Sane

Need help ridding a pesky hijacker

26 posts in this topic

I created a thread about this about a week ago. Here is how it went:

http://www.spywareinfoforum.com/index.php?showtopic=933

 

Now I will explain everything that I think can help out here, and if you (potential helper) need to know anything else, just ask, because I really want (and need) to get rid of this damn thing.

 

First of all, I currently have and use the following programs:

CWShredder, RapidBlasterKiller, HijackThis, Ad-Aware 6, AVG Anti-Virus, SpywareBlaster, Spybot S&D, and IE Spyad.

They are all, for the most part, updated and current. I also have TheKillBox for deleting files.

 

This computer is running with Windows XP Home (SP1), with three different user accounts.

 

Currently my home page is reset to:

http://www.microsoft.com/isapi/redir.dll?p...ver=6.0&ar=home

But it has also occasionally been set to a series of numbers and "%" signs, and something else much shorter (with the word "home" or "search" in it, I don't remember exactly).

 

The main symptom of this infection (besides the reset homepage) is, well, it hijacks my browser. Sometimes when I click a link, something else opens up that tries to redirect me to a different page. I also get popups every once in a while trying to do the same thing. It's a bit of a hassle.

 

Also, every time I start up and take a look at the task manager, under the processes tab I have noticed something running titled "Iesearch.exe". I know this is not right, because it's not familiar to me. It's usually taking close to 2,500k in memory usage, and so I always manually end it when I start up.

 

Every time I run Ad-Aware upon restart (in safe mode or regular mode), it finds 1-2 registry values that it labels as possible browser hijack attempts. Today it only found one of them, but here is the log of that:

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

I've also just run a scan with HJT. Here is the log of that:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:00:03 AM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Internet Explorer\Iesearch.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Documents and Settings\Jared\Desktop\Archives\Programs\Hijack This\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Brent Olsen\msopt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .cfm: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab

O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab

O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab

O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab

O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38062.856724537

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

 

I see some things in there that need to be removed (dpe.dll, msopt.dll, etc.), but for the sake of this topic I've left them there for the time being, in case that information is vital to getting rid of this stupid thing.

 

Second to last thing here, I've used the "PV" tool to get a list of all the processes (?) that are running for Internet Explorer when I have it open. Here is the log of that:

 

Module information for 'iexplore.exe'

MODULE BASE SIZE PATH

iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer

ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1106 (xpsp1.020828-1920) NT Layer DLL

kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL

USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows XP USER API Client DLL

GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL

ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API

RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Procedure Call Runtime

SHLWAPI.dll 70a70000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Light-weight Utility Library

SHDOCVW.dll 769c0000 1351680 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Doc Object and Control Library

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library

SHELL32.dll 773d0000 8351744 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Shell Common Dll

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library

ole32.dll 771b0000 1183744 C:\WINDOWS\system32\ole32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft OLE for Windows

BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library

appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library

CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42

OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library

UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library

WININET.dll 76200000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Extensions for Win32

CRYPT32.dll 762c0000 569344 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1106 (xpsp1.020828-1920) Crypto API32

MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface

cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI

CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent

SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API

SDHelper.dll 1510000 733184 C:\PROGRA~1\SPYBOT~1\SDHelper.dll

olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft ® OLE Property Support DLL

dpe.dll 10000000 81920 C:\WINDOWS\dpe.dll 1, 0, 0, 1 AnalyzeIE Module

msopt.dll 17d0000 28672 C:\Documents and Settings\Brent Olsen\msopt.dll

urlmon.dll 760f0000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1106 (xpsp1.020828-1920) OLE32 Extensions for Win32

SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5

mshtml.dll 74810000 2846720 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft ® HTML Viewer

MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

msi.dll 1e70000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer

wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL

WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL

MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL

MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL

msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component

 

And finally, I went under C:\Windows, C:\Windows\System32, and the IE Explorer folders to check for any unwanted files that have been recently created (I also did this in my other topic, if necessary please refer to it as it lists some files that I won't be listing here). Here are some of the very most recent ones I discovered:

 

Under C:\Windows\

e.exe (created 5/19/2004)

dpe.dll (created 5/22/2004)

q1214.exe (created 5/24/2004)

q0102.exe (created 5/24/2004)

 

Under C:\Windows\System32\

Nothing new, besides a few I listed in my older topic. (files created on 4/26/2004)

 

Under C:\Program Files\Internet Explorer\ (here's some fun)

nidcxuqe.exe (created 4/24/2004)

Iesearch.exe (created 5/23/2004)

guardian.dll (created 5/23/2004)

hookDLL.dll (created 5/23/2004)

netClient.dll (created 5/23/2004)

r_process.dll (created 5/23/2004)

 

Under C:\Program Files\Internet Explorer\PLUGINS\

nppdf32.dll (created 5/15/2004)

 

I hope some or all of this information is helpful. I really want to get rid of this infection. Hopefully somebody can help me out this time, I'd really appreciate it, and if any more info is needed just ask. Thank you.

Edited by Sane
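
An added example, not part of the original post or of HijackThis: a small Python triage pass over a few lines copied from the log above, flagging BHO DLLs loaded from the Windows root or a user profile and Run entries that start a program other than iexplore.exe from the Internet Explorer folder. The three rules and the `C:\WINDOWS` root are assumptions chosen for this log; a flag marks an entry for manual review and is not a verdict.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Brent Olsen\msopt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
"""

WINDOWS_ROOT = r"c:\windows"  # assumption: matches the system in this log

BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")


def run_target(command):
    """Return the executable part of a Run value, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command


def bho_reason(path):
    """Heuristic (assumption): browser add-ons rarely live in these places."""
    low = path.lower()
    if "\\documents and settings\\" in low:
        return "BHO DLL loaded from a user profile directory"
    if ntpath.dirname(low) == WINDOWS_ROOT:
        return "BHO DLL sits directly in the Windows root"
    return None


def run_reason(path):
    """Heuristic (assumption): only iexplore.exe is expected to start from the IE folder."""
    folder = ntpath.basename(ntpath.dirname(path)).lower()
    if folder == "internet explorer" and ntpath.basename(path).lower() != "iexplore.exe":
        return "autostart program inside the Internet Explorer folder"
    return None


def triage(log_text):
    """Return (section, name, path, reason) for every O2/O4 line a rule flags."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            reason = bho_reason(m.group(2))
            if reason:
                findings.append(("O2", m.group(1), m.group(2), reason))
            continue
        m = RUN_RE.match(line)
        if m:
            target = run_target(m.group(3))
            reason = run_reason(target)
            if reason:
                findings.append(("O4", m.group(2), target, reason))
    return findings


if __name__ == "__main__":
    for section, name, path, reason in triage(SAMPLE_LOG):
        print(f"{section}  {name}  {path}\n    -> {reason}")
```
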


Just picked up a definition update for Ad-Aware and ran another smart scan (with AOL, IE, and a couple other programs open, if that makes any difference). It found some new registry infections (values and keys). Here is the log. Guess it's a CWS infection:

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : analyzeie.dompeek

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : analyzeie.dompeek.1

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{834261e1-dd97-4177-853b-c907e5d5bd6e}

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261e1-dd97-4177-853b-c907e5d5bd6e}

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : TYPELIB\{bd0022a3-a43f-4f44-b64f-53ea7575f097}

 

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 5

Objects found so far: 5

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 5

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}

 

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Internet Explorer\Styles

Value : Use My Stylesheet

 

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Value : ITBarLayout

 

I removed them after the scan completed, but they might re-appear.

Edited by Sane


I guess I will just keep bumping this. However I do remember a time when this site gave help a lot quicker, and it was always very good help. That was only two or three months ago -- it sure has gotten busier around here hasn't it? I could be a helper if I knew enough about what I was doing. I could do some guesswork, but obviously that's not enough.

Edited by Sane


Ran into same problem trying to get help. Ended up gleaning the info from other posts in different threads. You should run those scans with IE shut down, in case you were running it. Also, did you do the thing where you look for a dll that's listed in appinit_dll in the system registry? You have to use a program called reglite to see the value, cuz the Windows reg editor won't show it right. There's a procedure listed in the forum for removing the value and then the dll as well. Do a search for appinit_dll or reglite and you should get some good hits. Hope that helps. I'm still learning, but I'm gonna get good at it and maybe open a little side business ridding people's PCs of these things.

"G"


Hi. I've had similar problems - DLLs that keep re-appearing even if removed w/ Ad-aware (I'd 1st stop rundll32.exe w/ Task Manager - otherwise Ad-aware couldn't delete them at all). Still they came back: part of VX2.BetterInternet. So I downloaded the official VX2 Finder:

http://tools.zerosrealm.com/VX2Finder.exe

- developed by a Lavasoft (Ad-aware) coder.

Seems to have helped. Before, my SpywareGuard settings were being erased on every re-boot, too - the settings to provide Download Protection & to block harmful DLLs from running kept "un-checking". I ran the VX2finder & re-booted. Voila! My SG settings stayed put & a check w/ Ad-aware found NOTHING!!!! :D

So far, so good, but I've had this cleared up before & it came back, so I'm not relaxing just yet.

Still, give it a try, especially if you keep seeing VX2 stuff in your Ad-aware scans.

Edited by Spamn-it-all


I appreciate both of your replies but neither helps me. To the first - I don't know anything about going into or editing the registry, and I don't know of this "appinit_dll" that you're referring to, I don't remember coming across that. To the second - I'm pretty sure my infection is not the "VX2.BetterInternet" variant. However I am still fairly sure of a few files associated with the infection, and I should mention...

 

Last night I did the following tasks on my own:

 

With HJT I checked for removal the following two entries:

O4 - HKLM\..\Run: [iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

 

I then ran TheKillBox and deleted-on-reboot the file "C:\Program Files\Internet Explorer\Iesearch.exe".

 

I know more needs to be done, but these were just a few things that I was 99% sure weren't right, and I wanted to at least do something about it.

 

Now CWShredder doesn't find anything when I scan with it, but the registry values are still caught by Ad-Aware upon restart, and my IE homepage is still being reset. Furthermore, all the other files I listed in the first post of this topic are still present (in case any of them are a part of the infection).

 

So further instructions are still needed. Anybody?


I do not feel safe following the advice of another person's thread when the symptoms don't appear to be the same as mine. I've also been told it's risky business going into the registry to edit things, so I'd rather get specific advice pertinent to my own situation if that's what I have to do.

 

If I don't receive any help by tomorrow evening, I think I'll just do some guesswork myself and try to fix it on my own. I understand how busy this site is, and that my problem may not have an easy or even known solution.

Edited by Sane


Well dude, do what ya gotta do but don't expect quick service here. There shouldn't be anything in the section of the registry appinit_dll, so if reg lite has a value there you better remove it according to that other thread. I bumped a topic for a week and no responses. Do yourself a favor and start reading and searching. Empower yourself and don't be a slave to waiting for these guys, when the help might not come. As for you not feeling safe doing anything, you didn't have a problem going to questionable sites to become infected in the first place. We all know that's where this stuff comes from 90% of the time.


I just had to add that I am with you on getting help from this site. Few months ago I got a response the same day on helping with the HJT log and now I have had a new post and one from work that is probably 2 weeks old. Moved it to the top a few times and nothing. Not sure what guidelines they use to decide who they will help and who they ignore. I am frustrated. Anyone know of other sites that can help? These guys are great and I know they must be overwhelmed with postings BUT... When I need help, I need help.

 

I guess I will have to try to learn more of this and faster...

"There shouldnt be anything in the section of the registry appinit_dll, so if reg lite has a value there you better remove it according to that other thread."

Are you sure about this? Because I ran Registrar and followed the instruction, and for the AppInit_DLLs it found "c:\windows\system32\comjpd.dll". But that's not the same .dll as discussed in the other thread. Can I be sure that it's still a bad thing, and that I should handle it the same way?


I can sense your frustration with all of this...I don't know where you are in terms of a fix for your problem but the answer is out there.

 

My hijack problem didn't sound as severe as yours, but the steps I took to get it fixed, resulted in getting the problems solved in less than a day:

 

1. Read and follow the FAQ. (it is a lot of work but it solved 85% of the problem)

2. When you post to the forum say that you read and followed the FAQ and here are the results with the Hijack log.

 

It did take more time on my part but I did learn a couple of things about the solution. One suggestion I would have to you is to start fresh with the forum. Maybe a new registration and then when you post your query make your topic and discussion line relevant to what you have done. Say that you followed the FAQ and that here are the results. Above all, be thoughtful of others and why they are here. People will always offer suggestions but if you slag everything they say, they will stop offering help.

 

Best of luck!
