CWS won't pick this up and it won't go away with HJT



#1 Screaminghell

Screaminghell

    Member

  • New Member
  • Pip
  • 4 posts

Posted 14 June 2004 - 04:35 PM

My browser is being hijacked by "res://socna.dll/index.html#96676", but that ".dll" file gets regenerated. Here is my HJT log, but whenever I delete the bad files they are regenerated, just like the about:blank problem, and I cannot get rid of this one. Also, Startup Monitor keeps asking if I want "msfx32.exe" (or something like that); of course I don't let it run, but it keeps appearing. Thank you so much in advance.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\socna.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://socna.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://socna.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\socna.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://socna.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\socna.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C88D1F4A-0570-A95A-9CF7-DE2D8831986E} - C:\WINDOWS\netpb.dll
O2 - BHO: (no name) - {D6036847-0CE9-CD98-8490-CBE09650BB49} - C:\WINDOWS\winna.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [win updates] wugrds.exe
O4 - HKLM\..\Run: [Microsoft Update] SCVHOSTXP.exe
O4 - HKLM\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\RunServices: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [Microsoft Update] SCVHOSTXP.exe
O4 - HKLM\..\RunServices: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - HKCU\..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKCU\..\Run: [Microsoft Update] SCVHOSTXP.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8146.6848726852

Thanks again.

Edited by Screaminghell, 14 June 2004 - 04:42 PM.


#2 fdell

fdell

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 14 June 2004 - 05:34 PM

I think that the thing that you are missing is running fixdll. Here is the order that did it for me.

Run HJT and "fix" all of the R0 and R1 lines.

Then change your homepage manually in Control Panel > Internet Options.

Then run dllfix. That worked for me. At the first option, choose 2 for fix. At the second prompt, select 2. "fix without DLL name ..." and let it run. It will probably need to reboot and control your startup to get rid of the hidden .dll generating files.

After you are back up, check your homepage setting again in control panel, run Shredder one more time and then run Adware or Spybot S&D and then see if your browser stays hijack free. (I found Adware to be more effective. There is presently a bug in Spybot that gives my system false readings of DSO exploits. The Spybot folks are working on it but the patch isn't done yet.)

I am far from an expert, but that sequence worked for me in dealing with CWS search X.

Make sure you have the software downloaded, unzipped and ready to go before you start this sequence if you haven't downloaded the programs already. dllfix was the silver bullet for me. Hope this helps!
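
Added example, not part of any post in this thread: a small parser that pulls the R0/R1 lines out of a HijackThis log, keeps those whose value is a `res://` URL served from a DLL, and compares a log taken before the fix with one taken after the reboot to show which values came back. The function names and the "after" log are assumptions made for illustration; the "before" lines are copied from the log in post #1.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the log in post #1.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\socna.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://socna.dll/index.html#96676
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
# Constructed "after reboot" log for the comparison (not from the thread).
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://socna.dll/index.html#96676
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")          # "R0 - ..."
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# res:// URL with or without a full path in front of the DLL name
RES_DLL_RE = re.compile(r"^res://(?:.*[\\/])?(?P<dll>[^\\/]+\.dll)/", re.I)

def res_hijack_entries(log_text):
    """Map each DLL named in a res:// URL to the (hive, value name) pairs
    of the R0/R1 lines that point at it."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line or line["sec"] not in ("R0", "R1"):
            continue                      # only IE start/search page entries
        reg = REG_RE.match(line["body"])
        dll = RES_DLL_RE.match(reg["data"].strip()) if reg else None
        if dll:
            hive = reg["key"].split("\\", 1)[0]
            hits[dll["dll"].lower()].append((hive, reg["name"].strip()))
    return dict(hits)

def regenerated(before_log, after_log):
    """Entries present in both logs, i.e. values that came back after the fix."""
    before, after = res_hijack_entries(before_log), res_hijack_entries(after_log)
    return {dll: sorted(set(before[dll]) & set(after[dll]))
            for dll in before if dll in after}

if __name__ == "__main__":
    print(res_hijack_entries(BEFORE))
    print(regenerated(BEFORE, AFTER))
```
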

#3 Screaminghell


Posted 15 June 2004 - 03:06 PM

Thanks for taking the time to help! After running fixdll, it removes a few things but then gives me the prompt "Error: The system was unable to find the specified registry key or values." and after rebooting everything is regenerated again.

#4 Screaminghell


Posted 16 June 2004 - 03:40 AM

Also, after I delete all of the bad files and restore everything, the bad files aren't regenerated until I get the pop-up titled "only the best"; then I have newly regenerated .dll files...



