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://E:\Documents and Settings\Marutha\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0346DE54-A305-40B5-85E1-82CCE5B8B530}: NameServer = 61.1.192.65 61.0.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0346DE54-A305-40B5-85E1-82CCE5B8B530}: NameServer = 61.1.192.65 61.0.0.5

Thanks for your help.

#4 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 23 May 2004 - 06:01 AM

Ok . ,this time i want you to reboot to safe mode and run cwshredder and then still in safe mode run hijackthis and fix these again .

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

also the 016's can all be fixed the good ones will come back the next time you visit that site .
reboot and post new log .

Edited by billiebob, 23 May 2004 - 06:11 AM.


#5 marutha

marutha

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 09:03 AM

First of all thanks for guiding me in resolving this issue. But no luck. I did the recommended steps in the safemode, bue Cool Web Search issue is still there.

Few additional observations

1. When I run CWShredder (whatever mode, even after HijackThis) it is not reporting any issue. i.e. All checks are passing without reporting any detection of issue.

2. At the first start-up of the browser, to installation atemps are being done automatically, and pops up dialog to which I say "No"

a. Do you want to install and run "ms-its:mhtml:file//c:\nosuch.mht! http//cashsearch.biz/leagal/x.chm::load.exe?

b. ........ c:/recyclebin/1.htm... (or something similar)

3. I see lot of warning from McAfee virus scan, but these warning are unable to be fixed by the scanner

Virus Names are

a. Exploit-MhtRedir.gen
b. Exploit-CodeBase.gen

The log file after run through your recommended steps in safe mode and using the browser to access this page is

Logfile of HijackThis v1.97.7
Scan saved at 7:32:15 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\notepad.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Virus-Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PCLEPCI] E:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
O4 - HKLM\..\Run: [McAfee Guardian] "E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: Add to AD Black List - E:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0346DE54-A305-40B5-85E1-82CCE5B8B530}: NameServer = 61.1.192.65 61.0.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0346DE54-A305-40B5-85E1-82CCE5B8B530}: NameServer = 61.1.192.65 61.0.0.5

Thanks for yout time and help.

#6 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 23 May 2004 - 09:11 AM

Ok,sorry this isn't working for you ,lets try emptying temp internet file .
In IE go to tools/internet options/empty temporary internet file/ and delet file and cookies. then do the fix again of these .
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
then lets run the free online virus scan HERE,check off auto fix before you run the scan,when the page loads .

reboot and post new log .

Edited by billiebob, 23 May 2004 - 09:12 AM.


#7 marutha

marutha

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 09:33 AM

Things are getting worst.

I have enabled Spybot-S&D resident. So, when I remove the entries as you have said through HijackThis, I get notification from Spybot saying that registry entries are being revoked back to "http://greatsearch.biz". Even if I deny, two entries are invariably getting changed. (Observed through HijackThis log file.

I am trying the online Virus Scan. Will post result after that.

Meanwhile this is my latest log file:

Logfile of HijackThis v1.97.7
Scan saved at 8:00:53 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Virus-Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PCLEPCI] E:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
O4 - HKLM\..\Run: [McAfee Guardian] "E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: Add to AD Black List - E:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0346DE54-A305-40B5-85E1-82CCE5B8B530}: NameServer = 61.1.192.65 61.0.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0346DE54-A305-40B5-85E1-82CCE5B8B530}: NameServer = 61.1.192.65 61.0.0.5

Please help, I desparately need a solution. Thanks for your support again.

#8 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 23 May 2004 - 09:37 AM

ok,I'm searching the fourms and others are having the same problems with it ,I will be back with instructions on how to remove the bad files ,as soon as I figure out what instructions are the best ones .

#9 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 23 May 2004 - 09:44 AM

Back all ready lets try this

Edit .if you read this all ready ,update what i said .

Ok please copy the contents of the quote box to notepad:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]





hit save as
give it the name clear.reg
under the filename set file types to all files.
save it to the desktop.

After done double click the clear.reg
when asked to merge say yes

reboot

then find this file:
system32.dll
its probably in one of two locations:
c:\windows\system32\system32.dll
c:\windows\system\system32.dll
and delete it.

Than fix these with hijackthis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

Reboot and post a new log .

Edited by billiebob, 23 May 2004 - 10:23 AM.


#10 marutha

marutha

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 10:10 AM

Thanks for elploring solution to this problem.

Few quick questions

1. When I double click it gives an error saying "...this is not a regitry script...you can import binary registry file only from registry editor..." so I used RegetLite and imported this file.

I hope this is fine.

2. I am unable to delete the system32.dll, it says access denied. Do I have to do this in safemode?

#11 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 23 May 2004 - 10:17 AM

I edited the post above follow the instructions again ,i will post a killbox tool in a minute to help delete the file..

#12 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 23 May 2004 - 10:19 AM

use this tool to delete the file .
http://www.downloads...org/KillBox.zip

Edited by billiebob, 23 May 2004 - 10:21 AM.


#13 marutha

marutha

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 10:39 AM

Hurray!!!!

I guess the problem is solved now!!!!

Thank you for all your help. I really appreciate it.

Here is the latest log:

Logfile of HijackThis v1.97.7
Scan saved at 9:05:06 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
E:\Virus-Protection\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PCLEPCI] E:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe
O4 - HKLM\..\Run: [McAfee Guardian] "E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = E:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: Add to AD Black List - E:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Please confirm that the log looks fine and no more issue.

Do I have to do anything more?

Also, how do I protect myself from future attack.

Thanks once again for all your help.

#14 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 23 May 2004 - 12:57 PM

Great check this site and download the suggested programs .

http://www.computerc...tlite7736-.html




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button