|
|
#1
November 3rd, 2004, 07:13 AM
|
||||
|
||||
pieter arntz where are you!?!
this is a pretty strange request,but,a few months back (june 3rd) i had a problem with 'hot_kiss' xxxserver an got help from this guy pieter.
if your out there pieter could you reply to my post....got a new problem i could realy use ur help with!! using both ad aware and spybot these days but this new problem has them both beaten! its 'coolwwwsearch' im sure,plus another few. both spybot an ad aware can find it and delete it,but when i repeat the scan the same problems still come up. the result of this is my homepage bein replaced with the 'slightly' unwanted... res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm if you could please contact me i would greatly apreciate it, and have a hijackthis log file on standby should you need it. regards, griogair. |
|
#3
November 3rd, 2004, 07:54 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
Hi Griogair,
Have you tried CWShredder: http://www.intermute.com/spysubtract..._download.html ? If that doesn't work either please follow the directions posted here: http://www.wilderssecurity.com/showt...776#post222776 to get help with your HijackThis log. Regards, Pieter
__________________
Regards, Pieter Itīs nice to be important, but itīs more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#4
November 3rd, 2004, 08:33 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
am afraid a dont think its working....(ahhhhhhh!!)..downloaded shredder...still hapening!
read the link about hijackthis....who should i send my log to then? griogair. |
|
#5
November 3rd, 2004, 09:04 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
Quote:
I'll use my rights as a forum expert (*cough*)  Post your log. Regards, Pieter
__________________
Regards, Pieter Itīs nice to be important, but itīs more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#6
November 3rd, 2004, 09:35 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
cheers mate! i appreciate it!
hope you dont mind my asking,but,is the forum run on a purely volinteer basis through people such as yourself? it jst seems generous beyond belief that your doing the same job as many anti-internet-evilness companys sell software for? sorry for bein nosy...was just wondering. cheers! griogair Logfile of HijackThis v1.98.2 Scan saved at 11:51:09, on 03/11/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\SOINTGR.EXE C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\System\MSMSGSVC.exe C:\Program Files\EzButton System V2.1\EzButton.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Griogair stewart\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dixons.co.uk/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V2.1\EzButton.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/ O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{261B93EF-7F52-4F44-919A-6DA024BD257E}: NameServer = 195.92.195.95 195.92.195.94 |
|
#7
November 3rd, 2004, 10:01 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
Hi Griogair,
It's even worse. Some of the "anti-internet-evilness companys" are the worst enemies of all the volunteers helping on all the forums around the world. Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated) O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll Then reboot and run CWShredder once more before you open any IE windows. Regards, Pieter
__________________
Regards, Pieter Itīs nice to be important, but itīs more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#8
November 3rd, 2004, 10:05 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
We'll have to do something else after that so please report back when you are done with a new log.
Regards, Pieter
__________________
Regards, Pieter Itīs nice to be important, but itīs more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#9
November 3rd, 2004, 10:25 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
Hi Pieter and Griogair,
I have moved this thread to a more appropriate forum  ...
__________________
Best regards, Kent AX64 Time Machine - Travel in Time Current Version 1.1.0.996 |
|
#10
November 3rd, 2004, 11:00 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
cool...run hijackthis...got rid of em then ran shredder....wen conected homepage was still the 'evil' one.
did you say you still had something up your sleave? griogair. |
|
#11
November 3rd, 2004, 11:01 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
Logfile of HijackThis v1.98.2
Scan saved at 16:01:07, on 03/11/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\SOINTGR.EXE C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System\MSMSGSVC.exe C:\Program Files\InterMute\SpySubtract\SpySub.exe C:\Program Files\EzButton System V2.1\EzButton.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Griogair stewart\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated) R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dixons.co.uk/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V2.1\EzButton.exe O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/ O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{261B93EF-7F52-4F44-919A-6DA024BD257E}: NameServer = 195.92.195.94 195.92.195.95 |
|
#12
November 3rd, 2004, 11:06 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
Yes. I wanted to know if the dll would be replaced with a good one.
Obviously it wasn't. Fix these lines as well: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home Then find C:\WINDOWS\System32\dllcache\shdoclc.dll and use it to replace C:\WINDOWS\System32\shdoclc.dll The dllcache folder is extremely important so Windows XP hides it. To view it click My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files. This will also reveal other hidden system files so be careful! Regards, Pieter
__________________
Regards, Pieter Itīs nice to be important, but itīs more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#13
November 3rd, 2004, 11:12 AM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
This is the one you have by the way:
http://www.sophos.com/virusinfo/analyses/trojcwsc.html http://vil.nai.com/vil/content/v_101828.htm Take a good look here for more instructions: http://www.kephyr.com/spywarescanner...pe/index.phtml Regards, Pieter
__________________
Regards, Pieter Itīs nice to be important, but itīs more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#14
November 3rd, 2004, 12:09 PM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
aarrarrarggggggghhhhhhhh!!!!!!!!!! i had it!!!!! it changed back to my original homepage i know because it set it to freeserve...which is pre wanadoo.....closed internet options and opened internet explorer to find it back.....aaaaaaaaaahhhhhhhhh!!!!! did what the website told me....deleted (??).dll it said and it hapned again!!!!!!
griogair....ahhhhhhhhhhhhhhh!!!!!  |
|
#15
November 3rd, 2004, 01:51 PM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
Hi Griogair,
Try this way. Close all instances of IE and don't open any until after you rebooted. Copy the part in bold below into notepad and save it as hexaway.reg Windows Registry Editor Version 5.00 [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{834261E1-DD97-4177-853B-C907E5D5BD6E}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}] Doubleclick the file you made and confirm you want to merge it with the registry. Then in HijackThis click Config > Misc Tools > Delete a file on reboot... Select C:\WINDOWS\dpe.dll and reboot your computer when prompted. Then run HijackThis again and remove all the CWS lines that are still present (the ones from the previous posts that returned) Then you can open IE and in Internet Explorer, click Tools -> Internet Options. Click the Programs tab -> Reset Web Settings. Keep us posted, Pieter
__________________
Regards, Pieter Itīs nice to be important, but itīs more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#16
November 9th, 2004, 12:56 PM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
yesssssss!!!! ive never been hapier to go online!!!!
you will never believe how strangely my laptops been acting these last few days...then all of a sudden im back online  when i copied your reply to a notepad so i could read it without accessing ie....i carried out your instructions to no success...i then tried to go online to reply to your post to find that every site i tried to visit had been blocked by another .dll type homepage whos only two options were a search button or a spyware removal button...both of which linked to the same list of pay software....so tonite..sick of a weeks lack of access i tried the same method as before to no success then decided to go to my furthest back restore point...and all of a sudden my hompage is restored and ad aware seems to think my laptops clean ? i am relieved i have internet access once more but am doubtful to just how clean my laptop realy is...how do you recomend i find out and make sure it isbetter late than never thanks griogair |
|
#17
November 9th, 2004, 01:01 PM
|
||||
|
||||
|
Re: pieter arntz where are you!?!
also...if you reply to this and do not hear from me quickly please assume that i hav encounterd the same block of sites as before...if so,could you please contact me on: griogair@stewart9920.freeserve.co.uk if its not too much hastle..thanks once again
griogair |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
