IE Start page infected


13 replies to this topic

#1 Maff (Full Member, 12 posts)

Posted 09 June 2004 - 10:45 AM

I have recently just rid myself of a variant of about:blank but now I'm reinfected, and this time it's worse. MUCH worse.

Initially AVG virus checker alerted me to a trojan virus. (I can't remember the name of it now as I'm at work and my home CPU doesn't let me go online now!) It appears it infected the IE Start up. I ran AVG to check for infected files; it found 9 and remedied them. I've also tried all the regular methods of ridding yourself of hijacking: CWShredder, HijackThis (using my primitive knowledge of it, e.g. deleting suspicious items) but now the problem seems worse. This is what happens...

The CPU boots up and when I try to open the IE browser a message comes up saying there has been an unknown error in Internet Explorer and it will now close. But it doesn't end there. This error message is then repeated for all the programs running on my desktop, eventually ending with just a cyan screen and nothing else! I can shut down from there. Even when I open 'My Computer' it starts this chain of close down.

What is going on? I will try and post my HijackThis log if I can get my home CPU online.

PLEASE HELP!!
I'm running Windows Me btw

Edited by Maff, 10 June 2004 - 08:20 AM.


#2 Maff (Full Member, 12 posts)

Posted 09 June 2004 - 01:12 PM

Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 19:18:33, on 09/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\LOGON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NTL\BROADBAND MEDIC\SMARTBRIDGE\MOTIVESB.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QMIN\LMMALEIQ.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\NTL\BROADBAND MEDIC\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\SYSTEM\logon.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Startup: LimeWire 4.0.4.lnk = C:\Program Files\LimeWire\LimeWire 4.0.4\LimeWire.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Kangaroo (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
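
As an added example, not part of the thread and not HijackThis's own code: a small Python parser for the HJT entry format shown in the log above, with two triage checks a log reviewer applies before anything else (a toolbar whose DLL is marked "(file missing)", and a Run value named after one .exe that launches a different one, as the [ssate.exe] entry does). The sample text is an excerpt of the log posted above; the heuristics and function names are my own choices.

```python
import re

# Constructed excerpt of the HijackThis log posted earlier in this thread (the forum truncated the O16 URL).
SAMPLE_LOG = r"""C:\WINDOWS\SYSTEM\LOGON.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL (file missing)
O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\SYSTEM\logon.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
O4 - Startup: LimeWire 4.0.4.lnk = C:\Program Files\LimeWire\LimeWire 4.0.4\LimeWire.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")                 # "O4 - <rest>"
REG_RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(.*?)\] ?(.*)$")    # registry Run/RunServices value
STARTUP_RE = re.compile(r"^Startup: (.*?) = (.*)$")                 # Startup-folder shortcut
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

def exe_basename(cmd):
    """Lower-cased file name of the executable in a command line, quoted or not."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b|(\S+)', cmd.strip(), re.I)
    path = next((g for g in m.groups() if g), "") if m else ""
    return path.rsplit("\\", 1)[-1].lower()

def parse_hjt(text):
    """Turn the entry lines of an HJT log into dicts; process list and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = {"kind": m.group(1), "raw": line.strip(), "label": "", "target": "", "clsid": "", "flags": []}
        c = CLSID_RE.search(e["raw"])
        e["clsid"] = c.group(0).upper() if c else ""
        if e["kind"] == "O4":
            r = REG_RUN_RE.match(m.group(2)) or STARTUP_RE.match(m.group(2))
            if r:
                e["label"], e["target"] = r.groups()
        entries.append(e)
    return entries

def triage(entries):
    """Flag dead toolbar references and O4 values whose name claims one .exe but which launch another."""
    for e in entries:
        if "(file missing)" in e["raw"]:
            e["flags"].append("file missing")
        if e["kind"] == "O4" and e["label"].lower().endswith(".exe"):
            launched = exe_basename(e["target"])
            if launched != e["label"].lower():
                e["flags"].append("value %s launches %s" % (e["label"], launched))
    return [e for e in entries if e["flags"]]
```

Running `triage(parse_hjt(SAMPLE_LOG))` returns the Kangaroo toolbar line and the [ssate.exe] entry; the legitimate [logon.exe] value, whose name matches its target, is not flagged by the name check.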

#3 Maff (Full Member, 12 posts)

Posted 10 June 2004 - 03:28 AM

Bump!

BTW The virus is called CWS smartsearch2

Edited by Maff, 10 June 2004 - 03:35 AM.


#4 Maff (Full Member, 12 posts)

Posted 10 June 2004 - 05:13 AM

bump!

Edited by Maff, 10 June 2004 - 09:05 AM.


#5 Maff (Full Member, 12 posts)

Posted 10 June 2004 - 08:15 AM

Bump

#6 Maff (Full Member, 12 posts)

Posted 10 June 2004 - 09:06 AM

bump.

#7 Maff (Full Member, 12 posts)

Posted 10 June 2004 - 10:19 AM

hmm bump!

Edited by Maff, 10 June 2004 - 10:47 AM.


#8 rockfly (Full Member, 41 posts)

Posted 10 June 2004 - 12:15 PM

I have a similar problem, someone help this guy!

#9 Maff (Full Member, 12 posts)

Posted 11 June 2004 - 03:44 AM

Thanks for your support Rockfly! I did get excited for a moment when I saw someone had replied (thinking it was an expert!!) Still, nice to know you're not being completely ignored :D

Another day another bump! ;)

#10 Maff (Full Member, 12 posts)

Posted 11 June 2004 - 08:57 AM

Blimey, it was on page 3 already! I only bumped a few hours ago!

#11 Maff (Full Member, 12 posts)

Posted 11 June 2004 - 09:58 AM

bump

#12 caruch6392 (Full Member, 25 posts)

Posted 11 June 2004 - 10:12 AM

Homepage hijacker:

C:\WINDOWS\SYSTEM\LOGON.EXE

Don't need:

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE

This process doesn't look too good, I would take it out:

C:\WINDOWS\SYSTEM\QMIN\LMMALEIQ.EXE

I don't know if this is your homepage but I don't see why it's not just msn.com; the second entry can go... I would suggest the Google toolbar.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL


These can go:

O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

I think this has to do with the process for hijacking:

O4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\SYSTEM\logon.exe

Don't use LimeWire, it's horrible... if you want to use any of those retarded P2P things use Kazaa Lite K++, but you'll have to dig to find it on the internet:

O4 - Startup: LimeWire 4.0.4.lnk = C:\Program Files\LimeWire\LimeWire 4.0.4\LimeWire.exe

If you're infected with CWS go to my signature and run Ad-Aware, Spybot and most importantly CWShredder, which should get rid of CWS.

Hope this helps, {SoW}Rob

UPDATE and run Ad-Aware
UPDATE and run Spybot Search & Destroy
UPDATE and run CWShredder
Update and use SpywareBlaster
A nifty little program: a-squared 2
Free virus scanner: AVG Anti-Virus
Another free antivirus: Avast!

Don't forget to do Windows Updates.


#13 Maff (Full Member, 12 posts)

Posted 11 June 2004 - 10:44 AM

Many thanks for the reply Rob! Much appreciated.
Okay, I'll get rid of all that you suggested.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

My homepage (was) the BBC homepage so no, I won't need that!

I think my file sharing days are over!! LimeWire... GONE!

I think this virus tried to infect CWShredder when I opened it initially. It created a random string of text to stop it.
I will also try Ad-Aware and Spybot. Shall I post a new log of this?

Massive thanks again Rob. :thumbsup:

#14 Budfred (Malware Hound, Administrators, 21,252 posts)

Posted 11 June 2004 - 11:11 PM

Don't use LimeWire, it's horrible... if you want to use any of those retarded P2P things use Kazaa Lite K++, but you'll have to dig to find it on the internet:

This is an incredibly bad suggestion... Not only is KazaaLite cracked software, it also puts you into the Kazaa network that is riddled with malware... It is one of the main reasons this forum is so busy... If you want to do file sharing, please look here:

http://www.spywarein...m/articles/p2p/

Also, please note that caruch6392 has been making a large number of errors... if you have any more problems, please post back with a fresh log and details....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
