pieter arntz where are you!?!

[Griogair]

this is a pretty strange request,but,a few months back (june 3rd) i had a problem with 'hot_kiss' xxxserver an got help from this guy pieter.

if your out there pieter could you reply to my post....got a new problem i could realy use ur help with!!

using both ad aware and spybot these days but this new problem has them both beaten!

its 'coolwwwsearch' im sure,plus another few. both spybot an ad aware can find it and delete it,but when i repeat the scan the same problems still come up.

the result of this is my homepage bein replaced with the 'slightly' unwanted...

res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm

if you could please contact me i would greatly apreciate it, and have a hijackthis log file on standby should you need it.

regards, griogair.

[nadirah]

Pieter is online now.. he should respond shortly.

[Pieter_Arntz]

Hi Griogair,

Have you tried CWShredder: http://www.intermute.com/spysubtract..._download.html ?

If that doesn't work either please follow the directions posted here:
http://www.wilderssecurity.com/showt...776#post222776
to get help with your HijackThis log.

Regards,

Pieter

[Griogair]

am afraid a dont think its working....(ahhhhhhh!!)..downloaded shredder...still hapening!

read the link about hijackthis....who should i send my log to then?

griogair.

[Pieter_Arntz]

Quote:

Please note that from time to time a HijackThis log may still be requested by a moderator (or specially titled forum expert) for use in other types of problem diagnosis.

I'll use my rights as a forum expert (*cough*)
Post your log.

Regards,

Pieter

[Griogair]

cheers mate! i appreciate it!

hope you dont mind my asking,but,is the forum run on a purely volinteer basis through people such as yourself? it jst seems generous beyond belief that your doing the same job as many anti-internet-evilness companys sell software for? sorry for bein nosy...was just wondering.
cheers!
griogair


Logfile of HijackThis v1.98.2
Scan saved at 11:51:09, on 03/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOINTGR.EXE
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\Program Files\EzButton System V2.1\EzButton.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Griogair stewart\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dixons.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V2.1\EzButton.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{261B93EF-7F52-4F44-919A-6DA024BD257E}: NameServer = 195.92.195.95 195.92.195.94

[Pieter_Arntz]

Hi Griogair,

It's even worse. Some of the "anti-internet-evilness companys" are the worst enemies of all the volunteers helping on all the forums around the world.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)

O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

Then reboot and run CWShredder once more before you open any IE windows.

Regards,

Pieter

[Pieter_Arntz]

We'll have to do something else after that so please report back when you are done with a new log.

Regards,

Pieter

[puff-m-d]

Hi Pieter and Griogair,

I have moved this thread to a more appropriate forum ...

[Griogair]

cool...run hijackthis...got rid of em then ran shredder....wen conected homepage was still the 'evil' one.
did you say you still had something up your sleave?

griogair.

[Griogair]

Logfile of HijackThis v1.98.2
Scan saved at 16:01:07, on 03/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOINTGR.EXE
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\EzButton System V2.1\EzButton.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Griogair stewart\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dixons.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V2.1\EzButton.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{261B93EF-7F52-4F44-919A-6DA024BD257E}: NameServer = 195.92.195.94 195.92.195.95

[Pieter_Arntz]

Yes. I wanted to know if the dll would be replaced with a good one.
Obviously it wasn't.

Fix these lines as well:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

Then find C:\WINDOWS\System32\dllcache\shdoclc.dll and use it to replace C:\WINDOWS\System32\shdoclc.dll

The dllcache folder is extremely important so Windows XP hides it. To view it click My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files. This will also reveal other hidden system files so be careful!

Regards,

Pieter

[Pieter_Arntz]

This is the one you have by the way:
http://www.sophos.com/virusinfo/analyses/trojcwsc.html
http://vil.nai.com/vil/content/v_101828.htm

Take a good look here for more instructions:
http://www.kephyr.com/spywarescanner...pe/index.phtml

Regards,

Pieter

[Griogair]

aarrarrarggggggghhhhhhhh!!!!!!!!!! i had it!!!!! it changed back to my original homepage i know because it set it to freeserve...which is pre wanadoo.....closed internet options and opened internet explorer to find it back.....aaaaaaaaaahhhhhhhhh!!!!! did what the website told me....deleted (??).dll it said and it hapned again!!!!!!


griogair....ahhhhhhhhhhhhhhh!!!!!

[Pieter_Arntz]

Hi Griogair,

Try this way.

Close all instances of IE and don't open any until after you rebooted.

Copy the part in bold below into notepad and save it as hexaway.reg

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{834261E1-DD97-4177-853B-C907E5D5BD6E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}]

Doubleclick the file you made and confirm you want to merge it with the registry.

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
Select C:\WINDOWS\dpe.dll and reboot your computer when prompted.

Then run HijackThis again and remove all the CWS lines that are still present (the ones from the previous posts that returned)

Then you can open IE and in Internet Explorer, click Tools -> Internet Options.
Click the Programs tab -> Reset Web Settings.

Keep us posted,

Pieter

[Griogair]

yesssssss!!!! ive never been hapier to go online!!!!

you will never believe how strangely my laptops been acting these last few days...then all of a sudden im back online

when i copied your reply to a notepad so i could read it without accessing ie....i carried out your instructions to no success...i then tried to go online to reply to your post to find that every site i tried to visit had been blocked by another .dll type homepage whos only two options were a search button or a spyware removal button...both of which linked to the same list of pay software....so tonite..sick of a weeks lack of access i tried the same method as before to no success then decided to go to my furthest back restore point...and all of a sudden my hompage is restored and ad aware seems to think my laptops clean? i am relieved i have internet access once more but am doubtful to just how clean my laptop realy is...how do you recomend i find out and make sure it is

better late than never
thanks
griogair

[Griogair]

also...if you reply to this and do not hear from me quickly please assume that i hav encounterd the same block of sites as before...if so,could you please contact me on: griogair@stewart9920.freeserve.co.uk if its not too much hastle..thanks once again
griogair