• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Atlantamanta

PLEASE HELP with search hijacker

4 posts in this topic

Ran AdAware and visited the FAQ. My HiJack This logfile is below.

Spyware opens my browser to a search page; many links on web

pages are also misdirected to the same or similar search "service".

 

Thanks!!

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 3:21:02 PM, on 6/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\addfp32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\ktchnsnk.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\apicl.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\ACT\SideACT.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Documents and Settings\"NAME"\My Documents\DOWNLOADS\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bjqgx.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bjqgx.dll/index.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bjqgx.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bjqgx.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bjqgx.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bjqgx.dll/sp.html#37049

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {284475B9-A34F-FFA4-13BD-47555649B85F} - C:\WINDOWS\mfcor32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [HP OfficeJet Series 600] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 600\Install"

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [apicl.exe] C:\WINDOWS\apicl.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: SideStep (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210:8111/AxisCamControl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

=== Remove CWS sp.html/#nnnnn exploit ===

This is actually a new variant of CWS which is not resolved by current methods.

 

Please take the following steps:

 

First, please enable viewing of hidden/system files per the instructions here: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

IMPORTANT Be sure all browser and explorer windows are closed.

 

Using the Task Manager end the task on the following processes:

C:\WINDOWS\system32\addfp32.exe

C:\WINDOWS\apicl.exe

 

Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.

Scroll down and find the service called "Network Security Service".

When you find it, double-click on it.

In the next window that opens, click the Stop button, then change the Startup Type to Disabled.

Now hit Apply and then OK and close any open windows.

 

 

Run HijackThis and place a check mark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bjqgx.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bjqgx.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bjqgx.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bjqgx.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bjqgx.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bjqgx.dll/sp.html#37049

 

O2 - BHO: (no name) - {284475B9-A34F-FFA4-13BD-47555649B85F} - C:\WINDOWS\mfcor32.dll

 

O4 - HKLM\..\Run: [apicl.exe] C:\WINDOWS\apicl.exe

O4 - Startup: PowerReg SchedulerV2.exe

 

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210:8111/AxisCamControl.cab

 

Press 'Fix Checked'.

 

Exit HiJackThis.

 

Reboot into Safe Mode* and delete the following files:

C:\WINDOWS\system32\addfp32.exe

C:\WINDOWS\apicl.exe

C:\WINDOWS\system32\bjqgx.dll

C:\WINDOWS\mfcor32.dll

 

 

While still in Safe Mode* finish the cleanup process, please run through the rest of these steps:

 

Go to Start -->Run and type Regedit then click Ok.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

and highlight Services in the left pane. In the right pane, look for any of these entries:

 

__NS_Service

__NS_Service_2

__NS_Service_3

 

If any are listed, right-click that entry in the right pane and choose Delete.

 

Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

and highlight Root in the Left Pane. In the right pane, look for these entries:

 

LEGACY___NS_Service

LEGACY___NS_Service_2

LEGACY___NS_Service_3

 

If you find it, right-click it in the right-pane and choose delete.

 

Exit regedit, boot in Normal Mode.

 

 

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

 

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

 

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip

Press 'Restore Original Hosts' and press 'OK'

Exit Program.

 

If you have Spybot S&D installed you may also need to replace one file.

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

 

 

Download the latest version of Adaware (get the free edition)

http://www.lavasoft.de/software/adaware/

(choose download from the lefthand menu)

 

Go to: Select Full Install and choose the download location of your choice (1.7mb)

Choose Download from http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

 

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

 

After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # :01R321 19.06.2004 or higher listed.

 

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives

Scan my IE Favorites for banned URLS

Scan my hosts file

 

Then click *proceed* to save settings.

 

Click on *Tweak* next. And checkmark to make this green also:

Automatically try to unregister objects prior to deletion

 

Click on *proceed*

 

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

 

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

 

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

 

Run HiJackThis and post a new log in this thread.

 

 

 

* How to Boot into Safe Mode:

http://service1.symantec.com/SUPPORT/tsgen...001052409420406

=== End CWS sp.html/#nnnnn fix ===

Share this post


Link to post
Share on other sites

Ran HiJack This and followed the steps.

 

Could not boot into Safe Mode- password rejected. Not sure why,

and can't remember if I've used SM on this PC before. It is a

non-networked corporate PC, so could there be a password set

by an admin?

 

Thanks for the help.

 

 

EDIT:

Could not find and disable addfp32.exe using the Task Manager...

Edited by Atlantamanta

Share this post


Link to post
Share on other sites

Quite pssibly there is a password and unfortunately, we need to be in safe mode to completely remove the infection.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0