Jump to content


Photo

difficult hijacked browser - can't remove


  • Please log in to reply
4 replies to this topic

#1 VLAGrp

VLAGrp

    Member

  • New Member
  • Pip
  • 2 posts

Posted 21 June 2004 - 12:25 PM

Hi:

I read through the FAQ
I have been using (and contributed to Spybot S & D) for over a year, and all updates are current.
Also just tried HijackThis and although it identified the problem (and removed it), it seems to reappear.
Essetially, whenever I launch an IE browser window (IE V6.0 for a PC), my home page redirects to a search portal.

Help!

Thank you in advance!

#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 21 June 2004 - 01:28 PM

We need a closer look at what's happening.
Please post your Hijack this log into a reply here.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 VLAGrp

VLAGrp

    Member

  • New Member
  • Pip
  • 2 posts

Posted 21 June 2004 - 01:40 PM

Hi Dave:

Here is my log file. Per someone's initial instructions, I have not modified in any way.

Thanks!

___________________________________

Logfile of HijackThis v1.97.7
Scan saved at 2:38:59 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Venturi182\venturi.exe
C:\Program Files\Venturi182\jre\bin\jrew.exe
C:\PROGRA~1\NORTON~3\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karl_enhanced\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jackmorton.com/secure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Karl_enhanced\Application Data\urod.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Venturi.lnk = C:\Program Files\Venturi182\venturi.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - DefaultPrefix: http://%62%69%67%62%72%2E%63%63?error=
O13 - WWW Prefix: http://%62%69%67%62%72%2E%63%63?error=
O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?error=
O13 - Mosaic Prefix: http://%62%69%67%62%72%2E%63%63?error=
O16 - DPF: HPVC component - http://vrm04.win2000...onent401131.cab
O16 - DPF: HPVC resources - http://vrm04.win2000...ources40147.cab
O16 - DPF: HPVC signed - http://vrm04.win2000...signed40139.cab
O16 - DPF: HPVC support - http://vrm04.win2000...support4016.cab
O16 - DPF: HPVC vminfo - http://vrm04.win2000...ents/vminfo.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://ilink.jackmo....com/iNotes.cab
O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqpc.com/.../printQuick.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.c...Q/bin/WebIQ.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7585.3375810185
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 baloghg

baloghg

    Member

  • New Member
  • Pip
  • 2 posts

Posted 22 June 2004 - 07:53 PM

Hi,
I hope, it may help for the general solution:
I had the same problem with http://bigbr.cc and a redirection... (I tried the ad-aware. spybot and CWShredder with no success.
Finally I found some new files in system32 and removed them:
cidft.dll 766
cidpoq32.dll 766
gupd.dll 766
icnfe.dll 766
icqrt.dll 766
icvbr.dll 766
msbar.exe 187 357
mtjpgb.dll 34
mtjpgh.dll 17 637
mtwirl.dll 15 360
nthst32.dll 2
sdfup.dll 766
wecxg32.dll 766
xcwer32.dll 766
zxmsn.dll 766
And the Notepad.exe was changed, I replaced with the correct one using http://www.spywarein...n/winfiles.html
and the problem did not reappear.

#5 baloghg

baloghg

    Member

  • New Member
  • Pip
  • 2 posts

Posted 23 June 2004 - 03:18 AM

Sorry,
these were only the secondary dll-s.
I found the primary based on topic:
Browser Hijacked by CWS - 'OLDHomeSP', Advice needed on 'OLDHomeSP' Removal
and removed using Archon Wing`s (thanks!!) instructions (Jun 20 2004, 09:45 PM )
Logefg.dll
Security
File permission:
Everyone Special access R W X D P O not checked
In the case of reappearence, I open a new topic...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button