Hey guys,
My homepage has been hijacked. The new page just says "about:blank". I can still visit google and other search sites.
I have run CWShredder: it finds some things, but they are there again after I restart. (Doesn't look like CWS to me, though, since I can visit search sites.)
I ran SpyBot and it found nothing. I also ran TDS-3 and it found some stuff:
------------
Scan Control Dumped @ 20:35:33 28-04-04
(DELETED) Positive identification: TrojanDownloader.Win32.Winshow.w
File: c:\program files\internet explorer\bpsuwiyv.exe
(DELETED) Positive identification: TrojanDownloader.Win32.Winshow.w
File: c:\program files\internet explorer\xxqefpiu.exe
Positive identification (DLL): Adware.Winshow.d (dll)
File: c:\windows\system32\gkh.dll
(DELETED) Positive identification: Adware.WildTangent.a
File: c:\windows\wt\backup\1.6.0.037\wcmdmgrl.exe
---------------
I couldn't get it to delete the Adware. This one isn't as evil as most hijacks, but it is still annoying. Please help.
P.S. I didn't have this problem when I checked my email this morning; all I've done since then is DL the newest patches for FF11. Don't know how I got this one.

If you ran SpyBot and found nothing, then your SpyBot is not likely up to date.
One of your problems is Wild Tangent, which an up-to-date SpyBot will find in spades unless you've removed it and its components with something else. "Uninstalling" it won't do this.
Update SpyBot, and give Ad-Aware a try as well. Be sure it's up to date too.
http://www.lavasoftusa.com/
(Sorry about the weak link, I'm feeling lazy tonight.)
Good luck!
AOSCLAY

Hm.
I've tried updating SpyBot on every mirror it gives, and it always tells me that no more downloads are available.
All of the programs I've run show things, usually again if I run them after I restart. (Ad-Aware just showed the same things; CWS has been too.)
What is the next step? Nothing changed.
Should I post an HJT log?

I APOLOGIZE IN ADVANCE FOR THIS STATEMENT:
If SpyBot and Ad-Aware keep showing all the same things over and over again, then I fear you have only been scanning and not fixing.
After SpyBot and Ad-Aware detect things, you have to tell the programs to proceed with fixing them.
AGAIN, I APOLOGIZE IF I MISUNDERSTOOD YOU.
If you meant that some of your problems keep coming back after you've already used the above programs to fix them, then that is another problem.
As for CWShredder, it is not uncommon to hit on the same items over and over again until you get them fixed. CWShredder does not always accomplish this alone.
If you have updated, run the scanners, attempted to fix the problems, then I humbly invite you to post your HijackThis log for enduring my lunatic rambling. (It is late and I am sleepy.)
Gotta hit the sack soon, but post and I (or somebody else) will look at it as soon as possible.
Good luck!
AOSCLAY

I'm at my wits' end... please help. Pesky searchmeup hijack!!
Logfile of HijackThis v1.97.7
Scan saved at 6:39:31 PM, on 4/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\ATICWD32.exe
C:\WINDOWS\SYSTEM\ATITASK.exe
C:\WINDOWS\OMCAMLCH.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\AHEAD\INCD\INCD.exe
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.exe
C:\WINDOWS\RUNWIN32.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACRORD32.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\HIJACK\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 817673475145.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rstd-proxy.tp.edu.sg
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1517.0\ZH-SG\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [SetFirst] omcamuns setfirst
O4 - HKLM\..\Run: [Autolaunch] omcamlch
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [CSCRIPS] C:\WINDOWS\COMMAND\CSCRIPS.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\NORTON~1\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\ICQ\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [RamBooster] C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\ICQ\ICQ\ICQ.exe -trayboot
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
O16 - DPF: {F3F193CC-8D90-4BEB-8EDA-3EA69BB624F0} (Downloader Class) - http://a2044.g.akamai.net/7/2044/7189/20021011190647/www.douwantit.com:80/download/1.0.1.8/dwnldr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37863.935150463
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://gemssharepoint2.ntu.edu.sg/igems/Portal/resources/msddsc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {109106E8-DFAA-4F22-9922-FBAF1FC1409C} (Pco3 Window (OCBC) Control) - https://www.iocbc.com/esales/csksls/Panel/Pco3X_OCBC.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab

First, have HijackThis fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
and possibly these too (I don't recognize them, but you might)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 817673475145.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rstd-proxy.tp.edu.sg
Do that first.
AOSCLAY
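The advice above (fix every R0/R1 line that points at the same unwanted host, then question the proxy settings and the O4 autostart entries) is exactly the triage an analyst does by eye on a HijackThis log. As an added defender's example, not code from the thread or from HijackThis itself, here is a small Python parser that does that triage on log lines. The constructed sample is a subset of the entries quoted above; the function names, the regular expressions, the host-count threshold and the allowlist of known program names are my assumptions, not HijackThis behaviour, and the allowlist is something the analyst fills in from the machine's installed software.

```python
"""Triage helpers for a HijackThis-style log (added example, not HijackThis code):
R0/R1 settings that all point at one host, proxy/auto-config settings that can
reroute traffic, and O4 autostart entries not explained by installed software."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines quoted in the thread above.
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 817673475145.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rstd-proxy.tp.edu.sg
O4 - HKLM\..\Run: [CSCRIPS] C:\WINDOWS\COMMAND\CSCRIPS.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\NORTON~1\NAVAPW32.exe /LOADQUIET
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
'''

# Assumed line shapes, derived from the log format shown above.
R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+?) = (.*)$")
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (.+?) = (.*)$")


def command_target(command):
    """Strip arguments from an autostart command and return the executable path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_hjt(text):
    """Parse R0/R1 and O4 lines into dicts; other sections are ignored here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            section, key, value, data = m.groups()
            entries.append({"section": section, "hive": key.split("\\")[0], "key": key,
                            "value": value, "data": data, "raw": line})
        elif m := O4_RUN.match(line):
            hive, key, name, command = m.groups()
            entries.append({"section": "O4", "hive": hive, "key": key, "name": name,
                            "command": command, "target": command_target(command), "raw": line})
        elif m := O4_STARTUP.match(line):
            name, command = m.groups()
            entries.append({"section": "O4", "hive": "Startup", "key": "Startup", "name": name,
                            "command": command, "target": command_target(command), "raw": line})
    return entries


def _host(data):
    """Hostname of an http(s) URL, or None for non-URL data such as a .pac file name."""
    if data.lower().startswith(("http://", "https://")):
        return urlparse(data).hostname
    return None


def hijack_hosts(entries, min_hits=3):
    """Hosts that several browser settings point at. A chosen home page rarely also
    owns the search bar, search page, SearchAssistant and CustomizeSearch."""
    counts = Counter()
    for e in entries:
        if e["section"] in ("R0", "R1") and _host(e["data"]):
            counts[_host(e["data"])] += 1
    return {h: n for h, n in counts.items() if n >= min_hits}


def fix_list(entries, host):
    """The R lines to hand to HijackThis once HOST has been judged unwanted."""
    return [e["raw"] for e in entries
            if e["section"] in ("R0", "R1") and _host(e["data"]) == host]


def proxy_settings(entries):
    """AutoConfigURL/ProxyServer entries: a PAC file or proxy can still reroute
    requests after the start page is fixed, so each must be explained or cleared."""
    return [e for e in entries if e["section"] in ("R0", "R1")
            and e["value"] in ("AutoConfigURL", "ProxyServer")]


def unexplained_autostarts(entries, known_names):
    """O4 entries whose name is not on the analyst's allowlist of installed software."""
    return [e for e in entries if e["section"] == "O4" and e["name"] not in known_names]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for host, n in hijack_hosts(entries).items():
        print(f"{n} browser settings point at {host}; fix list:")
        print("\n".join("  " + raw for raw in fix_list(entries, host)))
    for e in proxy_settings(entries):
        print("proxy-related, needs explaining:", e["raw"])
    known = {"Norton Auto-Protect", "MsnMsgr", "Microsoft Office.lnk"}  # analyst-supplied
    for e in unexplained_autostarts(entries, known):
        print("unexplained autostart:", e["name"], "->", e["target"])
```

Run it as a script to get the fix list in the same shape AOSCLAY posted above, plus the two proxy-related lines and the O4 names the allowlist does not cover. The allowlist is deliberately the analyst's input: the script does not judge any autostart as malicious, it only surfaces the ones that nothing installed on the box accounts for.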

Consider removing this (might be from the PWSteal.AlLight Trojan, but I might be wrong. Yours is in C:\Windows and not C:\ - big difference.) Not sure I like the way it looks.
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
AND...
Do you know what these are (do you have an installed program that these might relate to)?
O4 - HKLM\..\Run: [SetFirst] omcamuns setfirst
O4 - HKLM\..\Run: [Autolaunch] omcamlch
How about this one?
O4 - HKLM\..\Run: [CSCRIPS] C:\WINDOWS\COMMAND\CSCRIPS.exe
Do a search on it and you get lots of links referencing W32.Magistr.*
Might be worthwhile to go to Symantec's site and get the removal tool. Just a thought.
Magistr is cute... it makes your desktop icons run away from your cursor after a while.
Anyway, let me know if the problem does not seem to improve.
Good luck!
AOSCLAY

By the way, don't panic. I doubt it's Magistr (Magistr is very destructive).
You would probably know by now.
I just thought the search results on it were interesting.
Good luck!
AOSCLAY

Ummm, for starters I find it rude that someone hijacked my post to get their log looked at.
I believe the rule is don't post the log unless it is asked for.
Anywho, I had tried fixing the problems. You are right, it was only some of the problems returning. One in particular seemed to be loading the rest. It was a Sys 32 file called ghk.dll. I renamed that file to ghkj.txt and when I rebooted my homepage was fixed.
Only problem is I still can't delete it.
What do I do now?
(Should I still post my log?) -Dave

First, sorry DAVE, you changed names once (from DAVE to DMSCHAVE). I didn't even notice somebody scabbed in on your thread. Sorry.
TO THE GUY THAT JUMPED IN ON THIS THREAD AND POSTED A HIJACK LOG (Ray):
Run a scan with HijackThis and have it fix everything it finds...
You can take that advice if you want, but I suggest you think it over first... don't hijack other people's threads, it's just not nice.
Yes, Dave, you are supposed to have permission to post a Hijack Log (Ray, you did not).
This is already getting long, but I will look at your log (as I said I would) if all your scanners are up-to-date and your problems still keep coming back.
If your problems are fixed though, and you are not having any more trouble, there is no reason to post a log file.
EVERYBODY PLAY NICE NOW
AOSCLAY

OK cool. So there is no need to worry about the ghk.dll file I renamed to a .txt file, since it killed the hijacker's ability to reload itself, right?
Thanks a ton (I'll try to remember I'm Dave =P).
-Dave
