all-thumbs

'Home Search' hijacked (HJT log)

6 posts in this topic

Hi. I've run the latest versions of Spybot and Ad-Aware and can't kill this browser hijacker. The following log is what I get after removing the R0s and R1s that direct the browser to some weird "res://" address that results in a page titled Home Search. Constant popups, too.

I read the Hijack This tutorial and checked the codes against the posted logs, but couldn't find anything for the third O2 - BHO line, the one that starts with E34. Think that's the problem, or am I on the wrong track?

Greatly appreciate any advice. Thanks!

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:19:58 PM, on 6/14/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\NETEW32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\NTBN32.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll (file missing)

O2 - BHO: (no name) - {E34347DB-2F68-8CAE-6B5D-47FE6194EFA1} - C:\WINDOWS\SYSTEM\CRWA32.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [NTBN32.EXE] C:\WINDOWS\NTBN32.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon

O4 - HKLM\..\RunServices: [NETEW32.EXE] C:\WINDOWS\NETEW32.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mov: C:\Program Files\Sympatico\Communicator\Program\PLUGINS\NPQTW32.DLL


Press Ctrl+Alt+Del and 'End Task' on any of the following that are present:

C:\WINDOWS\NETEW32.EXE

C:\WINDOWS\NTBN32.EXE

 

Put a check next to these in hijackthis:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll (file missing)

O2 - BHO: (no name) - {E34347DB-2F68-8CAE-6B5D-47FE6194EFA1} - C:\WINDOWS\SYSTEM\CRWA32.DLL

 

O4 - HKLM\..\Run: [NTBN32.EXE] C:\WINDOWS\NTBN32.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE <--- Optional: not needed at startup and a huge resource hog

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE <--- Optional: not needed at startup and a huge resource hog

 

NOW, WITH ALL OTHER WINDOWS CLOSED, press "Fix".

 

 

Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:-

C:\WINDOWS\NTBN32.EXE

C:\WINDOWS\NETEW32.EXE

Delete the files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!):

• C:\Windows\Temp\

• C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

• C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\

• C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.

• C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

• Empty your "Recycle Bin".

 

If you shut off Find Fast, you have to make it stay off. More HERE.

 

Run an online virus scan at Housecall and/or Panda Online. Please note any virus found and report back with a new log.

 

Then Reboot and post a fresh log back to this thread.


Thanks. Tried these suggestions, as much as I was able to, but no luck. Ran into a couple of obstacles:

1. Was unable to close Netew32 using control-alt-delete. Got this message: "The specified file is being used by Windows."

2. I can't find the Documents and Settings directory. I'm running Windows 98 Second Edition. Is the above in Windows XP?

 

Again, very much appreciate your help. This seems like a very nasty hijacker. Following is my latest HJT.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 8:47:06 PM, on 6/15/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\CROC.EXE

C:\WINDOWS\NETEW32.EXE

C:\WINDOWS\ATLWL.EXE

C:\WINDOWS\WINQY32.EXE

C:\WINDOWS\SYSTEM\SDKHF32.EXE

C:\WINDOWS\ATLXO32.EXE

C:\WINDOWS\SDKWX.EXE

C:\WINDOWS\APPEB.EXE

C:\WINDOWS\SYSTEM\IPYD.EXE

C:\WINDOWS\SYSTEM\IPPH32.EXE

C:\WINDOWS\SYSTEM\JAVAIS32.EXE

C:\WINDOWS\SYSTEM\D3VP32.EXE

C:\WINDOWS\IPUS.EXE

C:\WINDOWS\SYSTEM\JAVAYZ32.EXE

C:\WINDOWS\NETXM32.EXE

C:\WINDOWS\SYSTEM\APPOZ32.EXE

C:\WINDOWS\APPGJ.EXE

C:\WINDOWS\ADDSZ.EXE

C:\WINDOWS\IEMN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\CRWA32.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\WINDOWS\IPUS.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\CRNZ32.EXE

C:\WINDOWS\IPUS.EXE

C:\WINDOWS\IPEP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qbten.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qbten.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qbten.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qbten.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qbten.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qbten.dll/sp.html#96676

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {6C948E70-AB84-E5AD-7F98-E364697B6224} - C:\WINDOWS\NTWL.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [CRWA32.EXE] C:\WINDOWS\SYSTEM\CRWA32.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon

O4 - HKLM\..\RunServices: [NETEW32.EXE] C:\WINDOWS\NETEW32.EXE

O4 - HKLM\..\RunServices: [WINQY32.EXE] C:\WINDOWS\WINQY32.EXE

O4 - HKLM\..\RunServices: [iPYD.EXE] C:\WINDOWS\SYSTEM\IPYD.EXE

O4 - HKLM\..\RunServices: [ATLXO32.EXE] C:\WINDOWS\ATLXO32.EXE

O4 - HKLM\..\RunServices: [APPEB.EXE] C:\WINDOWS\APPEB.EXE

O4 - HKLM\..\RunServices: [ATLWL.EXE] C:\WINDOWS\ATLWL.EXE

O4 - HKLM\..\RunServices: [iPPH32.EXE] C:\WINDOWS\SYSTEM\IPPH32.EXE

O4 - HKLM\..\RunServices: [CROC.EXE] C:\WINDOWS\SYSTEM\CROC.EXE

O4 - HKLM\..\RunServices: [sDKHF32.EXE] C:\WINDOWS\SYSTEM\SDKHF32.EXE

O4 - HKLM\..\RunServices: [sDKWX.EXE] C:\WINDOWS\SDKWX.EXE

O4 - HKLM\..\RunServices: [iPUS.EXE] C:\WINDOWS\IPUS.EXE

O4 - HKLM\..\RunServices: [JAVAIS32.EXE] C:\WINDOWS\SYSTEM\JAVAIS32.EXE

O4 - HKLM\..\RunServices: [D3VP32.EXE] C:\WINDOWS\SYSTEM\D3VP32.EXE

O4 - HKLM\..\RunServices: [JAVAYZ32.EXE] C:\WINDOWS\SYSTEM\JAVAYZ32.EXE

O4 - HKLM\..\RunServices: [NETXM32.EXE] C:\WINDOWS\NETXM32.EXE

O4 - HKLM\..\RunServices: [APPOZ32.EXE] C:\WINDOWS\SYSTEM\APPOZ32.EXE

O4 - HKLM\..\RunServices: [iEMN32.EXE] C:\WINDOWS\IEMN32.EXE

O4 - HKLM\..\RunServices: [APPGJ.EXE] C:\WINDOWS\APPGJ.EXE

O4 - HKLM\..\RunServices: [ADDSZ.EXE] C:\WINDOWS\ADDSZ.EXE

O4 - HKLM\..\RunServices: [CRNZ32.EXE] C:\WINDOWS\SYSTEM\CRNZ32.EXE

O4 - HKLM\..\RunServices: [iPEP.EXE] C:\WINDOWS\IPEP.EXE

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mov: C:\Program Files\Sympatico\Communicator\Program\PLUGINS\NPQTW32.DLL

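The cleanup the helper walks through above (end-task the random-named processes, check their O2/O4 lines in HijackThis, Fix, then delete the dropped files) and the pattern visible in this second log (R0/R1 pointing at res://...qbten.dll, a pile of RunServices entries with made-up names, the same executable listed several times) can be mechanised. The following is an added example written for this page, not HijackThis code and not anything the helper posted: it parses a log in HJT v1.x format and produces the lists a cleanup needs. The name-shape rule, the known-good allowlist and the sample log are assumptions constructed from the lines posted in this thread, not a vendor signature.

```python
"""Triage a HijackThis v1.x log for the 'Home Search' res:// hijack pattern (added example)."""
import re
from collections import Counter

# Constructed sample in the shape of the posted logs (a subset, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NETEW32.EXE
C:\WINDOWS\SYSTEM\CROC.EXE
C:\WINDOWS\IPUS.EXE
C:\WINDOWS\IPUS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qbten.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qbten.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {E34347DB-2F68-8CAE-6B5D-47FE6194EFA1} - C:\WINDOWS\SYSTEM\CRWA32.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CRWA32.EXE] C:\WINDOWS\SYSTEM\CRWA32.EXE
O4 - HKLM\..\RunServices: [NETEW32.EXE] C:\WINDOWS\NETEW32.EXE
O4 - HKLM\..\RunServices: [CROC.EXE] C:\WINDOWS\SYSTEM\CROC.EXE
O4 - HKLM\..\RunServices: [iPUS.EXE] C:\WINDOWS\IPUS.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Name-shape heuristic, an assumption drawn from the posted names (NETEW32.EXE, CROC.EXE,
# ATLXO32.EXE, NTWL.DLL ...): plausible prefix + two random letters + optional "32".
RANDOM_NAME = re.compile(
    r"^(?:NET|NT|CR|ATL|WIN|SDK|APP|IP|JAVA|D3|ADD|IE)[A-Z]{2}(?:32)?\.(?:EXE|DLL)$", re.IGNORECASE)
# Only files dropped straight into C:\WINDOWS or C:\WINDOWS\SYSTEM count.
DROP_DIRS = re.compile(r"^C:\\WINDOWS(?:\\SYSTEM)?\\([^\\]+)$", re.IGNORECASE)
# The shape rule also hits a few real names; allowlist them (hypothetical, extend as needed).
KNOWN_GOOD = {"WINMM.DLL", "WINOA386.MOD"}
# res://<dll>/<page>: an HTML page embedded as a resource inside a local DLL.
RES_URL = re.compile(r"res://((?:[A-Za-z]:\\[^/]*?)?([^/\\]+\.dll))", re.IGNORECASE)
BHO_PATH = re.compile(r"\{[0-9A-Fa-f-]+\}\s*-\s*(.*?)(?:\s*\(file missing\))?$")


def suspicious_path(path):
    """Bare file name if `path` is a random-named file in the Windows dirs, else None."""
    m = DROP_DIRS.match(path.strip().strip('"'))
    if not m:
        return None
    name = m.group(1).upper()
    return None if name in KNOWN_GOOD or not RANDOM_NAME.match(name) else name


def parse_log(text):
    """Split an HJT log into the running-process list and the tagged R/O entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif re.match(r"^[RFNO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def entry_target(entry):
    """Pull the file path out of an O2 (BHO) or O4 (autostart) line."""
    if entry.startswith("O2 "):
        m = BHO_PATH.search(entry)
        return m.group(1) if m else ""
    if "] " in entry:                       # O4 - HKLM\..\Run: [name] path
        return entry.split("] ", 1)[1].strip().strip('"')
    if " = " in entry:                      # O4 - Startup: name.lnk = path
        return entry.split(" = ", 1)[1].strip()
    return ""


def triage(text):
    """Return what to Fix in HJT, which processes to end, and which files to delete."""
    processes, entries = parse_log(text)
    hijack_dlls, fix_in_hjt, delete_files = set(), [], set()
    for e in entries:
        if e.startswith(("R0 ", "R1 ")):
            m = RES_URL.search(e)
            if m:                           # IE start/search page served out of a DLL
                hijack_dlls.add(m.group(2).lower())
                fix_in_hjt.append(e)
                if "\\" in m.group(1):      # full path given: the DLL itself must go
                    delete_files.add(m.group(1).upper())
        elif e.startswith(("O2 ", "O4 ")):
            if "(file missing)" in e:       # dead hook: Fix it, nothing left to delete
                fix_in_hjt.append(e)
            elif suspicious_path(entry_target(e)):
                fix_in_hjt.append(e)
                delete_files.add(entry_target(e).upper())
    counts = Counter(p.upper() for p in processes)
    end_task = [p for p in counts if suspicious_path(p) or p in delete_files]
    delete_files.update(end_task)
    return {
        "hijack_dlls": sorted(hijack_dlls),
        "fix_in_hjt": fix_in_hjt,
        "end_task": end_task,
        # the same executable listed more than once: it keeps getting relaunched
        "respawning": sorted(p for p in end_task if counts[p] > 1),
        "delete_files": sorted(delete_files),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, *items, sep="\n    ")
```

Running it prints the five lists for the constructed sample. Two caveats line up with this thread: the name-shape rule is a heuristic and will flag some real files (hence the allowlist; treat the output as a worksheet, not a verdict), and the same executable appearing three times in the process list means the dropped files relaunch each other, which is consistent with the 'End Task' step failing with "The specified file is being used by Windows". A log this far gone is a reinstall, as the original poster concluded.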

Firstly, yes, those instructions were designed for WinXP; you won't have a Documents and Settings folder. My fault.

To empty your TIF (Temporary Internet Files), go to Control Panel > Internet Options > General (tab) > Delete Files (button) > check the box to delete all offline content > OK.

 

Were you able to do an online virus scan at the links provided? You seem to be fairly infested with viruses and/or trojans.

I also see no sign of a resident virus scanner. If it's deactivated, start it back up; if you don't have one, you really need to get one. AVG is a good one and it's FREE. See more here.

Also get Trojan Hunter (30-day trial) from here.

 

Please try these steps, then give me a new log, and we will concentrate on the C:\WINDOWS\qbten.dll/sp.html#96676 problem.

Edited by jwbirdsong


Right -- the machine was completely infected, and just kept getting worse. I think there was a virus in there as well as the trojan. Reason it wasn't protected was because it was a homework computer that normally got little online use. A lesson for me!

 

So I'm wiping it and upgrading to XP, and you can bet there'll be a virus scanner. Thanks again for your help -- keep up the good work!
