Jump to content


Photo

jksearch.biz -- Hijack


  • This topic is locked This topic is locked
11 replies to this topic

#1 hjvic

hjvic

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 19 May 2004 - 01:05 PM

My Internet Explorer homepage has been hijacked!

What can I do?

Here's my HiJack This Log:


Logfile of HijackThis v1.97.7
Scan saved at 1:58:38 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nytimes.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: HyperFolio IE Site Restrictor Class - {22C1B5B2-ACB4-11D3-A719-0060089C5699} - C:\Program

Files\CUA\HFIER10.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program

Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma

Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -

http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) -

http://www.lotrdvd.c...TTT/lotrttt.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -

http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

http://download.macr...ector/swdir.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) -

http://www.lotrdvd.c...ds/iaieplay.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -

http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -

http://www.napster.c...ient/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) -

http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -

http://install.wildt...ler/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) -

http://microsoft.com...ols/DoomChk.CAB

#2 hjvic

hjvic

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 19 May 2004 - 01:11 PM

I should also add that I tried Ad-Aware, Spybot, & cwshredder, bu no dice.

#3 nellie2

nellie2

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 651 posts

Posted 19 May 2004 - 02:17 PM

You are running hijackthis from your desktop, this is not a good idea because when we do a fix hijackthis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. When you have done that, delete the copy of hijackthis that you have on your desktop.

When you have done that, please copy the contents of the quote box to notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]


hit save as
give it the name clear.reg
under the filename set file types to all files.
save it to the desktop.

After done double click the clear.reg
when asked to merge say yes

reboot

then find this file:
system32.dll
its probably in one of two locations:
c:\windows\system32\system32.dll
c:\windows\system\system32.dll
and delete it.

If you don't want the MyWay bar then go to add/remove programs and see if you can unistall it..... if you do want it then omit it from the following fix

Run hijackthis and make sure all browsers and windows are closed except for hijackthis, put a check against the following and click 'fix checked'

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
Files\MyWay\myBar\1.bin\MYBAR.DLL

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
http://install.wildt...ler/install.cab

You can also fix this if you wish, it isn't bad as such but is a resource hog and is not needed in start up.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Reboot and go straight to windows update to download SP1 and any other critical updates that you are missing.

Then post a fresh hijack log.

Edited by nellie2, 19 May 2004 - 02:18 PM.


#4 hjvic

hjvic

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 19 May 2004 - 05:20 PM

Worked like a charm! Many Thanks!!!

Here's the new Hijackthis Log:

Logfile of HijackThis v1.97.7
Scan saved at 6:16:47 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: HyperFolio IE Site Restrictor Class - {22C1B5B2-ACB4-11D3-A719-0060089C5699} - C:\Program Files\CUA\HFIER10.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {E117AC28-2FFE-49E7-AE24-DF4588F43904} - C:\WINDOWS\System32\fojggm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.c...TTT/lotrttt.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.c...ds/iaieplay.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com...ols/DoomChk.CAB

#5 nellie2

nellie2

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 651 posts

Posted 19 May 2004 - 05:51 PM

Oh dear....... another problem seems to have surfaced. You really must get those updates!!

This one takes a bit of fixing, the problem is caused by a file that hides, we are going to make it visible and then delete it. Please follow these instructions carefully.

Download

CopyLock.zip and Winfile.zip from this page:
http://www10.brinkst...last/pvtool.htm
------------------

Go here and download RegAlyzer:
http://www.safer-net...galyzer&lang=tr
------------

Download Ad-aware.Install and update it.
Do not run it yet. Here are the full instructions for running Ad-Aware. This
is for when the time comes to run it.
Download the latest version of Ad-Aware at

http://www.lavasoftu...pport/download/

After installing AAW, and before running the program, you NEED to FIRST
update the reference file following these instructions.

Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Remember. Do not run Ad-Aware yet.

--------------------------

Run RegAlyzer. Navigate to this key by copying and pasting its path
as seen below in bold into the address bar and pressing enter.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look at the left pane and you will see a Folder (Key) named Windows. Rename it as NotWindows.

Click "AppInit_DLLs" in the right pane and clear the data value:
(path and filename) Be sure to write down the information before you clear it. You'll need that.
Click Apply and ok
Rename the NotWindows folder back to Windows again.
Close RegAlyzer.

------------------------

Next, reset the permissions for the Windows key.

