browser hijacked by your-searcher.com


4 replies to this topic

#1 06jh20
Full Member, 32 posts

Posted 10 June 2004 - 09:54 AM

Hello everyone!! I have been here before as jdh20 but had to re-register as 06jh20. I am familiar with this great board and have received excellent help in the past. Any help again would be greatly appreciated. I was just hijacked by your-searcher.com. I have already run the latest version of CoolWebShredder, and listed below is the HijackThis log. I already went through and fixed anything that had your-searcher.com in it. The funny part about HijackThis is that it now creates backup files right on my desktop.

Logfile of HijackThis v1.97.7
Scan saved at 10:51:24 AM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\Program Files\mcafee.com\Agent\mcupdate.exe
C:\windows\cvchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AutoCAD LT 97\aclt.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\josh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\josh\Application Data\winci\winci.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\mcafee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Common Files\submit.exe"
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\DOCUME~1\josh\APPLIC~1\winci\winci.dll,UpdateDll s
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

#2 06jh20
Full Member, 32 posts

Posted 10 June 2004 - 02:34 PM

I forgot that I also ran SpyBot and fixed all of the errors, but I am still having the same problem with my browser... I am also getting a bunch of pop-ups now.

#3 06jh20
Full Member, 32 posts

Posted 14 June 2004 - 06:02 AM

Someone please help... This is my work computer. Things have really slowed down, especially the web. Any help is greatly appreciated.

#4 Mokkers
New Member, 2 posts

Posted 03 July 2004 - 09:05 PM

What you have is a variation on the searchx hijack. Two DLLs get copied to your PC but one of them is hidden ... so while you can keep deleting the one you see the problem never goes away. Here are the steps that should get the problem fixed.

1) Download and install Registrar Lite

2) Do a search of your PC for DLLs from the date the problem occurred forward. The rogue DLL will be 30 KB in size, and there may be more than one. I can give you names, but it won't help because every time the DLL is created it has a different name. These are the CLSIDs that I found:

HKEY_CLASSES_ROOT\CLSID\{26450096-4E19-4A79-867D-806B79D6C020}
HKEY_CLASSES_ROOT\CLSID\{63DB33EF-4EC5-47E4-851B-752F6194832D}
HKEY_CLASSES_ROOT\CLSID\{6D43F233-ECDD-4EB3-B134-35A04B017BAC}
HKEY_CLASSES_ROOT\CLSID\{6D6CD0CF-EBDA-4AD3-9B11-728EC44DAB2D}
HKEY_CLASSES_ROOT\CLSID\{76D627D1-1E9E-4FDD-8535-F55033CE6B2C}

3) Once you locate the DLL(s) you need to do a registry search using RegEdit and delete ALL CLSIDs associated with the DLLs.

4) Open Registrar Lite and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

You will see a key named AppInit_DLLs. Even though there doesn't appear to be a value, there really is. Double-click on the key to display the properties. At the bottom you will see a value, which is a path to the hidden DLL. In my case the name of the DLL was WINCI.DLL.

DELETE that entry for the key.

5) Reboot your PC and go into safe mode. The hidden DLL (WINCI.DLL) should now be visible. Delete that DLL and the DLL(s) you had located earlier.

NOTE:

It may be that before you remove the AppInit_DLLs key value that you first rename HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows2, then after rebooting and removing the DLLs go back and rename it to the original name.

Edited by Mokkers, 03 July 2004 - 09:06 PM.
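As an added, read-only audit that is not part of Mokkers' post: this PowerShell snippet prints the AppInit_DLLs value the steps above describe and lists every registered Browser Helper Object together with the DLL its CLSID resolves to, whether that file exists and whether it is signed, so the entries to be hunted down can be confirmed before anything is deleted. It assumes a modern Windows with PowerShell run from an elevated console; the registry paths are the standard locations and no value is changed.

```powershell
# Added audit example, not code from the thread. Read-only: it only reports.

function Get-AppInitDlls {
    # AppInit_DLLs is loaded into every process that loads user32.dll, which is
    # why a DLL named there (WINCI.DLL in the thread) keeps reappearing.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key              = $key
            AppInit_DLLs     = $p.AppInit_DLLs
            LoadAppInit_DLLs = $p.LoadAppInit_DLLs   # 0 disables loading (Vista and later)
        }
    }
}

function Get-BrowserHelperObjects {
    # BHOs are registered by CLSID under Explorer; the CLSID's InprocServer32
    # default value is the DLL Internet Explorer will load.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($entry in Get-ChildItem -Path $bhoKey) {
        $clsid  = $entry.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) {
            $raw = (Get-ItemProperty -Path $server).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            CLSID      = $clsid
            Dll        = $dll
            FileExists = $exists
            Signature  = $sig
            # A missing or unsigned BHO DLL is what the thread's steps are looking for
            Suspicious = (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}

Get-AppInitDlls | Format-List
Get-BrowserHelperObjects | Format-Table -AutoSize
```

A hidden file still resolves through Test-Path, so a DLL reported as existing but invisible in Explorer matches the "hidden DLL" case the post describes.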


#5 Mokkers
New Member, 2 posts

Posted 03 July 2004 - 09:13 PM

Oh yeah ... one more thing.

What I wouldn't give to have a baseball bat and be in a locked room with the people who write this crap.
