Having trouble getting rid of searchx.cc hijack on our son's computer.
I have tried virtually every spyware remover I can find, but just can't get IE browser back. I have HiJack This, but cannot tell on many of the entries what to do.
Is there someone who would be kind enough to look at the output log and give me some advice? I would sure appreciate it.

Art Pierce
If you tried Ad-aware, Spybot S&D, and CWShredder without success...go ahead and post your log.
I will help you with it.
________________________________________
I never give up!

Thanks very much...
Logfile of HijackThis v1.97.7
Scan saved at 9:16:47 AM, on 4/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\wfxsnt40.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Palm\HOTSYNC.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\SpamPal\spampal.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.exe
C:\Program Files\FileZilla\filezilla.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
\Diamond\Installers\SpyWare Removers\HijackThis.exe
C:\WINNT\system32\NOTEPAD.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\NoteTab Light\NoteTab.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {8978448D-DF0D-4D7B-A046-E03E5EBAF600} - C:\WINNT\System32\dfd.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Internet Explorer Updater] C:\WINNT\system32\lexbac.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - HKCU\..\Run: [SiteMonitor] "C:\Program Files\Izlenim\Site Monitor\httpstats.exe"
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: SymmTime.lnk = C:\Program Files\Symmetricom\SymmTime\SymmTime.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.xoops.org
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = the-solara-group.net
O17 - HKLM\Software\..\Telephony: DomainName = the-solara-group.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = the-solara-group.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = the-solara-group.net

Art Pierce
Please start hijackthis again and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {8978448D-DF0D-4D7B-A046-E03E5EBAF600} - C:\WINNT\System32\dfd.dll
O4 - HKLM\..\Run: [Internet Explorer Updater] C:\WINNT\system32\lexbac.exe
Once all are checked, close all open windows except HijackThis and click Fix checked.
Reboot the computer and delete the following:
c:\winnt\system32\lexbac.exe <-file (this is a trojan that downloads malware on your computer)
Next clear out temporary internet files including offline content and history.
Clear out c:\winnt\temp <...yes all can go
Have you placed http://*xoops.org in your trusted zone?...I don't think it's a problem...just making sure you put that there and not something else...
I also recommend updating windows with all listed critical updates including sp1.
It will take several visits to get them all. If you have a slow connection that presents a problem...some of the updates are quite large...M$ has offered a free update CD you can order.
Details here:
http://www.microsoft.com/security/protect/cd/order.asp
I also notice the computer has no antivirus. Just to rule out that possibility, run a scan here:
http://www.ravantivirus.com/scan/
If it reports any findings...paste results here along with new hijack log.
There are a few good free antivirus programs available...
AVG free:
http://www.grisoft.com/us/us_dwnl_free.php
Avast4 personal:
http://www.avast.com/i_kat_207.php?lang=ENG
AntiVir personal:
http://www.free-av.com/
With AVG or Avast you will need to enter a proper email address so they can mail you the install key.
I will check back in a bit...
_______________________________________
I never give up!
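The entries the helper picks out above share a mechanical pattern: R0/R1 values redirected into a res:// resource inside a DLL in System32, an O2 BHO that loads that same DLL, and orphaned "(no file)" hooks. The Python script below, an added example that is not part of this thread and not HijackThis code, applies that triage to a handful of lines copied from the logs posted here (the sample is constructed from them, not a complete log). The severity labels, the regexes, and the "review" heuristics for unnamed BHOs and autostarts launching from the system directory are my own assumptions, not HijackThis rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis logs posted in this
# thread (not a complete log), with benign entries kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\dfd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {8978448D-DF0D-4D7B-A046-E03E5EBAF600} - C:\WINNT\System32\dfd.dll
O4 - HKLM\..\Run: [Internet Explorer Updater] C:\WINNT\system32\lexbac.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
"""

# Line shapes as they appear in HijackThis 1.97 output (assumed from the posted logs).
RES_DLL = re.compile(r"res://(?P<path>[^/]+\.dll)/", re.IGNORECASE)
R_ENTRY = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
O2_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_ENTRY = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = matches the hijack pattern, "review" = look at by hand
    reason: str
    line: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _in_system_dir(path: str) -> bool:
    # Covers C:\WINNT\System32, C:\WINDOWS\system32 and %SystemRoot%\system32.
    return "\\system32\\" in _norm(path)


def hijack_dlls(log_text: str) -> set[str]:
    """DLLs in the system directory that IE's search/start pages were redirected into."""
    found: set[str] = set()
    for line in log_text.splitlines():
        m = R_ENTRY.match(line.strip())
        if not m:
            continue
        res = RES_DLL.search(m["value"])
        if res and _in_system_dir(res["path"]):
            found.add(_norm(res["path"]))
    return found


def triage(log_text: str) -> list[Finding]:
    """Flag the entries a helper would tick in HijackThis, plus items worth a manual look."""
    dlls = hijack_dlls(log_text)
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        r = R_ENTRY.match(line)
        if r:
            res = RES_DLL.search(r["value"])
            if res and _norm(res["path"]) in dlls:
                findings.append(Finding("high", "IE search/start page served from a DLL resource in the system directory", line))
            elif "(obfuscated)" in r["value"]:
                findings.append(Finding("high", "HijackThis marks this value as obfuscated", line))
            continue
        if line.endswith("(no file)"):
            findings.append(Finding("review", "entry points at a file that no longer exists (leftover of a removed component)", line))
            continue
        o2 = O2_ENTRY.match(line)
        if o2:
            if _norm(o2["path"]) in dlls:
                findings.append(Finding("high", "BHO loads the same DLL that serves the hijacked search page", line))
            elif o2["name"] == "(no name)" and _in_system_dir(o2["path"]):
                findings.append(Finding("review", "unnamed BHO loading from the system directory", line))
            continue
        o4 = O4_ENTRY.match(line)
        if o4 and _in_system_dir(o4["cmd"]):
            findings.append(Finding("review", "autostart launches an executable from the system directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Running it on the sample marks the two redirected search entries and the dfd.dll BHO as high, and lists the two "(no file)" hooks and the lexbac.exe autostart for review; the Acrobat BHO and the MusicMatch tray entry are left alone. The set returned by hijack_dlls is the list of files to rename or delete from Safe Mode after the registry entries are fixed, which is the order the helper gives above.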

Thanks very much for the information.
Removed what was requested, and checked for viruses. Nothing reported. We have a small network, and the virus stoppers are quite good.
However, IE is still loading with searchx.cc screen.
As requested, here is a current Hijackthis.log after doing the steps you suggested:
Logfile of HijackThis v1.97.7
Scan saved at 7:16:25 PM, on 4/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\wfxsnt40.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Palm\HOTSYNC.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\SpamPal\spampal.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\System32\MsiExec.exe
\Diamond\Installers\SpyWare Removers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D5FF13F6-9350-48AE-8397-1CD16002FFE5} - C:\WINNT\System32\mcca.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - HKCU\..\Run: [SiteMonitor] "C:\Program Files\Izlenim\Site Monitor\httpstats.exe"
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: SymmTime.lnk = C:\Program Files\Symmetricom\SymmTime\SymmTime.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.xoops.org
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = the-solara-group.net
O17 - HKLM\Software\..\Telephony: DomainName = the-solara-group.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = the-solara-group.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = the-solara-group.net

Hi,
I have had the same problem on my pc. The obfuscated dll's are the initial problem. Even if you change the start page through IE or the registry, the dll seems to reload the registry & therefore also IE. However, when you delete the dll, either in safe mode or command prompt, the problem seems to go away.....and then return 'some time' later. If you ran Hijack This again (as you have done) you will see the registry entries for IE pointing to a differently named dll - therefore, some other program is re-creating the dll with a random name. I have two suspect programs which I have now deleted. One was picked up by McAfee with the latest DAT files - c:\winnt\system32\sys.exe - couldn't clean it so I just deleted it. The other - c:\winnt\system32\fiks.exe - I initially spotted when doing a search for the latest .exe files on my system. The only info I could shed on this last one came from Trend Micro via a Google search - which suggested that this was one of the files included in the 'Trojan Bancos-L' - a password logging trojan mainly aimed at Spanish banking websites. I have not figured out how or exactly when the program is reloading the random-named dll - there is nothing suspicious in any of the startup folders or RUN keys in the registry, unless it has attached itself to a genuine file. It may be pure coincidence, but it seems that after removing the dll & sorting out IE, the problem returns after starting Outlook Express.
I have yet to see if this has fully resolved the problem, but some of this information may be useful to you/anyone else, in finding an answer.
Good luck.

Hello,
Is this searchx.cc problem virtually impossible to remove? I've tried every suggestion I've come across:
- running hijackthis to delete the .dlls and stuff.
- running ad-aware 6
- running spybot s&d
- installing norton anti-virus
- running cws 1.56.1
- and even manual removal
Nothing seems to work. It just keeps coming back. I'm on the verge of doing a full system reboot because I'm running out of options here!

Well....almost 24 hours later & the browser homepage has not yet been hijacked. However. I'm still not fully confident, as I feel that some part of the equation is still missing. If you do a search on Google for 'sys.exe homepage', it does seem that a large number of homepage hijacking programs involve this file (amongst others). I could not find any of the other files mentioned on my system, but I would suggest doing a search on your system for 'sys.exe' (NOT sys.com). My AV certainly listed this as a Trojan & I have deleted it (this is on a Win2K SP4 system).
However, first you will need to fix the registry entries relating to the obfuscated dll through Hijack This, eg:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
Then, either in safe mode or at the command prompt, find the relevant .dll in c:\winnt\system32 (XP c:\windows\system32), and start by renaming the .dll extension to something else. Later, you can safely delete it. Then, I would run a full AV scan. If the scan doesn't show any Trojans I would search for sys.exe and try renaming it to sys.old. Reboot & see how it goes.Some of the following links mention other files, which you may also want to search for.
http://www.pestpatrol.com/PestInfo/d/divx_updater.asp
http://www.mcse.ms/archive118-2004-3-502526.html
http://support.microsoft.com/?id=320159
None of the above may be a final fix, but it's worth a go. What is bothering me is that I have not found any entries in the RUN keys of the registry, which is generally where programs are started upon boot.
We'll see.
Cheers.

Ok...Unknown to me...that is one of the newest CoolWebSearch trojan variants.
You will need the newest CWShredder which can be downloaded here:
http://209.133.47.200/~merijn/files/CWShredder.exe
Disconnect from internet.
Boot the computer to safe mode (tap f8 on boot)
Run the tool...couple times.
Reboot
Then while still offline:
Start hijackthis again and check the following entries if still present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mcca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D5FF13F6-9350-48AE-8397-1CD16002FFE5} - C:\WINNT\System32\mcca.dll
Once all are checked click fix checked
***NOTE*** The following fix only works for XP!
First check here in the registry:
HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/html
HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/plain
If those entries are present...proceed to next step. Don't delete them...we can apply a patch to remove it safely.
Copy the following bold text to notepad:
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
Save the file as remove.reg in file name box.
In "save as type" box use pulldown arrow and check "all files".
Save the file.
Double click to run...yes at the prompt.
Now reboot and delete the following file if present:
c:\filter.log <-this file
Reset web settings...and you should be good to go.
Before you get attacked again....visit windows update and install all updates including sp1.
Adrian, Warren:
If you are running windows xp...the above should work...
If running a different version of windows...DON'T use the reg fix above.
Let me know if that did it.
___________________________________
I never give up!

Seemed to have found an effective removal method, courtesy of http://www.spywareinfo.com/~merijn/cwschronicles.html#searchx.
Critical to disable system restore during this procedure, otherwise procedure will not work.
Use AVG antivirus to identify and locate undocumented alterations. This virus seems to have some output variants as to where it locates its files.
Manually remove text/html and text/plain protocols in registry, and remove html pages and BHO reg reference to **.dll with Hijackthis.
Remove .dll in safe mode.
I did not find a filter.log file.
Thanks to all those whose information came in to help with this problem. Those b***ards are getting pretty smart.

Thank you Blender, thank you Art.
I spoke too soon earlier. Found the reg entries that Blender mentioned and more by doing a search using the string name.
[HKEY_CLASSES_ROOT\CLSID\{3B02AE0B-2C36-48B7-8810-EADADF53ABBE}\InProcServer32]
@="C:\\WINNT\\system32\\bjcchh.dll"
"ThreadingModel"="Apartment"
(In the above the string name would not be the same)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
By this time I had another .dll in place!
However, using the latest version of CoolwareShredder seems to have done the trick. As Art mentioned, I also cannot find a filter.log. Have yet to double-check after a few reboots, checks of the registry & re-runs of CoolwareShredder, but looking good so far.
Many thanks to everyone for their information.

Quote: Adrian
"However, using the latest version of CoolwareShredder seems to have done the trick."
Yeah, that's what I thought too when I downloaded and ran the latest version of CWShredder (that is what you're using, right?). Unfortunately, CWShredder seems to be ineffective against searchx.cc. The very next day, the searchx.cc website sprung up again. You wouldn't believe the things I shouted at my computer monitor...
@Blender
By the way, Blender...I did what you instructed me to do and it might've worked. If it comes back, I'll let you know. If it doesn't come back for at least a week, I'll let you know.

Warren,
Just a thought but you might check the version of CWShredder that you are using. I originally used version 1.56.0.0 , which didn't find CWS.searchx. Yesterday I downloaded it again from the link that Blender provided - version 1.56.0.1 - and it found & removed CWS.searchx. A few reboots later & I've not yet had my homepage hijacked (although like you I'll reserve judgement for a week or two). I also manually checked the registry and deleted the registry entries mentioned in my previous post.
Having said that, I have just done a search on the most recently dated dll's in c:\winnt\system32. Opening them in a hex viewer, I found that they were the same searchx dll's (they contained sp.html - which has the html code for the hijacked homepage).
I have permanently deleted them, but am left uncertain as to whether the original program just drops a whole load of dll's (so called) and uses them at random, or whether these were created prior to me recognising the problem.

@Blender
The searchx.cc website is back again. The two protocol filters are back as well. Nothing seems to work. ...what's happening...I don't think I was re-infected. I couldn't have been on the Internet for more than five minutes and the only thing I did was go to this website.
@Adrian
CWShredder 1.56.1 is the one I'm talking about. It says it removes the searchx.cc, but it usually comes back the very next day.

Jeez this is a hard mofo. I keep cleaning my disk and it keeps coming back. i tried AAW, search&destroy, CWShredder, HijackThis and it still comes back after a day.. HELP
searchx sux...

I have been watching this, and working with a few other local infected systems. The latest CWShredder build seems to really nail the problem. Three for three as of today, with no returns.

I've noticed a pattern of re-infection. It appears that the searchx.cc thing comes back after I launch Internet Explorer 6 for a few minutes. This happened three times. That can't be a coincidence...

Well, after my last post, searchx reappeared. Since then I have done the following.

Looking at the most recent .dll's in c:\winnt\system32 (I haven't installed anything for a while), I started checking the version. There was the latest .dll causing the searchx problem - with no version tab at all. I also had my eye on another .dll with no version tab - sqlmbb.dll. When I tried to open this in a Hex viewer (PE Explorer - http://www.heaventools.com/download.htm ) - it wouldn't open, saying it wasn't a .dll or .exe....suspect. This .dll had been there all the time I have had the problem, even when the names of the other .dll's changed. (NB. just because there was no version tab doesn't mean it's false as I have found other genuine ones - which have shown up in Google searches as being genuine .dll's).

I found the following link March 24, 2004:
[Update] If your browser has been hijacked to drxcount.biz, real-yellow-page.com, list2004.com or linklist.cc:
http://www.spywareinfo.com/~merijn/

I downloaded pv.zip from the following URL http://www.zerosrealm.com/downloads/pv.zip . I ran this (with at least 1 IE window open) and looked for the suggested file (name is different), size (61c00000) and beginning (61440). There it was sqlmbb.dll - the suspect .dll.

I then downloaded 'Killbox' from the following URL http://download.broadbandmedic.com/VbStuff/KillBox.zip and set it to delete sqlmbb.dll on reboot. After reboot, I ran Killbox again and selected the most recent .dll that searchx had dropped for delete after reboot.

After reboot, I ran CWShredder, which removed the filter\text/html and \filter\text/plain registry entries. I also checked the registry manually to make sure all references to this had gone.

It's still early days - I'm reluctant to say this has resolved the problem as I've said this twice before & it has reappeared...but it may be worth a go. Below is the pasted text courtesy of http://www.spywareinfo.com/~merijn/.

March 24, 2004:
[Update] If your browser has been hijacked to drxcount.biz, real-yellow-page.com, list2004.com or linklist.cc:
We are working on a fix for this one and drawing near to an automated solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it.
The following *updated* manual fix should work:
Download this zip: http://www.zerosrealm.com/downloads/pv.zip, unzip it to the desktop.
Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.
Notepad will open with a log in it. Look for a line with this file, size and beginning to it. The filename will always be different:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
This part indicates the bad file:
61c00000 61440
It will always start with that header.
Write down the filename behind it.
Now download KillBox:
http://download.broadbandmedic.com/VbStuff/KillBox.zip
Unzip and run it.
Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot".
On the next screen, click on the File menu and choose "Add File". The file you copied earlier should now show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.
After rebooting, make sure the file is gone.
If this doesn't work, search on the SpywareInfo forums for topics posted by users with the same problem and read those. If none of the solutions you find work, make a new thread and ask for help.
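The manual fix pasted above identifies the dropped DLL from a loaded-module listing (name, hex base address, decimal size, path) by the fixed pair 61c00000 61440, and Adrian's earlier post identifies the same family of DLLs by the sp.html string visible in a hex viewer and by PE Explorer refusing to open one of them as a DLL. The Python below, an added example that is not code from this thread, from merijn's pv tool or from CWShredder, implements those three checks: parse a listing in that format and flag the base/size match, then classify file bytes by the MZ header and the sp.html marker. The listing lines and the byte strings are constructed samples; the benign modules' addresses are made up, and the line format is assumed from the single example line quoted in the fix.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Load-address / size pair quoted in the merijn fix above for this CWS variant.
SUSPECT_BASE = 0x61C00000
SUSPECT_SIZE = 61440

# String Adrian found inside the dropped DLLs with a hex viewer: the name of the
# resource that the hijacked res:// URLs in the HijackThis logs point at.
CONTENT_MARKER = b"sp.html"

# One listing line: <name> <hex base> <decimal size> <path>.
# Format assumed from the example line quoted in the thread.
MODULE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<base>[0-9a-fA-F]{8})\s+(?P<size>\d+)\s+(?P<path>.+?)\s*$"
)

# Constructed sample listing; the benign modules' addresses and sizes are made up.
SAMPLE_LISTING = r"""
ntdll.dll     7c900000 729088 C:\WINDOWS\system32\ntdll.dll
kernel32.dll  7c800000 995328 C:\WINDOWS\system32\kernel32.dll
winajbm.dll   61c00000 61440 C:\WINDOWS\system32\winajbm.dll
shdocvw.dll   7e290000 1499136 C:\WINDOWS\system32\shdocvw.dll
"""

# Constructed file bodies standing in for files read from system32.
FAKE_DROPPED_DLL = b"MZ\x90\x00" + b"\x00" * 12 + b"res://C:\\WINNT\\System32\\mcca.dll/sp.html"
FAKE_CLEAN_DLL = b"MZ\x90\x00" + b"\x00" * 12 + b"ordinary code and strings"
FAKE_NOT_A_PE = b"\x00\x01garbage that only has a .dll extension"


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    path: str


def parse_module_list(text: str) -> list[Module]:
    """Turn the notepad log from runme.bat into Module records; unparseable lines are skipped."""
    modules: list[Module] = []
    for line in text.splitlines():
        m = MODULE_LINE.match(line.strip())
        if m:
            modules.append(Module(m["name"], int(m["base"], 16), int(m["size"]), m["path"]))
    return modules


def suspicious_modules(modules: list[Module]) -> list[Module]:
    """Modules matching the base/size pair the fix says marks the bad file."""
    return [m for m in modules if m.base == SUSPECT_BASE and m.size == SUSPECT_SIZE]


def classify_file(data: bytes) -> str:
    """Independent check on the file body, mirroring what Adrian saw in a hex viewer.

    Returns "not-a-pe" when the DOS 'MZ' header is missing (a .dll that is not an
    executable image at all), "marker-present" when the sp.html resource name is
    inside, otherwise "clean".
    """
    if data[:2] != b"MZ":
        return "not-a-pe"
    if CONTENT_MARKER in data.lower():
        return "marker-present"
    return "clean"


if __name__ == "__main__":
    for m in suspicious_modules(parse_module_list(SAMPLE_LISTING)):
        print(f"base/size match: {m.path}")
    for label, body in (("dropped", FAKE_DROPPED_DLL), ("clean", FAKE_CLEAN_DLL), ("junk", FAKE_NOT_A_PE)):
        print(f"{label}: {classify_file(body)}")
```

The two checks are deliberately independent: the base/size pair only works while the DLL is loaded in an IE process, which is why the fix says to keep an IE window open, while the byte-level classification can be run over the most recently modified files in system32 after a reboot, which is how Adrian found the extra copies that were sitting on disk unused.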

EASY INSTRUCTIONS!
I managed to clear the searchx.cc browser homepage hijack relatively quickly, here is how:
1) Removed sql.dll from \windows\system32 (maybe something like winnt\system32 on your computer)
2) Removed the registry reference to sql.dll [Not sure I needed to do this step]
3) Ran CWShredder.exe
In a bit more detail:
1) sql.dll seems to be the culprit, but it is difficult to delete. So you need a tool such as Killbox.exe to delete it at reboot stage. Killbox.exe was downloaded from:
http://download.broadbandmedic.com/VbStuff/KillBox.zip
(I used version 2.00.0179 but in fact there are plenty of other programs around doing similar things)
Close other running programs. Use Action - Delete on reboot - Fill add file (sql.dll) - Process and reboot.
Then let the system reboot.
2) After rebooting I then went into regedit and did Find on sql.dll and then deleted it. This registry entry seems to run on startup then the dll deletes the entry in the registry, so you won't find it (unless you've deleted the offending dll first, thereby breaking its chain). I am not sure I needed to do this, in view of step 3, but I report it anyway.
3) I then downloaded and ran CWShredder.exe from this location:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
(I used version v1.56.2)
After pressing the Fix -> button it came up with a screen saying "CWS.Searchx REMOVED"
Then opened the window and all was OK.
Until my virus scanner is updated I will also need to monitor \system32 to see what DLLs end up there before I reboot or close down to prevent recurrence. I imagine sql.dll could get another name very easily but sorting by date/time should throw up any newcomers. Also do a screen dump of the \system32 area to compare later!
Hope that helps. This took me an hour or two to do, some guys seem to have worked on it for far longer. I shall be making a modest donation for the CWShredder software I used above, in view of the potential hours of my life they have saved. I would urge others to do the same or to give a few pounds / dollars to charity.
best wishes
Chrys in Northumberland.
