• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
spaceace13

new type of hijacker? Please help

5 posts in this topic

I think I have stumbled on a new variant of the Coolweb search or lookthru.cc hijacker. I have run the newest versions of spy-bot, CWshredder, and the updated trial version of trojan hunter. both cw shredder and spybot came up clean. There were a few questionable items in trojan hunter. My home page in IE is always redirected to

 

res://scyxm.dll/url_error.html#

 

if i miss type a url or forget the www. I am automatically redirected to a page titled WINDOWS HELP CENTER with a variety of search options. The url is what appears above with what ever website I was attempting to go to after the #.

 

Below is my hijackthis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:28:15 PM, on 6/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe

C:\WINDOWS\javagb.exe

C:\Program Files\Norton Utilities\SYSDOC32.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\syslc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Nancy\Local Settings\Temporary Internet Files\Content.IE5\5CWF594T\HijackThis[1].exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\scyxm.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://scyxm.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://scyxm.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\scyxm.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://scyxm.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\scyxm.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://192.168.1.1/

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Nancy\Application Data\Mozilla\Profiles\default\y84uwxyp.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nancy\Application Data\Mozilla\Profiles\default\y84uwxyp.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {708C8B10-3987-7E41-9F01-070C226FA765} - C:\WINDOWS\system32\javaer32.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe

O4 - HKLM\..\Run: [javagb.exe] C:\WINDOWS\javagb.exe

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/sw.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/02b5e256b5c5ba32f504/...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7684.4844791667

O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://wbt.applieduniversity.com/wintam/In...aDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

I would appreciate any help with this.

 

Thank you.

Share this post


Link to post
Share on other sites

ok, try this:

 

As this is a relativly new and difficult infection to clean.. I suspect that the DLL I am looking for is hidden very well and you need the DLLFIX.. So please try this for me..

 

Download the file from

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

and save it in a place you like.

 

The file when downloaded will be dllfix.exe.

 

Double-Click or Open the self-extracting file. It will ask for installation and change location. Please Keep it in BOOT drive and not in any place else. Preferable in Desktop.

 

Navigate to the folder with the contents of the file. You will see there are two more folders inside and two BAT files.

 

Run start.bat and you should get a screen with options.

Run the Option 1. for report. Which when run will have a purple screen.

 

Once the search is complete a ".txt" file should pop up with the name "Output.txt". Keep it. You will see there is a random dll named there if found. If you are not sure Post the log for Expert View.

 

NOW:

Run the start.bat again after dll found or whatever. Run option 2 and choose correct option in submenu. The sub-menu should be another box with options in it. It's probably green to.

 

Option 1 -- > is if you found the dllname that is locked or in the appinit key.

Option 2 -- > is for if you can't find the dllname.

 

It will reboot in 15 seconds.

 

If you are still unsure, Post your query here for Expert View.

 

If you know the file name, Reboot & There will be the scan for the " dll " on-boot screen, which will search and fix it. There will just be a md5 scan if the filename was entered manually. (option 2,1 in start.bat)

 

Reboot and Download ADAWARE. Check for updates. Then Run the update Ad-aware.

 

Reboot. Run HijackThis and save the fresh log.

 

THEN: Post a new Output.txt (option 1 in start.bat ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log here in this thread.. well take it from there

Share this post


Link to post
Share on other sites

Hi. I installed dllfix.exe and ran it. It did not find any files and gave me an error message: the system was unable to find specific registry key or value.

WHen I ran it again and choose option 2 it kept repeating the same error message over and over. It never rebooted. Below is the text log:

 

--==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Tue 06/15/2004

06:28 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (0355:14F9) - FS:FAT clusters:32k

Total: 40 006 156 288 [37G] - Free: 32 922 927 104 [31G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.1.2600.0 C:\WINDOWS\system32\notepad.exe

5.1.2600.0 C:\WINDOWS\notepad.exe

*Media Player version :

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q83

009;Q831167;

 

 

 

Locked or 'Suspect' file(s) found...

These may be other files that Dllfix doesnt target.

If not file is listed than Dllfix may not Help.

in this case please post the contents of Windows.txt to the appinit

entry can be checked. You will find it in the dllfix folder after findall completes.

 

 

Scanning for main Hijacker:

 

 

Dllfix must have the Hijackerfiles in system32 to fix properly.

If there are no protocal keys text/html and text/plain

then dllfix may not work. This fix targets this type Hijack Entry.

that keeps reoccuring with different filenames.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page

= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{708C8B10-3987-7E41-9F01-070C226FA765}]

@=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

If error than registry may need to be restored from option 4.

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

 

Can't open Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

 

2 - The system cannot find the file specified.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0