To do that open Regedit. Go to start>Run and type regedit, Press enter. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

In Regedit Right click on the Windows key in the left pane and choose permissions.
Click the advanced button near the bottom of this page. Now you are on a
different page.
In Xp Pro and 2k
Uncheck the box labeled
Inherit from parent the entries that apply to child objects..... etc.
You will get a message with choice Choose copy by clicking on the copy
button.
Apply and OK.
Close the registry.

---------------

In XP Home the file permissions are a little different.
******Reset, but here you will check the Inherit from Parent box. The rest is the same.
Restart the Computer.

---------------------------

After you get back into Windows, go to C:\
Create a new folder and name it Junk
You now have a folder C:\Junk

Unzip Winfile which you downloaded earlier. Run Winfile.
Expand and Navigate to the System32 Folder.
Double clicking to expand.
Once you are in System32 on the menu go to File>Select Files
Copy and paste to the box:
comn.dll (adjust to the file name in question) click select
Find and highlight that file.
Next in top menu>Security>permissions,
tell us what is listed there for that file.
Also check the owner tab
------------
Finally:
On the Menu go to File>move
In From: Copy/paste:
C:\WINDOWS\System32\comn.dll (the file name and path is an example,
substitute yours here)
To: Copy and paste:
C:\junk\comn.dll (substitute your filename here)
Click OK
Post back with the requested information and how you did.
Be sure to check C:\junk to see that the dll is there.

#6 hjvic

hjvic

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 19 May 2004 - 07:26 PM

I found the file with regalyzer, and followed your instructions.
However, when I opened winfile and found that dll file under securities it was all gray and I wasn't able to get any of the tag info.

I did move the dll file into the junk folder.


Here's my most recent Hijackthis Log:
Do I need to do this over again? If this didn't work it's possible that it's because I ran AAW before I read your post, so maybe that changed some things, but then again maybe I did something wrong.


Logfile of HijackThis v1.97.7
Scan saved at 8:20:49 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: HyperFolio IE Site Restrictor Class - {22C1B5B2-ACB4-11D3-A719-0060089C5699} - C:\Program Files\CUA\HFIER10.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.c...TTT/lotrttt.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.c...ds/iaieplay.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com...ols/DoomChk.CAB

#7 nellie2

nellie2

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 651 posts

Posted 20 May 2004 - 02:34 PM

ok

For NTFS you have to consider the File's ownership.
If you use FAT32 this doesn't apply. The file is however set to read only. Right click on it and choose properites, Uncheck the Read only box. Delete the file.
NOTE: If using XP Home you have to boot to Safe mode or the security tab will not show.
Use the security tab on the file(which is now showing) and
take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
You can do it all in Winfile.
Ex:
hlpkljh.dll >nasty.txt
nasty.txt > badfile.111
Few times... Etc.
Or you can try deleting the entire junk folder.
Once the file has been removed,
run Ad-Aware to remove the hijack.
Restart the computer.
Run hijackthis again and post your new log.

#8 hjvic

hjvic

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 20 May 2004 - 04:14 PM

Here's the New Log:
What else should I do?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 5:13:20 PM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: HyperFolio IE Site Restrictor Class - {22C1B5B2-ACB4-11D3-A719-0060089C5699} - C:\Program Files\CUA\HFIER10.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://www.amazon.com
O15 - Trusted Zone: http://www.nytimes.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.c...TTT/lotrttt.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.c...ds/iaieplay.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com...ols/DoomChk.CAB

#9 nellie2

nellie2

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 651 posts

Posted 20 May 2004 - 05:05 PM

can you download CWShredder from here. Extract it to its own folder and run it making sure you hit fix rather than scan only!

#10 hjvic

hjvic

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 20 May 2004 - 05:15 PM

I ran CWShredder and it found 6 IE registries which it fixed.
Should services.exe be there or is that a trojan?

#11 ezesmith

ezesmith

    Member

  • New Member
  • Pip
  • 1 posts

Posted 20 May 2004 - 05:23 PM

You seem to have a Download Trojan on your system that has added some nasty things to your registry.

Try an online scan from http://housecall.trendmicro.com

Or the one on Panda Software's site...These tend to find AND remove many of these damn trojans.

The other tool that works great is one called Swatit This one is available at:
https://onesecond-12...itdownload.html if that link does not work the main website is http://www.swatit.org

Make sure you update it then run it. It finds hacking tools and trojans that other scans don't...

#12 nellie2

nellie2

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 651 posts

Posted 21 May 2004 - 03:37 PM

Unfortunately we seem to be in different time zones and you are just getting started as I am thinking about turning in for the night! :( Never mind, thanks for sticking with me.

I was coming to the services.exe

Could you do the online scan as suggested by ezesmith and then post a fresh hijack log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button