Author |
Message |
Stillhawkk
Cadet
Joined: May 29, 2004
Posts: 5
Location: USA
|
Posted: Sat May 29, 2004 9:10 pm Post subject: Browser has been Hijacked..... I think |
|
|
Hello, new to the computercops website so please bear with my ignorance. What has happened is this, when I fire up my IE it goes to super-spider.com. Even when trying to select some of my favorites it gets directed to that site or another search site with various sex site ads. In my favorite list is also a few porn sites that as you prolly can already guess when I try to delete them they just come back. As well as when I change my homepage back to my normal site. It is absolutely driving me up a wall, so any help would be most appreciated.
I do have Spybot installed as well as Adaware, which have taken care of most things for me.. Thank you again in advance to all of you that help others. |
|
|
|
archimedes
Warnings : 1
Lieutenant
Joined: May 21, 2004
Posts: 155
Location: USA
|
Posted: Sat May 29, 2004 11:06 pm Post subject: |
|
|
Hey there stillhawkk,
first go to http://www.winpatrol.com/
download and install the program.
once installed open your browser and go to the page you want to be your homepage.
click tools, internet options, use current.
once this is done winpatrol will soon popup asking you if you wish to keep the setting and you answer yes (provided the page stated is still the same you chose)
then open adaware and do the following:
Make sure the following settings are configured. Remember that ON=GREEN.
From main window click Start | Activate in-depth scan.
Then click Use custom scanning options | Customize and have these options switched ON...
Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files
Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..
Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.
and uncheck..
Automatically try to unregister objects prior to deletion.
Then click Proceed, to save your settings.
Now click the Scan button.
when the scan has finished, delete the found files.
Ok, now that that's done go to
http://www.spychecker.com/program/hijackthis.html
download and install into its own directory in C:/program files/
with an explorer window open (such as my documents) click tools, folder options, view. scroll down and make sure show hidden files is ticked and hide extensions is unticked.
scan with hijackthis. when the scan is finished the scan button will change into a save log button. save your log file and post it back here.
good luck.
_________________
best tools:winpatrol, spywareblaster, spywareguard,zone alarm, hijackthis, crapcleaner, Ad-Aware, SpyBotSD, Jet Audio. |
|
|
|
Stillhawkk
Cadet
Joined: May 29, 2004
Posts: 5
Location: USA
|
Posted: Sun May 30, 2004 7:57 am Post subject: |
|
|
Thank you Archimedes.
I did as told and this is the Log that I was given. Winpatrol is asking if I want to change my homepage about every 5 mins or so. I know this is probably normal but in case it isn't I wanted to mention it.
Once again thank you for your help thus far.
Anyway...Here is said log. Glad yall know how to read it. I sure don't.
Logfile of HijackThis v1.97.7
Scan saved at 7:52:12 AM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\WinZip\Wzqkpick.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\jxt6oinok41c.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com |
|
|
|
Stillhawkk
Cadet
Joined: May 29, 2004
Posts: 5
Location: USA
|
Posted: Tue Jun 01, 2004 7:11 pm Post subject: |
|
|
still having the same problems.. can anyone tell me what i can edit/delete to perhaps remedy my situation? |
|
|
|
helpless
1st Responder
Joined: Jan 29, 2004
Posts: 728
Location: Belgium
|
Posted: Wed Jun 02, 2004 4:50 am Post subject: |
|
|
The first thing I noticed :
O4 - Global Startup: winlogin.exe
so....
http://www.dougknox.com/xp/utils/xp_winlogin_remove.htm
http://www.trendmicro.com/vinfo/virusen....A&VSect=T
http://securityresponse.symantec.com/av...dex.e.html
so after removing the above :
boot in safe mode and unhide hidden files:
safemode
From the Windows Start menu, go to Turn off computer and click Restart.
As the computer restarts, watch for a progress bar at the bottom of the screen. press F8 about once every second.
Immediately press F8 before the progress bar reaches the right side of the screen.
From the Windows Start-up menu, highlight Safe Mode and press Enter.
Wait for your desktop to appear, and then make the necessary repairs
unhide
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
THEN :
rerun HiJack and mark the below to be fixed
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\jxt6oinok41c.dll
then delete the below files
C:\WINDOWS\System32\jxt6oinok41c.dll
C:\WINDOWS\SYSTEM\blank.htm
Reboot
then run the below 2 apps after updating them :
Ad-Aware : http://majorgeeks.com/download.php?det=506
->update -> run -> reboot
Spybot S&D : http://spybot.safer-networking.de/index.php?page=download
->update -> run -> reboot
then post a new HiJAck-log
CU
_________________
Learning everyday something new.
-----------------------------------------
There are always 2 correct answers, the "Microsoft correct answer" and "answers that work" |
|
|
|
Daemon
Security Expert
Premium Member
Joined: Jan 22, 2004
Posts: 793
Location: UK
|
Posted: Wed Jun 02, 2004 4:34 pm Post subject: |
|
|
Hi guys
Hope you don't mind me joining in on this one - can be a bit awkward to remove.
Click here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:
C:\WINDOWS\image.dll
Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The C:\WINDOWS\image.dll listing should show up in the window. Then repeat the process, this time adding:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
If that's successful you should have the two files listed. Then repeat so that these files appear in the list as well:
C:\WINDOWS\System32\sysstartup.exe
C:\WINDOWS\System32\jxt6oinok41c.dll
When they are all there, in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
Open HijackThis, scan and when complete, remove the following entries (if still there) by checking the box to the left and clicking 'fixed checked':
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\jxt6oinok41c.dll
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
Reboot when done. Rescan with HJT and post a new log. |
|
|
|
Stillhawkk
Cadet
Joined: May 29, 2004
Posts: 5
Location: USA
|
Posted: Wed Jun 02, 2004 6:29 pm Post subject: |
|
|
Here is my new log. Boy I can't thank you guys enough for your continued help with this. Anything else wrong with it?
Logfile of HijackThis v1.97.7
Scan saved at 6:26:14 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\WinZip\Wzqkpick.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: Win32 Classes -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\temp\setup1.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab |
|
|
|
Daemon
Security Expert
Premium Member
Joined: Jan 22, 2004
Posts: 793
Location: UK
|
Posted: Thu Jun 03, 2004 2:06 am Post subject: |
|
|
Just a bit of tidying up. With only HJT running, have it fix:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\temp\setup1.exe
Reboot and you should be good to go.
Could you open TheKillbox again, click File, Open!Submit and you will see a folder bearing the date that you used TheKillbox - zip it up and send to including a link to this thread in the body of the email. |
|
|
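A remediation check for the two fix lists above, as an added example that is not part of the original thread or of HijackThis: it parses entry lines from a before and an after log, confirms the entries marked for fixing are gone, and lists entries that are new in the second scan. The function names, the `file://` review rule and the trimmed sample logs are assumptions constructed for illustration.

```python
import re

# Constructed sample input: entry lines copied from the two HijackThis logs in
# this thread, trimmed to the first fix list plus one entry the helpers left alone.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\jxt6oinok41c.dll
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
"""
UNFLAGGED = r"O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe" + "\n"
LOG_BEFORE = FIX_LIST + UNFLAGGED
LOG_AFTER = UNFLAGGED + r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\temp\setup1.exe
"""

# Section code (R0, O4, O16, ...) then the detail; a trailing " |" left by the
# forum table layout is dropped. Header and process lines do not match.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+?)\s*\|?\s*$")

def parse_entries(log_text):
    """Return the set of (section, detail) pairs found in a pasted log."""
    found = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2)))
    return found

def compare(before, after, fix_list):
    b, a, f = parse_entries(before), parse_entries(after), parse_entries(fix_list)
    return {
        "still_present": sorted(f & a),  # marked for fixing but survived the reboot
        "removed": sorted(f - a),
        "new": sorted(a - b),            # not in the first scan: review each one
    }

def local_dpf(entries):
    """Review rule (assumption): O16 entries installed from a local file:// path."""
    return [d for s, d in entries if s == "O16" and " - file://" in d.lower()]

if __name__ == "__main__":
    report = compare(LOG_BEFORE, LOG_AFTER, FIX_LIST)
    for key, items in report.items():
        print(key, len(items))
    print("local DPF:", local_dpf(report["new"]))
```
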
|
helpless
1st Responder
Joined: Jan 29, 2004
Posts: 728
Location: Belgium
|
Posted: Thu Jun 03, 2004 4:45 am Post subject: |
|
|
thx for stepping in Daemon,
i was looking around for the O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
when coming back with the solution i saw you did a better job
_________________
Learning everyday something new.
-----------------------------------------
There are always 2 correct answers, the "Microsoft correct answer" and "answers that work" |
|
|
|
Stillhawkk
Cadet
Joined: May 29, 2004
Posts: 5
Location: USA
|
Posted: Thu Jun 03, 2004 7:03 pm Post subject: |
|
|
Thank you two!!! I tried to do as you said Daemon but when I hit the open/submit it tells me that the path /submit does not exist or is not a directory. but i will still send an email with the link to that thread...
Thanks again.. |
|