Url Searchhook


#1 Castle4kq

Posted 14 June 2004 - 07:10 PM

My computer has the URLSearchHook infection. I tried CWShredder but it didn't work. Every time I go into HijackThis to delete it, it just comes back. Any ideas???

Logfile of HijackThis v1.97.7
Scan saved at 8:06:35 PM, on 6/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7921.3589814815
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://nugs.net/dev/dlControl.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
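
As an added example (not code from the thread, from HijackThis or from any of the tools named here), a small Python parser for the R3/O2/O4 lines of the log above. It pulls the CLSID and DLL out of each URLSearchHook/BHO entry and every Run/RunOnce autostart, then reports commands registered under several keys at once and hook DLLs that sit in the same folder as an autostart (here TvmBho.dll beside TVM.EXE). The sample lines are copied from the posted log; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the R3/O2/O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
""".strip()

# R3 (URLSearchHook) / O2 (BHO): "<sec> - <kind>: <name> - {CLSID} - <path>[ (file missing)]"
COM_RE = re.compile(r"^(?:R3|O2) - (\w+): (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*?)( \(file missing\))?$")
# O4: "O4 - <hive>\..\<key>: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")

def parse_hijackthis(text):
    """Split a HijackThis log into COM hooks (R3/O2) and registry autostarts (O4)."""
    com, autostart = [], []
    for line in text.splitlines():
        if m := COM_RE.match(line):
            kind, name, clsid, path, missing = m.groups()
            com.append({"kind": kind, "name": name, "clsid": clsid.upper(), "path": path,
                        "missing": missing is not None})  # "(file missing)" = stale entry
        elif m := RUN_RE.match(line):
            hive, key, name, command = m.groups()
            autostart.append({"hive": hive, "key": key, "name": name, "command": command})
    return com, autostart

def multi_key_autostarts(autostart):
    """Commands under more than one Run*/RunOnce* key: deleting one entry leaves the rest."""
    keys = defaultdict(list)
    for e in autostart:
        keys[e["command"].upper()].append(f"{e['hive']}\\{e['key']}")
    return {cmd: k for cmd, k in keys.items() if len(k) > 1}

def _dirname(path):
    return path.rsplit("\\", 1)[0].upper() if "\\" in path else ""
def hooks_linked_to_autostart(com, autostart):
    """Pair each hook DLL with the O4 commands in the same folder (here TvmBho.dll and TVM.EXE)."""
    by_dir = defaultdict(set)
    for e in autostart:
        if _dirname(e["command"]):  # skip bare names such as SysTray.Exe
            by_dir[_dirname(e["command"])].add(e["command"])
    return [(e["clsid"], e["path"], sorted(by_dir[_dirname(e["path"])]))
            for e in com if _dirname(e["path"]) in by_dir]
```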

#2 microbug

Posted 14 June 2004 - 08:38 PM

Try all processes in Safe Mode.... It might work with System Restore off.

#3 Castle4kq

Posted 15 June 2004 - 12:47 AM

I'll try that, thanks!

#4 Scoff

Posted 15 June 2004 - 05:15 AM

Castle4kq and microbug, please see http://www.spywarein...p?showtopic=148

Castle4kq,

Download: "StartDreck", from here:
http://www.niksoft.a.../startdreck.htm

Unzip to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.

Edited by Scoff, 15 June 2004 - 05:02 PM.

Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky

#5 Castle4kq

Posted 16 June 2004 - 10:37 AM

Scoff,

Here is the StartDreck log.

StartDreck (build 2.1.5 public BETA) - 2004-06-16 @ 11:35:16
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
 »Run Keys
  »Current User
   »Run
    *TV Media=C:\TV MEDIA\TVM.EXE
   »RunOnce
    *TV Media=C:\TV MEDIA\TVM.EXE
  »Default User
   »Run
    *TV Media=C:\TV MEDIA\TVM.EXE
   »RunOnce
    *TV Media=C:\TV MEDIA\TVM.EXE
  »Local Machine
   »Run
    *SystemTray=SysTray.Exe
    *TV Media=C:\TV MEDIA\TVM.EXE
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
   »RunOnce
    *TV Media=C:\TV MEDIA\TVM.EXE
   »RunServices
   »RunServicesOnce
    **szb=rundll32 C:\WINDOWS\SYSTEM\KBDFG.DLL,StreamingDeviceSetup
   »RunOnceEx
   »RunServicesOnceEx
»Files
»System/Drivers
 »Running Processes
  *FFCFC93D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  *FFFF891D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  *FFFF848D=C:\WINDOWS\SYSTEM\MPREXE.EXE
  *FFFE378D=C:\WINDOWS\SYSTEM\mmtask.tsk
  *FFFEDA09=C:\WINDOWS\RUNDLL32.EXE
  *FFFD54A5=C:\WINDOWS\EXPLORER.EXE
  *FFFDD969=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  *FFFD87D9=C:\WINDOWS\SYSTEM\WMIEXE.EXE
  *FFFAD181=C:\WINDOWS\SYSTEM\SPOOL32.EXE
  *FFF94C6D=C:\WINDOWS\SYSTEM\DDHELP.EXE
  *FFFE93AD=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  *FFFB29B9=C:\PROGRAM FILES\HIJACK THIS\STARTDRECK\STARTDRECK.EXE
»Application specific

#6 Scoff

Posted 16 June 2004 - 03:40 PM

Download: "Win98Fix.zip" from here:
http://www10.brinkst...last/pvtool.htm

Unzip to its own folder.

Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.

The bad file should now be visible so you can delete it.
Browse to C:\WINDOWS\SYSTEM\KBDFG.DLL
Right click select 'Properties' and remove any 'Read only' protection.
Right click again and select 'Delete'.

(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)

Make sure you have the latest version of CWShredder (v1.59): open it and hit Update, or download CWShredder from here. Run the program, select 'Fix' (not Scan only) and let it fix everything that it finds.

Download Spybot Search and Destroy from here. Install the program, open it and click the Search for Updates button. When updates are found, put a check mark next to all and click the Download Updates button. Now click the Search & Destroy icon in the left pane, then the Check for problems button at the bottom of the window. When the scan completes, make sure all the items in RED are ticked, then click the Fix Selected Problems button. Screenshot instructions for installation and setup are here if needed.

Download Adaware from here. Install the program, launch it and configure it as follows. Screenshot instructions for setup are here if needed.
  • In the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.
  • Make sure the following settings are made and on (ON = GREEN)
  • From main window : Click Start then Activate in-depth scan (recommended)
  • Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.
  • Now click on the Tweak button in that same window. Under Scanning Engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot.
  • Click Proceed to save your settings. Now to scan just click the Next button.
  • When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
Reboot and post a fresh log; there is more to clean up!

Edited by Scoff, 16 June 2004 - 04:14 PM.

Regards
Scoff

#7 Castle4kq

Posted 28 June 2004 - 04:49 PM

Scoff, thanks for all your help so far. Here is the latest StartDreck log.

StartDreck (build 2.1.5 public BETA) - 2004-06-28 @ 17:49:07
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
 »Run Keys
  »Current User
   »Run
    *TV Media=C:\TV MEDIA\TVM.EXE
   »RunOnce
    *TV Media=C:\TV MEDIA\TVM.EXE
  »Default User
   »Run
    *TV Media=C:\TV MEDIA\TVM.EXE
   »RunOnce
    *TV Media=C:\TV MEDIA\TVM.EXE
  »Local Machine
   »Run
    *SystemTray=SysTray.Exe
    *TV Media=C:\TV MEDIA\TVM.EXE
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
   »RunOnce
    *TV Media=C:\TV MEDIA\TVM.EXE
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  *.bat
   *batfile="%1" %*
  *.com
   *comfile="%1" %*
  *.disabled
   *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY 1.1\blindman.exe" %1
  *.exe
   *exefile="%1" %*
  *.hta
   *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
  *.htm
   *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
  *.html
   *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
  *.js
   *JSFile=C:\WINDOWS\WScript.exe "%1" %*
  *.jse
   *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
  *.pif
   *piffile="%1" %*
  *.scr
   *scrfile="%1" /S
  *.txt
   *txtfile=C:\WINDOWS\NOTEPAD.EXE %1
  *.vbs
   *VBSFile=C:\WINDOWS\WScript.exe "%1" %*
  *.vbe
   *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
  *.wsh
   *WSHFile=C:\WINDOWS\WScript.exe "%1" %*
  *.wsf
   *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
  *.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
  *BHO.IncrediFindBHO.1/{5D60FF48-95BE-4956-B4C6-6BB168A70310}
   `InprocServer32=C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled
  *Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
   `InprocServer32=c:\program files\google\googletoolbar1.dll
»Files
 »Autostart Folders
  »Current User
  »Default User
  »Local Machine
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\msdos.sys
  *C:\config.sys
  *C:\autoexec.bat
  *C:\WINDOWS\dosstart.bat
  *C:\WINDOWS\wininit.bak
»System/Drivers
 »Running Processes
  *FFCF02A3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  *FFFF4283=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  *FFFF4F13=C:\WINDOWS\SYSTEM\MPREXE.EXE
  *FFFEA803=C:\WINDOWS\SYSTEM\mmtask.tsk
  *FFFED63F=C:\WINDOWS\EXPLORER.EXE
  *FFFDA2D7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  *FFFD1B3F=C:\WINDOWS\SYSTEM\WMIEXE.EXE
  *FFFBA84B=C:\WINDOWS\NOTEPAD.EXE
  *FFFECCBF=C:\PROGRAM FILES\HIJACK THIS\STARTDRECK\STARTDRECK.EXE
 »NT Services
»Application specific

#8 Scoff

Posted 28 June 2004 - 05:07 PM

It looks like CWS has gone. Can you post a new HijackThis log as well, to double-check what else needs to be cleaned?
Regards
Scoff
