
'Home Search' hijacked (HJT log)



#1 all-thumbs

    Member

  • Full Member
  • 8 posts

Posted 14 June 2004 - 11:00 PM

Hi. I've run the latest versions of Spybot and Ad-Aware and can't kill this browser hijacker. The following log is what I get after removing the R0s and R1s that direct the browser to some weird "res://" address that results in a page titled Home Search. Constant popups, too.
I read the Hijack This tutorial and checked the codes against the posted logs, but couldn't find anything for the third O2 - BHO line, the one that starts with E34. Think that's the problem, or am I on the wrong track?
Greatly appreciate any advice. Thanks!


Logfile of HijackThis v1.97.7
Scan saved at 11:19:58 PM, on 6/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\NETEW32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\NTBN32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {E34347DB-2F68-8CAE-6B5D-47FE6194EFA1} - C:\WINDOWS\SYSTEM\CRWA32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NTBN32.EXE] C:\WINDOWS\NTBN32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [NETEW32.EXE] C:\WINDOWS\NETEW32.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\Program Files\Sympatico\Communicator\Program\PLUGINS\NPQTW32.DLL

#2 jwbirdsong

    Slasher O' spyware

  • Emeritus
  • 2,045 posts

Posted 15 June 2004 - 02:18 AM

Press Ctrl+Alt+Del and 'end task' on any of the following that are present:
C:\WINDOWS\NETEW32.EXE
C:\WINDOWS\NTBN32.EXE

Put a check next to these in hijackthis:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {E34347DB-2F68-8CAE-6B5D-47FE6194EFA1} - C:\WINDOWS\SYSTEM\CRWA32.DLL

O4 - HKLM\..\Run: [NTBN32.EXE] C:\WINDOWS\NTBN32.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE <--- Optional: not needed at startup and a huge resource hog
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE <--- Optional: not needed at startup and a huge resource hog

NOW, WITH ALL OTHER WINDOWS CLOSED, press "Fix".


Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:-
C:\WINDOWS\NTBN32.EXE
C:\WINDOWS\NETEW32.EXE
Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!):
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"


If you shut off Find Fast, you have to make it stay off... more HERE

Run an online virus scan at Housecall and/or Panda Online. Please note any virus found and report back with new log.

Then Reboot and post a fresh log back to this thread.
Things you need (all FREE)
Anti-Virus (only one of these)
AVG Avast
Firewall (only one here too)
Kerio(Direct Download) Zone Alarm
Misc. (use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want (still free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

PROUD member Since 2004

#3 all-thumbs

    Member

  • Full Member
  • 8 posts

Posted 15 June 2004 - 08:05 PM

Thanks. Tried these suggestions, as much as I was able to, but no luck. Ran into a couple of obstacles:
1. Was unable to close Netew32 using Ctrl-Alt-Delete. Got this message: "The specified file is being used by Windows."
2. I can't find the Documents and Settings directory. I'm running Windows 98 Second Edition. Is the above in Windows XP?

Again, very much appreciate your help. This seems like a very nasty hijacker. Following is my latest HJT.


Logfile of HijackThis v1.97.7
Scan saved at 8:47:06 PM, on 6/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\CROC.EXE
C:\WINDOWS\NETEW32.EXE
C:\WINDOWS\ATLWL.EXE
C:\WINDOWS\WINQY32.EXE
C:\WINDOWS\SYSTEM\SDKHF32.EXE
C:\WINDOWS\ATLXO32.EXE
C:\WINDOWS\SDKWX.EXE
C:\WINDOWS\APPEB.EXE
C:\WINDOWS\SYSTEM\IPYD.EXE
C:\WINDOWS\SYSTEM\IPPH32.EXE
C:\WINDOWS\SYSTEM\JAVAIS32.EXE
C:\WINDOWS\SYSTEM\D3VP32.EXE
C:\WINDOWS\IPUS.EXE
C:\WINDOWS\SYSTEM\JAVAYZ32.EXE
C:\WINDOWS\NETXM32.EXE
C:\WINDOWS\SYSTEM\APPOZ32.EXE
C:\WINDOWS\APPGJ.EXE
C:\WINDOWS\ADDSZ.EXE
C:\WINDOWS\IEMN32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\CRWA32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\IPUS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CRNZ32.EXE
C:\WINDOWS\IPUS.EXE
C:\WINDOWS\IPEP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qbten.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qbten.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qbten.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qbten.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qbten.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qbten.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {6C948E70-AB84-E5AD-7F98-E364697B6224} - C:\WINDOWS\NTWL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CRWA32.EXE] C:\WINDOWS\SYSTEM\CRWA32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [NETEW32.EXE] C:\WINDOWS\NETEW32.EXE
O4 - HKLM\..\RunServices: [WINQY32.EXE] C:\WINDOWS\WINQY32.EXE
O4 - HKLM\..\RunServices: [IPYD.EXE] C:\WINDOWS\SYSTEM\IPYD.EXE
O4 - HKLM\..\RunServices: [ATLXO32.EXE] C:\WINDOWS\ATLXO32.EXE
O4 - HKLM\..\RunServices: [APPEB.EXE] C:\WINDOWS\APPEB.EXE
O4 - HKLM\..\RunServices: [ATLWL.EXE] C:\WINDOWS\ATLWL.EXE
O4 - HKLM\..\RunServices: [IPPH32.EXE] C:\WINDOWS\SYSTEM\IPPH32.EXE
O4 - HKLM\..\RunServices: [CROC.EXE] C:\WINDOWS\SYSTEM\CROC.EXE
O4 - HKLM\..\RunServices: [SDKHF32.EXE] C:\WINDOWS\SYSTEM\SDKHF32.EXE
O4 - HKLM\..\RunServices: [SDKWX.EXE] C:\WINDOWS\SDKWX.EXE
O4 - HKLM\..\RunServices: [IPUS.EXE] C:\WINDOWS\IPUS.EXE
O4 - HKLM\..\RunServices: [JAVAIS32.EXE] C:\WINDOWS\SYSTEM\JAVAIS32.EXE
O4 - HKLM\..\RunServices: [D3VP32.EXE] C:\WINDOWS\SYSTEM\D3VP32.EXE
O4 - HKLM\..\RunServices: [JAVAYZ32.EXE] C:\WINDOWS\SYSTEM\JAVAYZ32.EXE
O4 - HKLM\..\RunServices: [NETXM32.EXE] C:\WINDOWS\NETXM32.EXE
O4 - HKLM\..\RunServices: [APPOZ32.EXE] C:\WINDOWS\SYSTEM\APPOZ32.EXE
O4 - HKLM\..\RunServices: [IEMN32.EXE] C:\WINDOWS\IEMN32.EXE
O4 - HKLM\..\RunServices: [APPGJ.EXE] C:\WINDOWS\APPGJ.EXE
O4 - HKLM\..\RunServices: [ADDSZ.EXE] C:\WINDOWS\ADDSZ.EXE
O4 - HKLM\..\RunServices: [CRNZ32.EXE] C:\WINDOWS\SYSTEM\CRNZ32.EXE
O4 - HKLM\..\RunServices: [IPEP.EXE] C:\WINDOWS\IPEP.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\Program Files\Sympatico\Communicator\Program\PLUGINS\NPQTW32.DLL

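The two logs above are read the same way by the helper in this thread: R0/R1 values that point at a res:// URL, a "(no name)" BHO loaded from the Windows or System directory, and O4 Run/RunServices entries (or running processes) that start an unknown executable from those directories. As an added, defender-side illustration that is not code from this thread or from HijackThis, here is a small Python triage script that applies those reading rules to a log and lists the file names a reviewer would want to look at. The sample log is constructed (modelled on the posted ones, not copied verbatim), and the KNOWN_GOOD allowlist and the "unknown EXE/DLL directly in C:\WINDOWS or C:\WINDOWS\SYSTEM" heuristic are assumptions of the example, not a rule from the original posts.

```python
import re
from collections import Counter

# Constructed sample modelled on the two logs in this thread (not a verbatim
# copy of either), embedded so the script runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\NETEW32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CRWA32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qbten.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qbten.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {E34347DB-2F68-8CAE-6B5D-47FE6194EFA1} - C:\WINDOWS\SYSTEM\CRWA32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CRWA32.EXE] C:\WINDOWS\SYSTEM\CRWA32.EXE
O4 - HKLM\..\RunServices: [NETEW32.EXE] C:\WINDOWS\NETEW32.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Line shapes used by HijackThis 1.x logs (only the sections this example triages).
R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?: \(file missing\))?$")
O4_LINE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<entry>.*?)\] (?P<command>.*)$")
# An EXE/DLL sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (no deeper path).
WINDIR_PATH = re.compile(r"C:\\WINDOWS(?:\\SYSTEM)?\\(?P<base>[A-Z0-9_]+\.(?:EXE|DLL))\b", re.I)
# The DLL a res:// start/search page is served from.
RES_DLL = re.compile(r"res://([^/]+\.dll)", re.I)

# Assumption: a tiny allowlist of Windows 98 system files seen in benign logs.
# Real triage would check against a proper reference, not this hand-made set.
KNOWN_GOOD = {
    "KERNEL32.DLL", "MSGSRV32.EXE", "MPREXE.EXE", "EXPLORER.EXE", "SYSTRAY.EXE",
    "LOADQM.EXE", "WMIEXE.EXE", "RUNDLL32.EXE",
}


def in_windows_dir_unknown(path):
    """True when path is an EXE/DLL directly under C:\\WINDOWS[\\SYSTEM] not on the allowlist."""
    m = WINDIR_PATH.fullmatch(path.strip().strip('"'))
    return bool(m) and m.group("base").upper() not in KNOWN_GOOD


def triage(log_text):
    """Return (severity, category, line) tuples for log lines worth a closer look."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            # The process list ends at the first blank line.
            if not line:
                in_procs = False
            elif in_windows_dir_unknown(line):
                findings.append(("medium", "running-unknown-exe", line))
            continue
        m = R_LINE.match(line)
        if m:
            # Start/search pages served out of a local DLL resource are the hijack itself.
            if m.group("value").lower().startswith("res://"):
                findings.append(("high", "ie-hijack", line))
            continue
        m = BHO_LINE.match(line)
        if m:
            if line.endswith("(file missing)"):
                findings.append(("low", "bho-missing-file", line))
            elif in_windows_dir_unknown(m.group("path")):
                findings.append(("high", "bho-unknown-dll", line))
            continue
        m = O4_LINE.match(line)
        # Run and RunServices both autostart; RunServices runs before logon on Win9x.
        if m and in_windows_dir_unknown(m.group("command")):
            findings.append(("high", "autorun-unknown-exe", line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(category for _, category, _ in findings)


def suspect_filenames(findings):
    """Sorted base names of the files the findings point at, for the reviewer's file list."""
    names = set()
    for _, category, line in findings:
        if category == "ie-hijack":
            m = RES_DLL.search(line)
            if m:
                names.add(m.group(1).rsplit("\\", 1)[-1].upper())
        elif category in ("bho-unknown-dll", "autorun-unknown-exe", "running-unknown-exe"):
            m = WINDIR_PATH.search(line)
            if m:
                names.add(m.group("base").upper())
    return sorted(names)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for severity, category, line in found:
        print(f"[{severity:6}] {category:22} {line}")
    print("categories:", dict(summarize(found)))
    print("suspect files:", ", ".join(suspect_filenames(found)))
```

The allowlist-plus-location heuristic is deliberately narrow: it only flags files dropped straight into the Windows or System directory, which is what the second log shows dozens of, and it never deletes anything. Its output is the kind of list a human reviewer (like the reply above) would check against known-good references before telling anyone to fix or delete entries.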
#4 jwbirdsong

    Slasher O' spyware

  • Emeritus
  • 2,045 posts

Posted 16 June 2004 - 05:17 AM

Firstly, yes, those instructions were designed for WinXP; you won't have a Documents and Settings folder. My fault.
To empty your TIF, go to Control Panel > Internet Options > General (tab) > Delete Files (button) > check the box to delete all offline content > OK.

Were you able to do an online virus scan at the links provided? You seem to be fairly infested with viruses and/or trojans.
I also see no sign of a resident virus scanner. If it's deactivated, start it back up; if you don't have one, you really need to get one. AVG is a good one and it's FREE. See more here.
Also get Trojan Hunter (30-day trial) from here.

Please try these steps, then give me a new log and we will concentrate on the C:\WINDOWS\qbten.dll/sp.html#96676 problem.

Edited by jwbirdsong, 16 June 2004 - 05:29 AM.


#5 XenoX

    Member

  • Full Member
  • 4 posts

Posted 16 June 2004 - 05:27 AM

See this post and this post for relevant information.

#6 all-thumbs

    Member

  • Full Member
  • 8 posts

Posted 16 June 2004 - 09:57 PM

Right, the machine was completely infected, and it just kept getting worse. I think there was a virus in there as well as the trojan. The reason it wasn't protected was that it was a homework computer that normally got little online use. A lesson for me!

So I'm wiping it and upgrading to XP, and you can bet there'll be a virus scanner. Thanks again for your help, and keep up the good work!
