
Need help ridding a pesky hijacker


25 replies to this topic

#1 Sane

Sane

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 25 May 2004 - 01:28 PM

I created a thread about this about a week ago. Here is how it went:
http://www.spywarein...p?showtopic=933

Now I will explain everything that I think can help out here, and if you (potential helper) need to know anything else, just ask, because I really want (and need) to get rid of this damn thing.

First of all, I currently have and use the following programs:
CWShredder, RapidBlasterKiller, HijackThis, Ad-Aware 6, AVG Anti-Virus, SpywareBlaster, Spybot S&D, and IE Spyad.
They are all, for the most part, updated and current. I also have TheKillBox for deleting files.

This computer is running with Windows XP Home (SP1), with three different user accounts.

Currently my home page is reset to:
http://www.microsoft...ver=6.0&ar=home
But it has also occasionally been set to a series of numbers and "%" signs, and something else much shorter (with the word "home" or "search" in it, I don't remember exactly).

The main symptom of this infection (besides the reset homepage) is, well, it hijacks my browser. Sometimes when I click a link, something else opens up that tries to redirect me to a different page. I also get popups every once in a while trying to do the same thing. It's a bit of a hassle.

Also, every time I start up and take a look at the task manager, under the processes tab I have noticed something running titled "Iesearch.exe". I know this is not right, because it's not familiar to me. It's usually taking close to 2,500k in memory usage, and so I always manually end it when I start up.

Every time I run Ad-Aware upon restart (in safe mode or regular mode), it finds 1-2 registry values that it labels as possible browser hijack attempts. Today it only found one of them, but here is the log of that:

Started deep registry scan

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


I've also just run a scan with HJT. Here is the log of that:

Logfile of HijackThis v1.97.7
Scan saved at 11:00:03 AM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Internet Explorer\Iesearch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Jared\Desktop\Archives\Programs\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Brent Olsen\msopt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .cfm: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot4_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38062.856724537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab


I see some things in there that need to be removed (dpe.dll, msopt.dll, etc.), but for the sake of this topic I've left them there for the time being, in case that information is vital to getting rid of this stupid thing.

Second to last thing here, I've used the "PV" tool to get a list of all the processes (?) that are running for Internet Explorer when I have it open. Here is the log of that:

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1106 (xpsp1.020828-1920) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows XP USER API Client DLL
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Procedure Call Runtime
SHLWAPI.dll 70a70000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Light-weight Utility Library
SHDOCVW.dll 769c0000 1351680 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Doc Object and Control Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
SHELL32.dll 773d0000 8351744 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ole32.dll 771b0000 1183744 C:\WINDOWS\system32\ole32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft OLE for Windows
BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
WININET.dll 76200000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Extensions for Win32
CRYPT32.dll 762c0000 569344 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1106 (xpsp1.020828-1920) Crypto API32
MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
SDHelper.dll 1510000 733184 C:\PROGRA~1\SPYBOT~1\SDHelper.dll
olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft OLE Property Support DLL
dpe.dll 10000000 81920 C:\WINDOWS\dpe.dll 1, 0, 0, 1 AnalyzeIE Module
msopt.dll 17d0000 28672 C:\Documents and Settings\Brent Olsen\msopt.dll
urlmon.dll 760f0000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1106 (xpsp1.020828-1920) OLE32 Extensions for Win32
SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
mshtml.dll 74810000 2846720 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft HTML Viewer
MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
msi.dll 1e70000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component


And finally, I went under C:\Windows, C:\Windows\System32, and the IE Explorer folders to check for any unwanted files that have been recently created (I also did this in my other topic, if necessary please refer to it as it lists some files that I won't be listing here). Here are some of the very most recent ones I discovered:

Under C:\Windows\
e.exe (created 5/19/2004)
dpe.dll (created 5/22/2004)
q1214.exe (created 5/24/2004)
q0102.exe (created 5/24/2004)

Under C:\Windows\System32\
Nothing new, besides a few I listed in my older topic. (files created on 4/26/2004)

Under C:\Program Files\Internet Explorer\ (here's some fun)
nidcxuqe.exe (created 4/24/2004)
Iesearch.exe (created 5/23/2004)
guardian.dll (created 5/23/2004)
hookDLL.dll (created 5/23/2004)
netClient.dll (created 5/23/2004)
r_process.dll (created 5/23/2004)

Under C:\Program Files\Internet Explorer\PLUGINS\
nppdf32.dll (created 5/15/2004)

I hope some or all of this information is helpful. I really want to get rid of this infection. Hopefully somebody can help me out this time, I'd really appreciate it, and if any more info is needed just ask. Thank you.

Edited by Sane, 25 May 2004 - 05:22 PM.


#2 Sane


Posted 25 May 2004 - 02:12 PM

Just picked up a definition update for Ad-Aware and ran another smart scan (with AOL, IE, and a couple other programs open, if that makes any difference). It found some new registry infections (values and keys). Here is the log. Guess it's a CWS infection:

Started registry scan


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{834261e1-dd97-4177-853b-c907e5d5bd6e}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261e1-dd97-4177-853b-c907e5d5bd6e}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{bd0022a3-a43f-4f44-b64f-53ea7575f097}


Registry scan result :

New objects : 5
Objects found so far: 5


Started deep registry scan


Deep registry scan result :

New objects : 0
Objects found so far: 5


Deep scanning and examining files (C:)



Performing conditional scans..


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}


CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Styles
Value : Use My Stylesheet


CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


I removed them after the scan completed, but they might re-appear.

Edited by Sane, 25 May 2004 - 02:13 PM.
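
An added triage example (not part of either post above, and not code from HijackThis or Ad-Aware): it parses the O2 (BHO) and O4 (Run) lines of a HijackThis log and lists the entries worth a closer look, cross-checking BHO CLSIDs against ones another scanner already reported. The sample lines are copied from the log in post #1 and the CLSID from the Ad-Aware hits in post #2; the location rules are assumed heuristics, and a hit means "inspect this", not "delete this".

```python
import ntpath
import re

# Subset of the HijackThis log quoted in post #1.
HJT_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Brent Olsen\msopt.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
"""

# CLSIDs a second scanner already attributed to a known family
# (the Ad-Aware CoolWebSearch registry hits quoted in post #2).
FLAGGED_CLSIDS = {"{834261e1-dd97-4177-853b-c907e5d5bd6e}"}

BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)', re.IGNORECASE)


def location_reasons(path):
    """Assumed heuristics: locations where add-ons and autoruns rarely belong."""
    p = path.lower()
    folder, name = ntpath.dirname(p), ntpath.basename(p)
    reasons = []
    if folder == r"c:\windows":
        reasons.append("file sits directly in the Windows root")
    if p.startswith("c:\\documents and settings\\"):
        reasons.append("file loads from a user profile folder")
    if folder.endswith(r"\internet explorer") and name != "iexplore.exe":
        reasons.append("extra executable in the browser's own folder")
    return reasons


def triage(log, flagged_clsids=FLAGGED_CLSIDS):
    """Return (kind, path, reasons) for every O2/O4 entry with a reason."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        bho, run = BHO_RE.match(line), RUN_RE.match(line)
        if bho:
            clsid, path = bho.group(1).lower(), bho.group(2)
            reasons = location_reasons(path)
            if clsid in flagged_clsids:
                reasons.insert(0, "CLSID already flagged by another scanner")
            item = ("BHO", path)
        elif run:
            exe = EXE_RE.match(run.group(2))  # strip arguments and quotes
            if not exe:
                continue
            path = exe.group(1) or exe.group(2)
            reasons = location_reasons(path)
            item = ("Run", path)
        else:
            continue
        if reasons:
            findings.append((*item, reasons))
    return findings


if __name__ == "__main__":
    for kind, path, reasons in triage(HJT_LOG):
        print(f"{kind:4} {path}")
        for reason in reasons:
            print(f"       - {reason}")
```
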


#3 Sane


Posted 25 May 2004 - 07:07 PM

Just bringing this topic back up...

Edited by Sane, 25 May 2004 - 07:07 PM.


#4 Sane


Posted 26 May 2004 - 02:04 AM

Can anybody help?

#5 Sane


Posted 26 May 2004 - 03:08 PM

Bringing it back up again... anybody?

#6 Sane


Posted 26 May 2004 - 05:43 PM

???

#7 Sane


Posted 26 May 2004 - 06:41 PM

Can somebody please help?

#8 Sane


Posted 26 May 2004 - 08:40 PM

Still need help.

#9 Sane


Posted 26 May 2004 - 11:52 PM

=)

Edited by Sane, 26 May 2004 - 11:53 PM.


#10 Sane


Posted 27 May 2004 - 02:35 AM

I guess I will just keep bumping this. However I do remember a time when this site gave help a lot quicker, and it was always very good help. That was only two or three months ago -- it sure has gotten busier around here hasn't it? I could be a helper if I knew enough about what I was doing. I could do some guesswork, but obviously that's not enough.

Edited by Sane, 27 May 2004 - 02:38 AM.


#11 Sane


Posted 27 May 2004 - 01:55 PM

Another move to the top.

#12 goldbadge

goldbadge

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 27 May 2004 - 02:03 PM

Ran into same problem trying to get help. Ended up gleaning the info from other posts in different threads. You should run those scans with IE shut down, in case you were running it. Also did you do the thing where you look for a dll that's listed in appinit_dll in the system registry? You have to use a program called reglite to see the value, cuz windows reg editor won't show it right. There's a procedure listed in the forum for removing the value and then the dll as well. Do a search for appinit_dll or reglite and you should get some good hits. Hope that helps, I'm still learning, but I'm gonna get good at it and maybe open a little side business ridding people's PCs of these things.
"G"

#13 Spamn-it-all

Spamn-it-all

    Sniffer

  • Full Member
  • Pip
  • 19 posts

Posted 27 May 2004 - 02:07 PM

Hi. I've had similar problems - DLLs that keep re-appearing even if removed w/ Ad-aware (I'd 1st stop rundll32.exe w/ Task Manager - otherwise Ad-aware couldn't delete them at all). Still they came back: part of VX2.BetterInternet. So I downloaded the official VX2 Finder:
http://tools.zerosre...m/VX2Finder.exe
- developed by a Lavasoft (Ad-aware) coder.
Seems to have helped. Before, my SpywareGuard settings were being erased on every re-boot, too - the settings to provide Download Protection & to block harmful DLLs from running kept "un-checking". I ran the VX2finder & re-booted. Voila! My SG settings stayed put & a check w/ Ad-aware found NOTHING!!!! :D
So far, so good, but I've had this cleared up before & it came back, so I'm not relaxing just yet.
Still, give it a try, especially if you keep seeing VX2 stuff in your Ad-aware scans.

Edited by Spamn-it-all, 27 May 2004 - 02:08 PM.

Spamn-it-all!
Where are we going? And what am I doing in this handbasket?

#14 Sane


Posted 27 May 2004 - 02:13 PM

I appreciate both of your replies but neither helps me. To the first - I don't know anything about going into or editing the registry, and I don't know of this "appinit_dll" that you're referring to, I don't remember coming across that. To the second - I'm pretty sure my infection is not the "VX2.BetterInternet" variant. However I am still fairly sure of a few files associated with the infection, and I should mention...

Last night I did the following tasks on my own:

With HJT I checked for removal the following two entries:
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

I then ran TheKillBox and deleted-on-reboot the file "C:\Program Files\Internet Explorer\Iesearch.exe".

I know more needs to be done, but these were just a few things that I was 99% sure weren't right, and I wanted to at least do something about it.

Now CWShredder doesn't find anything when I scan with it, but the registry values are still caught by Ad-Aware upon restart, and my IE homepage is still being reset. Furthermore, all the other files I listed in the first post of this topic are still present (in case any of them are a part of the infection).

So further instructions are still needed. Anybody?

#15 goldbadge


Posted 27 May 2004 - 03:45 PM

If you visit this thread you will see what I'm talking about concerning the appinit_dll. Read the thread through pretty good as the solution changes somewhat as people have difficulty removing the offending dll. Hope this helps. http://www.spywarein...topic=1499&st=0

#16 Sane


Posted 27 May 2004 - 05:04 PM

I do not feel safe following the advice of another person's thread when the symptoms don't appear to be the same as mine. I've also been told it's risky business going into the registry to edit things, so I'd rather get specific advice pertinent to my own situation if that's what I have to do.

If I don't receive any help by tomorrow evening, I think I'll just do some guesswork myself and try to fix it on my own. I understand how busy this site is, and that my problem may not have an easy or even known solution.

Edited by Sane, 27 May 2004 - 05:05 PM.


#17 Sane


Posted 27 May 2004 - 08:00 PM

Second to last bump for tonight.

#18 goldbadge


Posted 27 May 2004 - 11:06 PM

Well dude, do what ya gotta do but don't expect quick service here. There shouldn't be anything in the section of the registry appinit_dll, so if reg lite has a value there you better remove it according to that other thread. I bumped a topic for a week and no responses. Do yourself a favor and start reading and searching. Empower yourself and don't be a slave to waiting for these guys, when the help might not come. As for you not feeling safe doing anything, you didn't have a problem going to questionable sites to become infected in the first place. We all know that's where this stuff comes from 90% of the time.

#19 bankwest

bankwest

    Member

  • New Member
  • Pip
  • 2 posts

Posted 28 May 2004 - 08:41 AM

I just had to add that I am with you on getting help from this site. Few months ago I got a response the same day on helping with the HJT log and now I have had a new post and one from work that is probably 2 weeks old. Moved it to the top a few times and nothing. Not sure what guidelines they use to decide who they will help and who they ignore. I am frustrated. Anyone know of other sites that can help? These guys are great and I know they must be overwhelmed with postings BUT... When I need help, I need help.

I guess I will have to try to learn more of this and faster...

#20 Sane


Posted 29 May 2004 - 05:56 PM

"There shouldn't be anything in the section of the registry appinit_dll, so if reg lite has a value there you better remove it according to that other thread."

Are you sure about this? Because I ran Registrar and followed the instruction, and for the AppInit_DLLs it found "c:\windows\system32\comjpd.dll". But that's not the same .dll as discussed in the other thread. Can I be sure that it's still a bad thing, and that I should handle it the same way?

#21 Sane


Posted 29 May 2004 - 08:08 PM

??

#22 Sane


Posted 30 May 2004 - 12:17 AM

bump.

#23 Sane


Posted 30 May 2004 - 05:25 PM

:huh:

#24 Sane


Posted 31 May 2004 - 05:18 PM

Can anybody answer that question? :oops:

#25 Sane


Posted 01 June 2004 - 03:06 AM

:wtf:

#26 Miker

Miker

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 June 2004 - 05:14 PM

I can sense your frustration with all of this...I don't know where you are in terms of a fix for your problem but the answer is out there.

My hijack problem didn't sound as severe as yours, but the steps I took to get it fixed, resulted in getting the problems solved in less than a day:

1. Read and follow the FAQ. (it is a lot of work but it solved 85% of the problem)
2. When you post to the forum say that you read and followed the FAQ and here are the results with the Hijack log.

It did take more time on my part but I did learn a couple of things about the solution. One suggestion I would have to you is to start fresh with the forum. Maybe a new registration and then when you post your query make your topic and discussion line relevant to what you have done. Say that you followed the FAQ and that here are the results. Above all be thoughtful of others and why they are here. People will always offer suggestions but if you slag everything they say, they will stop offering help.

Best of luck!



