• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
hjvic

jksearch.biz -- Hijack

12 posts in this topic

My Internet Explorer homepage has been hijacked!

 

What can I do?

 

Here's my HiJack This Log:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 1:58:38 PM, on 5/19/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\NavNT\vptray.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Sony Handheld\HOTSYNC.EXE

C:\Program Files\Common Files\Skyscape\smARTupdate.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\User\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nytimes.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

 

5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: HyperFolio IE Site Restrictor Class - {22C1B5B2-ACB4-11D3-A719-0060089C5699} - C:\Program

 

Files\CUA\HFIER10.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program

 

Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE

O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma

 

Loader.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -

 

http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) -

 

http://www.lotrdvd.com/dvdkey/extended_dvd/TTT/lotrttt.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -

 

http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

 

http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) -

 

http://www.lotrdvd.com/dvdkey/extended_dvd...ds/iaieplay.dll

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -

 

http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -

 

http://www.napster.com/client/isetup.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) -

 

http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -

 

http://install.wildtangent.com/bgn/partner...ler/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

 

http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

 

http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) -

 

http://microsoft.com/security/controls/DoomChk.CAB

Share this post


Link to post
Share on other sites

You are running hijackthis from your desktop, this is not a good idea because when we do a fix hijackthis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. When you have done that, delete the copy of hijackthis that you have on your desktop.

 

When you have done that, please copy the contents of the quote box to notepad:

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"System"=-

[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]

[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]

[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

 

hit save as

give it the name clear.reg

under the filename set file types to all files.

save it to the desktop.

 

After done double click the clear.reg

when asked to merge say yes

 

reboot

 

then find this file:

system32.dll

its probably in one of two locations:

c:\windows\system32\system32.dll

c:\windows\system\system32.dll

and delete it.

 

If you don't want the MyWay bar then go to add/remove programs and see if you can unistall it..... if you do want it then omit it from the following fix

 

Run hijackthis and make sure all browsers and windows are closed except for hijackthis, put a check against the following and click 'fix checked'

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php

 

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

 

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program

Files\MyWay\myBar\1.bin\MYBAR.DLL

 

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -

http://install.wildtangent.com/bgn/partner...ler/install.cab

 

You can also fix this if you wish, it isn't bad as such but is a resource hog and is not needed in start up.

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

Reboot and go straight to windows update to download SP1 and any other critical updates that you are missing.

 

Then post a fresh hijack log.

Edited by nellie2

Share this post


Link to post
Share on other sites

Worked like a charm! Many Thanks!!!

 

Here's the new Hijackthis Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 6:16:47 PM, on 5/19/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\NavNT\vptray.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Sony Handheld\HOTSYNC.EXE

C:\Program Files\Common Files\Skyscape\smARTupdate.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: HyperFolio IE Site Restrictor Class - {22C1B5B2-ACB4-11D3-A719-0060089C5699} - C:\Program Files\CUA\HFIER10.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll

O2 - BHO: (no name) - {E117AC28-2FFE-49E7-AE24-DF4588F43904} - C:\WINDOWS\System32\fojggm.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE

O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/TTT/lotrttt.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd...ds/iaieplay.dll

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com/security/controls/DoomChk.CAB

Share this post


Link to post
Share on other sites

Oh dear....... another problem seems to have surfaced. You really must get those updates!!

 

This one takes a bit of fixing, the problem is caused by a file that hides, we are going to make it visible and then delete it. Please follow these instructions carefully.

 

Download

 

CopyLock.zip and Winfile.zip from this page:

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

------------------

 

Go here and download RegAlyzer:

http://www.safer-networking.org/index.php?...galyzer〈=tr

------------

 

Download Ad-aware.Install and update it.

Do not run it yet. Here are the full instructions for running Ad-Aware. This

is for when the time comes to run it.

Download the latest version of Ad-Aware at

 

http://www.lavasoftusa.com/support/download/

 

After installing AAW, and before running the program, you NEED to FIRST

update the reference file following these instructions.

 

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys.

Right-click in that pane and choose "select all"

Now press "Next" again.

It will ask you whether you'd like to remove all checked items. Click OK.

Remember. Do not run Ad-Aware yet.

 

--------------------------

 

Run RegAlyzer. Navigate to this key by copying and pasting its path

as seen below in bold into the address bar and pressing enter.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Look at the left pane and you will see a Folder (Key) named Windows. Rename it as NotWindows.

 

Click "AppInit_DLLs" in the right pane and clear the data value:

(path and filename) Be sure to write down the information before you clear it. You'll need that.

Click Apply and ok

Rename the NotWindows folder back to Windows again.

Close RegAlyzer.

 

------------------------

 

Next, reset the permissions for the Windows key.

 

To do that open Regedit. Go to start>Run and type regedit, Press enter. Navigate to:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

In Regedit Right click on the Windows key in the left pane and choose permissions.

Click the advanced button near the bottom of this page. Now you are on a

different page.

