Russian search bar uses "404" page



#1 Cheyenne


Posted 06 June 2004 - 12:02 AM

Help! My "404" Error page has been hijacked!!

I get an error message whenever I type a bad URL -- PLUS a Search/Tool Bar!

That's a little added extra. See the attached .txt for the source code. The active element seems to be:

CLASSID='clsid:B45FF030-4447-11D2-85DE-00C04FA35C89'

Any clue on how to get rid of this one? Maybe someone could give some basic instructions on editing the registry here regarding the Windows Error Page in Win98 (sorry for the old OS!).

See attached .txt file for the source code on this (see attached).


Edited by Cheyenne, 06 June 2004 - 07:35 AM.


#2 Archon_Wing


Posted 07 June 2004 - 08:13 PM

Let's see a Hijack This log.
Download Hijack This from http://mjc1.com/mirror/hjt/ Put the file in its own folder. Double click on the file to start the program. Press the "scan" button. Don't fix anything yet, because many entries are useful. When the scan finishes the scan button will change to save log. A notepad window will open. Copy and paste the whole log into a post. If you are unclear on how to do this, try clicking here
Rights are never important until you don't have them.

#3 Cheyenne


Posted 23 June 2004 - 12:08 AM

You guys are great! Sorry my response took so long.

Logfile of HijackThis v1.97.7
Scan saved at 2:49:47 AM, on 6/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ACCELERATOR\PROPELAC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOAD\HIJACK_THIS\HIJACKTHIS.EXE


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\cheyenne\prefs.js)
O1 - Hosts: ࡱ
O2 - BHO: (no name) - {3a5da05d-5b50-455d-93c9-51e76d76c1dc} - (no file)
O2 - BHO: (no name) - {5bf42dd1-94c6-41c9-9709-b3a37bd589e8} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {BE324B5E-599D-4729-9592-2F1E3F3E201F} - C:\WINDOWS\ZYWNKQA.DLL
O2 - BHO: (no name) - {30E31074-077A-4D26-B083-835DBAE84D83} - C:\WINDOWS\FKUX.DLL
O2 - BHO: (no name) - {40E3D7F1-9227-4441-BF44-F9ECB10EA04E} - C:\WINDOWS\VGEW.DLL
O2 - BHO: (no name) - {FF0803C1-32C6-4212-8E16-767530D01E58} - C:\WINDOWS\RHGCV.DLL
O2 - BHO: (no name) - {3BF1C6FA-5975-4714-BB54-206547CAC2C0} - C:\WINDOWS\XIBUEUD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Search Using Copernic - Search Extension.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: Yahoo! Hearts - http://download.yaho...nts/y/hr1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7868.3726851852
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...55/sdcregie.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.co...aploader_v5.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...s/serialzip.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: cpcScanner - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = earthlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.217.120.83,207.217.77.82


I'd be interested in getting rid of as much as I could of this stuff -- even the yahoo games stuff. Whether this succeeds in getting rid of that Russian search tool bar -- that I'd like to see!

By the way, that roings stuff is eternal - I'd like to be rid of that. McAfee I no longer have installed on my computer. I see the "funwebproducts," too -- yuck! iTunes I don't even use, Norton Symantec Systemworks and NAV I do use, and Google and the Earthlink Pop-Up blocker, but no other search engines (please). GetRight downloader I do use; Copernic and other language translators I no longer use.

ptsnoop is left over from an old OEM internal modem I no longer use; I use an external modem. ICQ shouldn't be on top of my browser, should it? cjb.net is "web redirection" - huh? And what business does crucial.com have with my browser? Can I take the QuickTime thingee off -- and the MarketBrowser, too -- and the Post Office -- even if I want to use them later? So many questions. . . .

But somehow I have not succeeded in installing a workable copy of Spybot Search & Destroy 1.3 on my computer. It simply _does not work_. I've tried installing and installing. Any help possible there? Possibly the registry is messed up somehow.

Do you see a mention of my original problem? I don't. And I'm beginning to think that this Russian 404 thingee is a registry problem, too.

Any help appreciated, and thanks -- in advance!! Just tell it to me straight.

Cheyenne

Edited by Cheyenne, 27 June 2004 - 02:13 AM.
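
The log above is a plain line-oriented format (section code, " - ", body), so the first pass a helper does on it can be automated. The following is an added example, not part of this thread and not HijackThis code: a small Python triage script that parses entries in that format and flags the patterns a reviewer would look at first. The sample lines are copied from the log posted above; the `\u0871` character is a stand-in for the unreadable character in the thread's O1 line, and the "unnamed BHO loaded from a DLL directly in the Windows folder" rule is a review heuristic, not a verdict on any particular file.

```python
import re
from dataclasses import dataclass

# Constructed sample: entry lines in HijackThis v1.97 log format, copied from
# the log posted in this thread. "\u0871" stands in for the unreadable O1 character.
SAMPLE_LOG = "\n".join([
    r"Logfile of HijackThis v1.97.7",
    r"C:\WINDOWS\EXPLORER.EXE",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=localhost:1",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm",
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    "O1 - Hosts: \u0871",
    r"O2 - BHO: (no name) - {BE324B5E-599D-4729-9592-2F1E3F3E201F} - C:\WINDOWS\ZYWNKQA.DLL",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab",
])

# "O2 - BHO: ..." : section code, separator, body. Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.*)$")
# BHO body: "<name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# A DLL sitting directly in C:\WINDOWS (not in a subfolder such as SYSTEM).
WINDIR_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, raw line) for each HijackThis entry line in the log."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sect"), m.group("body"), raw.strip()


def triage(text):
    """Return the entries a reviewer should look at first, with the reason for each."""
    findings = []
    for sect, body, raw in parse_entries(text):
        if sect == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)":
                path = m.group("path")
                if path == "(no file)":
                    findings.append(Finding(sect, "orphaned BHO registration (DLL no longer present)", raw))
                elif WINDIR_DLL_RE.match(path):
                    findings.append(Finding(sect, "unnamed BHO loaded from a DLL directly in the Windows folder", raw))
        elif sect == "O1":
            payload = body.split(":", 1)[1].strip() if ":" in body else body
            if not payload.isascii():
                findings.append(Finding(sect, "Hosts entry is not plain ASCII (file may be binary or mis-encoded)", raw))
        elif sect == "R1" and ",ProxyServer" in body:
            findings.append(Finding(sect, "proxy server set in Internet Settings; confirm it was configured on purpose", raw))
        elif sect == "R3" and body.endswith("(no file)"):
            findings.append(Finding(sect, "orphaned URLSearchHook (DLL no longer present)", raw))
        elif sect == "O6":
            findings.append(Finding(sect, "IE options restricted by policy; confirm the restriction was set on purpose", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries that are named and live under Program Files (the Norton and Acrobat helpers above) pass through untouched; the script is meant to narrow a 100-line log down to the handful of lines worth a human's attention, not to decide what gets fixed.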


#4 Cheyenne


Posted 23 June 2004 - 12:27 AM

By the way, I think that I found a possible Internet source for this Russian "404" Error page.

Try <http://vfl.ru/begun>

In fact I think I saw that URL flash on the bottom of my browser while a page was loading recently. It was a techie webpage. So maybe they do web ads, too?

Cheyenne

#5 Cheyenne


Posted 27 June 2004 - 02:08 AM

The Truth is finally coming out!!

I ran "Hijack This!" again [v.1.97.7], and -- lo and behold -- a new entry appeared:

O1 - Hosts: ࡱ

Does this help? That last final word is unreadable, of course.

I don't know why this entry didn't appear before. I did download a fresh copy of "Hijack This" - I'll admit to that. But I believe the version was still the same version of the software on 6/23 as on 6/27 [v.1.97.7].

Here is how the "Info on Selected Item..." button for <O1> on the "Hijack This!" scan log reads:

"A change in the 'Hosts' system file Windows uses to lookup domain names before quering [sic] internet DNS servers, effectively making Windows believe that 'auto.search.msn.com' has a different IP than it really has and thus making IE open the wrong page whenever you enter an invalid IP domain name in the IE address bar."

I had been running other adware programs (Ad-aware & Pest Patrol), of course, but my best explanation for the new <O1> line is that in between the two scan logs I had been fiddling with my HOSTS file(s). I changed the format of the HOSTS file to .txt and also to .doc before going back to the original HOSTS file format. For a while all HOSTS files were entirely removed from the WINDOWS file folder and saved elsewhere.

Then, after restoring the HOSTS file back into the WINDOWS file folder, I ran "Hijack This!" for the second time with a fresh downloaded copy, whereupon the <O1> entry appeared on the scan log for the first time.

This is interesting because it indicates that this '404' page hijack I am suffering from has the initial ability to obscure the changes made to the HOSTS file apparatus. A <O1> tag line may not appear at first. That's good to know!

In the future a '404' Hijack victim may need to change the format of the HOSTS file temporarily to .txt or .doc, and then remove the HOSTS from the WINDOWS folder, and then re-introduce it back into the WINDOWS folder before finally converting it back to HOSTS file format by removing the .txt or .doc end-tag.

I've subsequently substituted the newer "Hijack This!" scan log over the older one (See post above).

Also, I have scanned my registry for the CLSID: {B45FF030-4447-11D2-85DE-00C04FA35C89}.

I have found three separate CLSIDs ending in a final -00C04FA35C89 string. The actual match I'll call 'CLSID #A':

HKEY_CLASSES_ROOT\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89}
[CLSID #A]

HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89}
[This is also CLSID #A -- the real McCoy.]

HKEY_CLASSES_ROOT\Interface\{1611FDDA-445B-11D2-85DE-00C04FA35C89}
[Let's call this CLSID #B - an incomplete CLSID matchup - except for the final string]

My Computer\HK_Classes_Root\SearchAssistantOC.SearchAssistantOC\CLSID
where the (Default) is: "{1611FDDA-445B-11D2-85DE-00C04FA35C89}"
[CLSID #B]

HKEY_CLASSES_ROOT\SearchAssistantOC.SearchAssistantOC.1\CLSID
where ALSO the (Default) is: "{1611FDDA-445B-11D2-85DE-00C04FA35C89}"
[CLSID #B]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
where 'b' is "{1611FDDA-445B-11D2-85DE-00C04FA35C89}"
[CLSID #B]

HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{429AF92C-A51F-11d2-861E-00C04FA35C89}
[Let's call this CLSID #C - yet another incomplete clsid matchup]

HKEY_LOCAL_MACHINE\Software\CLASSES\Interface\{1611FDDA-445B-11D2-85DE-00C04FA35C89}
[CLSID #B again]

Hope this isn't too much info to digest. Any help with the registry possible?

Cheyenne

Edited by Cheyenne, 28 June 2004 - 12:33 AM.
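
The HijackThis description quoted above explains the mechanism: a Hosts entry that points 'auto.search.msn.com' at a different address changes where IE lands when an address cannot be resolved. The post also describes saving the HOSTS file as .txt and .doc, which is exactly the kind of change that turns a plain text file into something the system cannot read. The following is an added example, not from this thread, from HijackThis, or from Microsoft: a Python checker that takes the raw bytes of a HOSTS file, reports when the file is not plain ASCII text (a Word .doc, a UTF-16 "Unicode" save, or stray non-ASCII bytes), and lists every name mapped to an address other than loopback or 0.0.0.0 so the reader can judge each one. All sample contents are constructed; 192.0.2.10 is a documentation address, and the OLE signature is the eight bytes every Word .doc of that era starts with.

```python
import ipaddress

# Signature of an OLE compound document (what a Word .doc file begins with).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Byte-order marks written by editors that save text as "Unicode" (UTF-16).
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")

# Constructed sample files. 192.0.2.10 is a reserved documentation address.
CLEAN_HOSTS = b"127.0.0.1\tlocalhost\n"
HIJACKED_HOSTS = (
    b"127.0.0.1 localhost\n"
    b"# constructed example of the redirection described by the HijackThis O1 text\n"
    b"192.0.2.10 auto.search.msn.com www.example.com\n"
)
DOC_HOSTS = OLE_MAGIC + b"\x00" * 8            # HOSTS accidentally saved as a Word document
UNICODE_HOSTS = "127.0.0.1 localhost\r\n".encode("utf-16")  # saved as UTF-16 with a BOM


def inspect_hosts(data: bytes) -> dict:
    """Report format problems and non-loopback name mappings in a HOSTS file's raw bytes."""
    result = {"format_problem": None, "redirects": [], "malformed": []}

    if data.startswith(OLE_MAGIC):
        result["format_problem"] = "OLE compound document (e.g. a Word .doc), not a text file"
        return result
    if data.startswith(UTF16_BOMS):
        result["format_problem"] = "UTF-16 text with byte-order mark; a plain ASCII file is expected"
        return result
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        result["format_problem"] = "non-ASCII bytes present; the file is damaged or mis-encoded"
        return result

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            result["malformed"].append((lineno, raw))
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            result["malformed"].append((lineno, raw))
            continue
        # 127.x and 0.0.0.0 entries are the normal way to name localhost or to block a host;
        # anything else sends the listed names to a real address and deserves a look.
        if addr.is_loopback or addr.is_unspecified:
            continue
        for host in parts[1:]:
            result["redirects"].append((host.lower(), str(addr)))
    return result


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS),
                          ("doc", DOC_HOSTS), ("unicode", UNICODE_HOSTS)]:
        print(label, inspect_hosts(sample))
```

Run against the real file (on Windows 9x, C:\WINDOWS\HOSTS, read with `open(path, "rb")`), a non-empty `format_problem` explains a HijackThis O1 line that shows an unreadable character, while a `redirects` entry for a browser search hostname is the mapping the quoted O1 description is talking about.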




