Hijacked browser

Discussion in 'adware, spyware & hijack cleaning' started by rebirth, May 3, 2004.

Thread Status:
Not open for further replies.
  1. rebirth

    rebirth Registered Member

    Joined:
    May 3, 2004
    Posts:
    16
    Umm first off im new to this forum
    then i explain my problem right?
    well im sry if im not doin this correctly but
    heres da problem:
    a week or 2 ago i think
    my browser got hijacked
    i couldnt access my internet options through internet browser like how i normally do
    then i cant change my homepage by the internet option menu through rightclick icon on destop
    so i searched online and found this site and it told me to go run regedit
    then find all this stuff and change the homepage
    i was glad it worked
    till i reboot and the problem started again
    but this time instead of goin to searchexe.com or allaboutsearching.com
    it linked to google but it went through one of their links 1st
    so i went to help on their websites
    and i dl the program to remove the toolbar i got from this popup
    but the tool bar is still there
    and wen i click view in my browser and toolbars the toolbar name is boltlitehole

    i have no clue or any idea on how to fix this nor do i have money to spend on spyware removers and i ran ad-aware and spybot search and destroy too

    so please help me
    i would greatly appreciate it
    thnks for taking your time to read this and thankyou more if you have a way to solve this problem
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi rebirth :)

    Welcome to Wilders.

    Please follow the instructions at this link,

    https://www.wilderssecurity.com/showthread.php?t=15913

    then post yout HijackThis log in this thread and one of the experts will give u recommendations on any Malware found.

    EDIT- since u already ran Ad-aware and Spybot just follow step#2.

    snowbound
     
  3. rebirth

    rebirth Registered Member

    Joined:
    May 3, 2004
    Posts:
    16
    thnks snowball for telling me how to post a log and how to ask for help

    Logfile of HijackThis v1.97.7
    Scan saved at 6:07:35 PM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\IDOLOW~1\Sect roam.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Edmond\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = searchexe.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://allaboutsearching.com/passthrough/index.html?http://www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: boltlitehole - {DEA0183B-4117-562F-7FDD-235B05C15479} - C:\PROGRA~1\STOREG~1\free memo.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Each Wave] C:\PROGRA~1\IDOLOW~1\Sect roam.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www.google.com
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/238a67476e8635a36c02/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    i hope sum1 can help me THANK YOU
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Good job rebirth :)

    Just be patient as most of the HijackThis experts live in different timezones so u may want to check back periodically for new posts and recommendations. ;)


    snowbound
     
  5. rebirth

    rebirth Registered Member

    Joined:
    May 3, 2004
    Posts:
    16
    thnks foh da tip
    i can feel it that sum1 is about to help me
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi rebirth,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = searchexe.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://allaboutsearching.com/passthrough/index.html?http://www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: boltlitehole - {DEA0183B-4117-562F-7FDD-235B05C15479} - C:\PROGRA~1\STOREG~1\free memo.dll

    O4 - HKLM\..\Run: [Each Wave] C:\PROGRA~1\IDOLOW~1\Sect roam.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/238a67476e8635a36c02/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\PROGRA~1\STOREG~1 <= entire folder that holds free memo.dll
    C:\PROGRA~1\IDOLOW~1 <= entire folder that holds Sect roam.exe

    Download LSPfix here: http://www.cexx.org/lspfix.htm
    Launch the application, and click the "I know what I'm doing" checkbox.
    Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Regards,

    Pieter
     
  7. rebirth

    rebirth Registered Member

    Joined:
    May 3, 2004
    Posts:
    16
    THANK YOU thnk foh helping me i gonna try it right after school cuz im in school right now thnks man
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My pleasure. Keep us posted. :)

    Regards,

    Pieter
     
  9. rebirth

    rebirth Registered Member

    Joined:
    May 3, 2004
    Posts:
    16
    well to start things off on keeping you guys posted
    i have encounter another problem

    this time i have no idea what it is but i cant use anythin that connects to the internet in order to fully use the program. also im connection through lan
    the cables are secured and not loose also i plugged them in correctly.
    Also i fohgot to say im the host for lan and my sister is the branch im typing this on my sister computer. the internet works for my sister but not foh me.
    wen i view in network connections its fine it is regular and it says connected but wen i clicked repair it say something about my ip i cant recall because me and sister have rooms in the other ends of the house. so this is the situtation do you guys think there is a way to solve this problem or do u need more info to help me? ty to all hoo read this and im not sure if i should make a new topic concerning this.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  11. rebirth

    rebirth Registered Member

    Joined:
    May 3, 2004
    Posts:
    16
    thnks man im gonna try right now after i save to floppy

    thnks it worked im not sure if i can double post or not so i edit this message
     
    Last edited: May 5, 2004
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
Thread Status:
Not open for further replies.