In Xp Pro and 2k

Uncheck the box labeled

Inherit from parent the entries that apply to child objects..... etc.

You will get a message with choice Choose copy by clicking on the copy

button.

Apply and OK.

Close the registry.

 

---------------

 

In XP Home the file permissions are a little different.

******Reset, but here you will check the Inherit from Parent box. The rest is the same.

Restart the Computer.

 

---------------------------

 

After you get back into Windows, go to C:\

Create a new folder and name it Junk

You now have a folder C:\Junk

 

Unzip Winfile which you downloaded earlier. Run Winfile.

Expand and Navigate to the System32 Folder.

Double clicking to expand.

Once you are in System32 on the menu go to File>Select Files

Copy and paste to the box:

comn.dll (adjust to the file name in question) click select

Find and highlight that file.

Next in top menu>Security>permissions,

tell us what is listed there for that file.

Also check the owner tab

------------

Finally:

On the Menu go to File>move

In From: Copy/paste:

C:\WINDOWS\System32\comn.dll (the file name and path is an example,

substitute yours here)

To: Copy and paste:

C:\junk\comn.dll (substitute your filename here)

Click OK

Post back with the requested information and how you did.

Be sure to check C:\junk to see that the dll is there.

Share this post


Link to post
Share on other sites

I found the file with regalyzer, and followed your instructions.

However, when I opened winfile and found that dll file under securities it was all gray and I wasn't able to get any of the tag info.

 

I did move the dll file into the junk folder.

 

 

Here's my most recent Hijackthis Log:

Do I need to do this over again? If this didn't work it's possible that it's because I ran AAW before I read your post, so maybe that changed some things, but then again maybe I did something wrong.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 8:20:49 PM, on 5/19/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\NavNT\vptray.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Sony Handheld\HOTSYNC.EXE

C:\Program Files\Common Files\Skyscape\smARTupdate.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: HyperFolio IE Site Restrictor Class - {22C1B5B2-ACB4-11D3-A719-0060089C5699} - C:\Program Files\CUA\HFIER10.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE

O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/TTT/lotrttt.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd...ds/iaieplay.dll

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com/security/controls/DoomChk.CAB

Share this post


Link to post
Share on other sites

ok

 

For NTFS you have to consider the File's ownership.

If you use FAT32 this doesn't apply. The file is however set to read only. Right click on it and choose properites, Uncheck the Read only box. Delete the file.

NOTE: If using XP Home you have to boot to Safe mode or the security tab will not show.

Use the security tab on the file(which is now showing) and

take ownership.

Change the 'everyone special' to

'you> with Admin rights-> FULL control

Then try to delete it, if that fails try to rename

it first to different name+ext.

You can do it all in Winfile.

Ex:

hlpkljh.dll >nasty.txt

nasty.txt > badfile.111

Few times... Etc.

Or you can try deleting the entire junk folder.

Once the file has been removed,

run Ad-Aware to remove the hijack.

Restart the computer.

Run hijackthis again and post your new log.

Share this post


Link to post
Share on other sites

Here's the New Log:

What else should I do?

 

Thanks

 

Logfile of HijackThis v1.97.7

Scan saved at 5:13:20 PM, on 5/20/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\NavNT\vptray.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Sony Handheld\HOTSYNC.EXE

C:\Program Files\Common Files\Skyscape\smARTupdate.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fojggm.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: HyperFolio IE Site Restrictor Class - {22C1B5B2-ACB4-11D3-A719-0060089C5699} - C:\Program Files\CUA\HFIER10.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE

O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O15 - Trusted Zone: http://www.amazon.com

O15 - Trusted Zone: http://www.nytimes.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/TTT/lotrttt.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd...ds/iaieplay.dll

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {F76DF680-EC17-4272-B1C7-CDB2641FA20B} (KB836528 Object) - http://microsoft.com/security/controls/DoomChk.CAB

Share this post


Link to post
Share on other sites

can you download CWShredder from here. Extract it to its own folder and run it making sure you hit fix rather than scan only!

Share this post


Link to post
Share on other sites

I ran CWShredder and it found 6 IE registries which it fixed.

Should services.exe be there or is that a trojan?

Share this post


Link to post
Share on other sites

You seem to have a Download Trojan on your system that has added some nasty things to your registry.

 

Try an online scan from http://housecall.trendmicro.com

 

Or the one on Panda Software's site...These tend to find AND remove many of these damn trojans.

 

The other tool that works great is one called Swatit This one is available at:

https://onesecond-128.bit-encryption.net/swatitdownload.html if that link does not work the main website is http://www.swatit.org

 

Make sure you update it then run it. It finds hacking tools and trojans that other scans don't...

Share this post


Link to post
Share on other sites

Unfortunately we seem to be in different time zones and you are just getting started as I am thinking about turning in for the night! :( Never mind, thanks for sticking with me.

 

I was coming to the services.exe

 

Could you do the online scan as suggested by ezesmith and then post a fresh hijack log.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0