Home Page Hijacked, Global Dialers, Favorites Deleted

Discussion in 'adware, spyware & hijack cleaning' started by Mike360000, Jan 5, 2004.

Thread Status:
Not open for further replies.
  1. Mike360000

    Mike360000 Guest

    Hello All,

    I hope I am posting this to the right forum and thread. If not please excuse my ignorance, and correct the post.

    Anyhow, to cut to the chase, I have a big problem with a friend's computer concerning these hijacking programs. So far I have installed: McAfee, Ad-Aware6, Spybot S&D, SpyWareBlaster, SpyWareGuard, Xcleaner and Stop the Pop. And I have tried to manually edit over the files also. (ALL updates installed.)

    With WinXP I am still getting the IE Favorites hijacked, having all the important saved web links deleted and then replaced with dozens of links like the following:

    (I don't recommend clicking on the links.)
    hxxp://young-erotic.com/
    hxxp://80pictures.com/
    hxxp://60pictures.com/
    (Substitute other numbers in place of 80 and 60 for more links)
    hxxp://top-teen-sex.com/
    hxxp://searchlolitas.com/

    For security reasons, hxxp has replaced the original http - paul

    Now at the same time the homepage is deleted and replaced with one that says something similar to: -http:aboutblank.com/-. Also I seem to remember one that says something about coolbits.

    And in another area which doesn't appear as closely related to the above, my friends are getting global dialers installed on their computers and I can't keep them off. They seem to be specific to one set of dialers that continually expands themselves. The icon says something about "tone", with the icon having a yellow circle with triangles around it, which appears to represent the sun.

    And this appears on the desktop, as had other similar links, PLUS links for Diet Pills, buy health insurance, buy life insurance, auto insurance, etc... all of which is only a link to a website. That is all the information I can get when checking out the Properties.

    I can spend the time to manually delete these dialers and icons, which actually takes quite a bit of time, but they come back in a matter of hours or a couple of days at most.

    I am at my wits end. I know nothing else to do but write here.
    If anyone has any ideas please let me know.

    Thank You,
    Mike
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Mike360000,

    Can you please download and run HijackThis from

    http://www.mjc1.com/files/merijn/hijackthis.zip

    and scan the system but do *not* try to fix anything yet as many of the items listed are necessary, instead press the "save log" button and copy and paste the log here for someone to review and advise on.

    Thanks
     
  3. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Ok will do!
    However I have just cleaned the computer today.
    So maybe tomorrow I can go back and run the program on it, giving it time to hijack everything again.

    Looks like I am learning a lot about all this. But gee I've been into computers since the mid 80s and I have never, ever seen anything like what is going on now with viruses, trojans, parasites, hijackers, spam and such. I never would have dreamed this 15 years ago, nor even 10!

    I'll get back with you ASAP.

    I'll admit, it's quite a challenge.

    Thanks,
    Mike
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey Mike :)

    Welcome to Wilders!

    Actually, if your issues keep recurring after each clean, then that presupposes the fact that there are some items that the "clean" did not take care of and these should be evident in the HJT log now even if the symptoms have not yet manifested themselves again.

    I agree completely with you that the malware front poses incredible challenges, but that is what (to me) makes it so interesting a field of study.
     
  5. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Thanks for the welcome.
    This is certainly different from the forums I'm used to.
    I mostly stay in the overclocking forums, and video card forums.

    About what you wrote concerning the log showing evidence.
    Do you mean by running the program, it will show the needed information even if I have manually removed the offending files and links just before I run the program? That it doesn't matter about when I cleaned the files as long as they continue to show up short times later?

    I worked for almost 5 hours today trying to get that computer clean. It is the worst case of infestation I have ever seen.

    What I don't understand is how these people can get away with being allowed to do this over the Internet? I mean really, it is an invasion of privacy. It is one thing for a website or some program to have such and state it, but all this stuff that just floats through cyberspace looking for victims is another. I'd like to see somebody yank their chain the same way sometime!

    Also I wonder if there is really that much money to be gained in them doing this? Surely there must be since it is so prevalent, but I don't see how there can be so many ignorant people to buy into their way of hijacking your computer to sell you something.

    Surely there will eventually be laws to stop this madness?

    Cheers, and Thanks again,
    Mike

     
  6. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    BTW on a side note:
    I am wondering, since I haven't ever used this many anti-spam, trojan, parasite and hijacking programs before, but I keep on getting a message that Spybot S&D has blocked "Avenue A Inc." Now this has me puzzled because I get this Avenue A all the time. I can get it at practically any website I go to. So what's the scoop on Avenue A?

    Cheers,
    Mike
     
  7. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    OK here it is.
    One problem though.
    At this time the computer this was run on is unable to update WinXP.
    So do what you can.

    Here is the offender from below:

    Autorun entries from Registry:
    sws.exe = c:\program files\GlobalDialer\tonex00233\svchost.exe -remove

    I have removed this several different ways, but to no avail.
    Matter of fact I just got through running CWShredder on it and it said the system was clean just before I ran Hijackthis.

    Thanks,
    Mike


    StartupList report, 1/6/2004, 3:01:09 PM
    StartupList version: 1.52
    Started from : C:\1XP\HijackThis\hijackthis\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Touchpad\Gesture.exe
    C:\WINNT\System32\taskswitch.exe
    C:\WINNT\System32\fast.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    C:\WINNT\System32\glidew32.exe
    C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\SpywareGuard\spywareguardcp.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
    C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
    C:\WINNT\System32\Fast.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINNT\explorer.exe
    C:\WINNT\System32\rasautou.exe
    C:\1XP\HijackThis\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Lee Kiser\Start Menu\Programs\Startup]
    Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    SpywareGuard Control Panel.lnk = C:\Program Files\SpywareGuard\spywareguardcp.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
    SoundMan = SOUNDMAN.EXE
    CirqueGesture = C:\Program Files\Touchpad\Gesture.exe
    CoolSwitch = C:\WINNT\System32\taskswitch.exe
    FastUser = C:\WINNT\System32\fast.exe
    MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    Glide = glidew32.exe
    TangoManager = C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
    sureshotpopupkiller = "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    sws.exe = c:\program files\GlobalDialer\tonex00233\svchost.exe -remove

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\OBROTH~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL - {00000185-C745-43D2-44F1-01A1C789C738}
    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Microsoft Excel - (no file) - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972}
    (no name) - (no file) - {689E84CC-9549-4003-9B0F-2F807CF71FCC}
    (no name) - C:\WINNT\hh.dll - {BCF96FB4-5F1B-497B-AECC-910304A55011}
    (no name) - (no file) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    McAfee.com Update Check (LEE-Administrator).job
    McAfee.com Update Check (LEE-Brenda).job
    McAfee.com Update Check (LEE-Lee Kiser).job
    McAfee.com Update Check (LEE-Matthew).job

    --------------------------------------------------

    Enumerating Download Program Files:

    [YInstStarter Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [McAfee.com Operating System Class]
    InProcServer32 = C:\WINNT\System32\mcinsctl.dll
    CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37909.5521643519

    [YahooYMailTo Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: C:\WINNT\System32\stobject.dll
    PostBootReminder: C:\WINNT\system32\SHELL32.dll
    CDBurn: C:\WINNT\system32\SHELL32.dll

    --------------------------------------------------
    End of report, 6,479 bytes

     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Mike360000,

    What you posted is a StartUpList, we will need a HijackThis log made like this:
    Run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.

    We can see what's wrong with the StartUpList, but it offers no means to correct it. HijackThis does.

    Regards,

    Pieter
     
  9. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Oooops, sorry about that.
    I'll try this again.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:54:04 PM, on 1/6/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Touchpad\Gesture.exe
    C:\WINNT\System32\taskswitch.exe
    C:\WINNT\System32\fast.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINNT\System32\glidew32.exe
    C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\SpywareGuard\spywareguardcp.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
    C:\WINNT\System32\Fast.exe
    C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\WINNT\explorer.exe
    C:\1XP\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about-blank.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://about-blank.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://aifind.inf/?id=54
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - (no file)
    O2 - BHO: (no name) - {689E84CC-9549-4003-9B0F-2F807CF71FCC} - (no file)
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hh.dll
    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\System32\taskswitch.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINNT\System32\fast.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Glide] glidew32.exe
    O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: SpywareGuard Control Panel.lnk = C:\Program Files\SpywareGuard\spywareguardcp.exe
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37909.5521643519
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C02DC1FD-417E-438D-BAC2-811B66750A6C}: NameServer = 166.102.165.11 166.102.165.13

    Thanks,
    Mike


     
  10. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Mike,

    Can you first make sure all hidden files and folders are set to show :

    Here's how

    Then , navigate to :

    C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL <- and send me this file -> [unzy @ wilders.org] Thanks!

    Next, can you try fixing the following with HijackThis :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about-blank.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://about-blank.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://aifind.inf/?id=54
    R3 - URLSearchHook: (no name) - - (no file)

    O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL
    O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - (no file)
    O2 - BHO: (no name) - {689E84CC-9549-4003-9B0F-2F807CF71FCC} - (no file)
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hh.dll
    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

    Reboot after doing so and make sure you update XP to the latest service pack (SP1) and that you have the latest version + updates of IE as well, at windowsupdate.com

    Also make sure to clean out your temporary internet files

    Hope this helps,

    Keep us posted

    Cheers,
     
  11. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Hi Unzy,
    OK I have everything done but I have a question about one of the keys.

    "R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com"

    Is the above key important or not? I say this because they are using Yahoo as well as I. I left it for the time being.

    I sent you the file you requested.

    Also as I mentioned in my email; I can't understand why McAfee AV, AdAware6, Spybot S&D, Xcleaner, Spywareblaster nor Spywareguard could not stop this from continually happening to the computer. Not only that but all of them failed to recognize all the things you said to remove. Any idea as to why they missed all this? I saw and recognized some of the files you mentioned and had removed them yesterday before you posted above this post.

    Thanks,
    Mike
     
  12. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Mike,

    Don't worry about that key, it's harmless.

    About antivirus not stopping these attacks, that's because they aren't of a viral nature. Spyware is usually not detected by AVs.

    That BHO you had is a new, unknown one, therefore not detected or blocked by programs such as SB or SG. Still puzzling out what exactly it does.

    In fact spybot/adaware must have detected some other ones, because all the (no file) entries are leftovers from previously cleaned malware.

    As for the startpage hijack, spywareguard should have given you a notice at the exact time the hijack happened, offering you a choice to restore old values or keep new one.

    Needless to say of course you should on a frequent basis (let's say at least once a week) update SB and SG, as well as SpyBot and Adaware.

    Is everything ok now?

    Cheers,
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Unzy,

    About that BHO you are looking at. Does this fit the bill?
    http://www.doxdesk.com/parasite/SmartBrowser.html

    The CLSID's are similar and the filename fits.
    Could be a new variant.

    Regards,

    Pieter
     
  14. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    That's exactly it Pieter

    good job

    Cheers,
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I'll add it to the list.

    Good job right back at ya. :)

    Regards,

    Pieter
     
  16. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Hi Unzy,
    Alrighty, so we've gotten somewhere. Everything seems fine so far.
    No more hijacks, but I won't pass on it until tomorrow.

    I do have some comments though.
    I understand what you say about the McAfee AV. Just I have seen McAfee in use give reports of possible threats on some parasites. NOT that McAfee said it was a virus but a possible threat.

    I agree with Pieter's link also. That fits my problem exactly.
    As for the anti-spyware and hijack programs I am running, I have a question.
    Will this new parasite variant be added to any of the programs I listed that I used? I guess I am really wondering which programs I used are taking a look at this forum and this post, and which you may be directly involved with?

    I had personally cleaned out several pieces of spyware/parasites manually that I knew were wrong. And then of course I will agree the programs I used removed much more of the spyware/parasites...etc..(malware) than I ever could have. The computer was a complete mess when I got to it. It would barely run IE on the net, and even off the net the desktop was getting several icons advertising different things. I've spent close to 10 hrs trying to clean this thing.

    There was mention of some yet unidentified installer file that was needed.
    I found a suspicious installer file in the C:\ drive root while manually checking. The file was called icinstaller.exe. I ran a check on it but never came up with anything.

    Spywareguard was running but I never received any warnings from it. I wonder why it didn't detect these changes?

    I'm really interested in which anti-spy/malware programs will be integrating the fix for this parasite.

    Thanks again,
    Mike

     
  17. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    As for the first question, a program like SpywareBlaster will take that BHO and clsid into its database, hopefully thus blocking it from entering your machine in the future.

    As for SpywareGuard, I really don't know why SG did not give you a warning when your homepage was changed. When you say it is running, do you see the red SG icon in the system tray (below right) ?

    Also, esp. for SB it's important you update frequently

    Cheers,
     
  18. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Hi Unzy,

    You asked:
    "As for SpywareGuard, I really don't know why SG did not give you a warning when your homepage was changed. When you say it is running, do you see the red SG icon in the system tray (below right) ?"

    Sure was!
    Did that file I sent show you anything of help?

    Thanks,
    Mike
     
  19. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Mike,

    Yes that file indeed helped out, thanks :) (as described above.)

    About SG, does it look like this ? :

    (check everything : engine, definitions, version etc...)
     


  20. Mike360000

    Mike360000 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    16
    Yes, and it was the most recent version.
    Actually I think there was an update at the end of December...
    Strange it didn't find the parasite, no?

    Thanks,
    Mike
     
  21. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Let's hope it was a one timer ;)

    Anyway, glad all seems to be well now again :)

    Take care

    Cheers,
     
  22. PumkinHead

    PumkinHead Registered Member

    Joined:
    Jan 9, 2004
    Posts:
    1
    Mike,
    I've been experiencing identical behaviour on my machine, requiring hours of manual cleaning. On Jan 6 you posted..."
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE"
    as a file/directory listing.
    As you can see 'svchost.exe' is listed twice because I believe they're actually two different files (check the sizes). Pressing CTRL/ALT/DEL will show a svchost.exe process using approx 10,000k of memory. Killing this prevents my popups and redirection (on WinXP w\ IE6). (((ALTHOUGH I'M NOT SUGGESTING YOU START KILLING PROCESSES, IT'S SIMPLY SOMETHING I FOUND ON MY MACHINE)))).
    Checking your run key under HKLM or HKCU will list something similar to...."sws.exe=C:\Program Files\...\...\sws.exe -remove" The problem is... I've never found a file named "sws.exe".
    I wonder if spyware or an unknown/unsuspecting file (similar to svchost.exe) is really disguised as a system file and is constantly "listening" for removal attempts. Possibly polling the system every few hours and then replacing the files/registry entries.
    Global Dialer was being installed into my "C:\Program Files\GlobalDialer" directory. Using the UnInstall pretended to remove it, but since it was in the "C:\Documents\***\Local Settings\Temporary Internet Files" it would reinstall within hours.
    Another one of my many problems was that my homepage was being redirected to "IDGSearch.com". Thankfully they have a link and application that will remove/fix the problem in their "Contact Us" or "Support Page". I hope this helps quite a few people, since it's driving me nuts doing the QA/Testing on it.
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi PumkinHead,

    Welcome at Wilders. :)

    A few comments on your approach.

    Why are there multiple instances of svchost.exe running?
    As long as the file is found in the System32 directory I would recommend not to end-task it.

    Removing the GlobalDialer folder in safe mode and getting adequate protection so it can't return, will effectively stop it, after which you can clean out any other leftovers (mostly in the registry).

    IDGsearch is a CWS variant and I would recommend using the tool offered at Merijn's site as opposed to the one provided by the site the hijack leads to.

    Regards,

    Pieter
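As an added example (not part of the thread, and not a HijackThis feature), the script below applies the rules the helpers used on Mike's log to a constructed copy of it: IE start/search/local-page values all pointing at one host, BHO entries with "(no file)" or a DLL under Temp, and, per Pieter's remark, an svchost.exe that is not in System32, whether as a running process or behind a Run key. The O4 line for the GlobalDialer svchost.exe is an assumption, rebuilt from the StartupList entry in the form HijackThis would show it.

```python
import ntpath
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample built from the log posted in this thread. The O4 line for
# the GlobalDialer svchost.exe is an assumption: it is the StartupList entry
# rewritten in the form HijackThis would display it.
SAMPLE_LOG = r"""
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
c:\program files\GlobalDialer\tonex00233\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about-blank.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {689E84CC-9549-4003-9B0F-2F807CF71FCC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00233\svchost.exe -remove
"""

# Binaries that only start from %SystemRoot%\System32 on a stock install.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
# IE\Main values IE itself never writes; hijackers stash the old home page here.
NON_IE_VALUES = {"start page_bak", "homeoldsp"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
R_RE = re.compile(r"^(HK[A-Z]+)\\.*?,([^=]+?) = (.*)$")
CLSID_RE = re.compile(r"^.*? - \{[0-9A-Fa-f-]+\} - (.*)$")
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.I)


def split_log(log):
    """Separate running-process paths from the Rn/On entries."""
    processes, entries = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return processes, entries


def masquerading(path):
    """True when a System32-only binary name runs from another directory."""
    name = ntpath.basename(path).lower()
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    return name in SYSTEM32_ONLY and parent != "system32"


def triage(log):
    """Return (rule, detail) pairs for the items a helper would tell you to fix."""
    processes, entries = split_log(log)
    findings = [("process-masquerade", p) for p in processes if masquerading(p)]
    hosts = defaultdict(set)  # host -> IE values it has been written into
    for kind, body in entries:
        if kind.startswith("R"):
            m = R_RE.match(body)
            if not m:
                continue
            hive, value, url = m.groups()
            value, url = value.strip().lower(), url.strip()
            host = urlparse(url).hostname
            if host:
                hosts[host].add(value)
            # Local Page normally points at a local blank.htm, never at a web host.
            if value == "local page" and url.lower().startswith("http"):
                findings.append(("local-page-remote", f"{hive} {value} -> {url}"))
            if value in NON_IE_VALUES:
                findings.append(("non-ie-value", f"{hive} {value} -> {url}"))
        elif kind in ("O2", "O3"):
            m = CLSID_RE.match(body)
            path = m.group(1).strip() if m else body
            if path == "(no file)":  # registration left behind by an already removed BHO/toolbar
                findings.append(("orphan-clsid", body))
            elif "\\temp\\" in path.lower():  # browser extension loaded from a Temp folder
                findings.append(("temp-bho", path))
        elif kind == "O4":
            m = EXE_RE.search(body)
            if m and masquerading(m.group(1)):
                findings.append(("run-key-masquerade", body))
    # One host written into several unrelated IE defaults (start page, search,
    # local page, both hives) is the signature of a start-page hijack.
    for host, values in hosts.items():
        if len(values) >= 3:
            findings.append(("mass-rewrite", f"{host} set in {len(values)} IE values"))
    return findings
```

Run `triage(open("hijackthis.log").read())` against a real saved log; the rules are heuristics, so every flagged item still needs the kind of check the helpers did here before anything is removed.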
     