klingsor

Search.x keeps reappearing

4 posts in this topic

Hi,

First of all, any help is appreciated. I've been struggling with this for over a week now. From what I can gather I have search.x but CWS shredder can't remove it completely. It removes it at first but then it re-appears after some time, usually a reboot. It redirects the homepage in IE to about.blank and from there to some sort of search page (it isn't a yellowpages search page though).

Below is the log file from the cleaned up version. I can't see anything so that leads me to believe I'm dealing with something else. I've read on the main page that sometimes the yellowpages version is coupled with search.x and that it prevents a proper removal. I tried to remove yellowpages variety manually but the offending file doesn't seem to be there. When I follow the instructions, there is no winajbm file to remove.

So.... what should I do here? search.x comes back after a reboot, cws removes it and then it comes back again on reboot.

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\atievxx.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\audiograbber\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myduke.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)


Klingsor

Could you download dllfix and unzip it to a folder? (The download is a self-unzipper.) Run Start.bat by double-clicking it.

Choose option 1 (Find All). It will produce a text file.

Please post the text file here.

The offending file is not always called 'winajbm.dll', but appears with a random filename.

PS Are you sure you posted the whole Hijack This log?

Did you recently empty the 'C:\Windows\Downloaded Program Files' folder?

_______

Wiskonst

Edited by Wiskonst


Hi,

Thanks a lot for the assistance. Okay, I ran the program and here is the text printout. I'm not sure what to look for. Once again, this is very much appreciated.

-------------

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (1816:164B) - FS:FAT clusters:4k

Total: 5 987 868 672 [5.6G] - Free: 1 848 500 224 [1.7G]

 

 

*IE version and Service packs:

6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.1.2600.0 C:\WINDOWS\system32\notepad.exe

5.1.2600.0 C:\WINDOWS\notepad.exe

*Media Player version :

8.0.0.4477 C:\Program Files\Windows Media Player\wmplayer.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

 

 

 

Locked or 'Suspect' file(s) found...

These may be other files that Dllfix doesnt target.

If not file is listed than Dllfix may not Help.

in this case please post the contents of Windows.txt to the appinit

entry can be checked. You will find it in the dllfix folder after findall completes.

\\?\C:\WINDOWS\System32\RESMKI.DLL +++ File read error

\\?\C:\WINDOWS\System32\RESMKI.DLL +++ File read error

 

 

Scanning for main Hijacker:

File found was C:\WINDOWS\System32\LHGPD.DLL

Md5 tested As C87354D67A8B9828F483C6F90C496972

 

known baddies that dllfix targets are:

0758CF635DF08AC381962F74832B6484

C87354D67A8B9828F483C6F90C496972

4E24A18F3A557AF479219E47E27B8B59

 

 

Dllfix must have the Hijackerfiles in system32 to fix properly.

If there are no protocal keys text/html and text/plain

then dllfix may not work. This fix targets this type Hijack Entry.

that keeps reoccuring with different filenames.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page

= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

*Security settings for 'Windows' key:

 

If error than registry may need to be restored from option 4.

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

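An added example, not part of the thread and not dllfix's own code: a small Python parser for the Find All report posted above, showing that the hijacker is identified by its MD5 appearing on the tool's target list rather than by its (random) filename. The `triage` function and its field names are hypothetical; the sample text is excerpted from the report in the post.

```python
import re

# Excerpt of the Find All report posted above; values copied from the thread.
REPORT = r"""
\\?\C:\WINDOWS\System32\RESMKI.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESMKI.DLL +++ File read error
Scanning for main Hijacker:
File found was C:\WINDOWS\System32\LHGPD.DLL
Md5 tested As C87354D67A8B9828F483C6F90C496972

known baddies that dllfix targets are:
0758CF635DF08AC381962F74832B6484
C87354D67A8B9828F483C6F90C496972
4E24A18F3A557AF479219E47E27B8B59

"AppInit_DLLs"=""
"""

MD5_LINE = re.compile(r"^[0-9A-Fa-f]{32}$")
LOCKED = re.compile(r"(?:\\\\\?\\)?(.+?)\s*\+\+\+ File read error")

def triage(report: str) -> dict:
    """Hypothetical helper: summarise a Find All report by content, not filename."""
    out = {"found": None, "md5": None, "known": set(), "locked": [], "appinit": None}
    in_known = False
    for line in (raw.strip() for raw in report.splitlines()):
        if not line:
            continue  # forum pastes double the blank lines; they carry no meaning
        if m := re.match(r"File found was (.+)", line, re.I):
            out["found"] = m.group(1)
        elif m := re.match(r"Md5 tested As ([0-9A-Fa-f]{32})$", line, re.I):
            out["md5"] = m.group(1).upper()
        elif line.lower().startswith("known baddies"):
            in_known = True
        elif in_known and MD5_LINE.match(line):
            out["known"].add(line.upper())
        else:
            in_known = False  # any other line ends the hash list
            if (m := LOCKED.match(line)) and m.group(1) not in out["locked"]:
                out["locked"].append(m.group(1))  # the report repeats the entry
            elif m := re.match(r'"AppInit_DLLs"="(.*)"', line, re.I):
                out["appinit"] = m.group(1)
    # The random filename proves nothing; the MD5 match against the tool's list does.
    out["hash_match"] = out["md5"] is not None and out["md5"] in out["known"]
    # Unreadable files other than the hashed one still need a separate look.
    found = (out["found"] or "").upper()
    out["other_locked"] = [p for p in out["locked"] if p.upper() != found]
    return out

print(triage(REPORT))
```

On this excerpt the tested hash matches the target list, and the unreadable RESMKI.DLL is reported separately because it is not the file that was hashed.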

Klingsor

Please download UnrealCW and unzip it to a folder.

Close all browser windows (first print this post).

Then run start.bat once more, but now choose option 2 (Run Fix),

then choose option 1 (Enter the DLL manually).

You will see the sentence: 'Enter full name and hit Enter C:\Windows\System32\'

At the end of the sentence at the red cursor type 'LHGPD.DLL' (without quotes and no spaces in front of it) and hit the Enter key.

You will see a message 'Restart in 14 seconds'. Let the reboot go on.

During reboot you will see a DOS window. Folder C:\Windows\System32 is scanned in two passes.

When the boot is completed please post a new Find All result (Start.bat option 1) plus the log.txt as well as the windows.txt you will find in the dllfix folder.

_______

Wiskonst
