pieter arntz where are you!?!

Discussion in 'privacy problems' started by Griogair, Nov 3, 2004.

Thread Status:
Not open for further replies.
  1. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    this is a pretty strange request, but a few months back (june 3rd) i had a problem with 'hot_kiss' xxxserver and got help from this guy pieter.

    if you're out there pieter could you reply to my post....got a new problem i could really use your help with!!

    using both ad aware and spybot these days but this new problem has them both beaten!

    it's 'coolwwwsearch' i'm sure, plus another few. both spybot and ad aware can find it and delete it, but when i repeat the scan the same problems still come up.

    the result of this is my homepage being replaced with the 'slightly' unwanted...

    res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm

    if you could please contact me i would greatly appreciate it, and have a hijackthis log file on standby should you need it.

    regards, griogair.
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Pieter is online now.. he should respond shortly.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  4. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    am afraid a don't think it's working....(ahhhhhhh!!)..downloaded shredder...still happening!

    read the link about hijackthis....who should i send my log to then?

    griogair.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I'll use my rights as a forum expert (*cough*) *puppy*
    Post your log.

    Regards,

    Pieter
     
  6. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    cheers mate! i appreciate it!

    hope you don't mind my asking, but is the forum run on a purely volunteer basis through people such as yourself? it just seems generous beyond belief that you're doing the same job as many anti-internet-evilness companies sell software for? sorry for being nosy...was just wondering.
    cheers!
    griogair


    Logfile of HijackThis v1.98.2
    Scan saved at 11:51:09, on 03/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOINTGR.EXE
    C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System\MSMSGSVC.exe
    C:\Program Files\EzButton System V2.1\EzButton.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Griogair stewart\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dixons.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
    O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V2.1\EzButton.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{261B93EF-7F52-4F44-919A-6DA024BD257E}: NameServer = 195.92.195.95 195.92.195.94
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Griogair,

    It's even worse. Some of the "anti-internet-evilness companies" are the worst enemies of all the volunteers helping on all the forums around the world.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)

    O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

    Then reboot and run CWShredder once more before you open any IE windows.

    Regards,

    Pieter
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    We'll have to do something else after that so please report back when you are done with a new log.

    Regards,

    Pieter
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Pieter and Griogair,

    I have moved this thread to a more appropriate forum ;) ...
     
  10. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    cool...ran hijackthis...got rid of em then ran shredder....when connected homepage was still the 'evil' one.
    did you say you still had something up your sleeve?

    griogair.
     
  11. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    Logfile of HijackThis v1.98.2
    Scan saved at 16:01:07, on 03/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOINTGR.EXE
    C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System\MSMSGSVC.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\EzButton System V2.1\EzButton.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Griogair stewart\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dixons.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
    O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V2.1\EzButton.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{261B93EF-7F52-4F44-919A-6DA024BD257E}: NameServer = 195.92.195.94 195.92.195.95
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Yes. I wanted to know if the dll would be replaced with a good one.
    Obviously it wasn't.

    Fix these lines as well:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

    Then find C:\WINDOWS\System32\dllcache\shdoclc.dll and use it to replace C:\WINDOWS\System32\shdoclc.dll

    The dllcache folder is extremely important so Windows XP hides it. To view it click My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files. This will also reveal other hidden system files so be careful!

    Regards,

    Pieter
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  14. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    aarrarrarggggggghhhhhhhh!!!!!!!!!! i had it!!!!! it changed back to my original homepage i know because it set it to freeserve...which is pre wanadoo.....closed internet options and opened internet explorer to find it back.....aaaaaaaaaahhhhhhhhh!!!!! did what the website told me....deleted (??).dll it said and it happened again!!!!!!


    griogair....ahhhhhhhhhhhhhhh!!!!! :mad: :mad: :mad: :mad: :mad: :mad: :mad:
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Griogair,

    Try this way.

    Close all instances of IE and don't open any until after you rebooted.

    Copy the part in bold below into notepad and save it as hexaway.reg

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{834261E1-DD97-4177-853B-C907E5D5BD6E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{834261E1-DD97-4177-853B-C907E5D5BD6E}]


    Doubleclick the file you made and confirm you want to merge it with the registry.

    Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
    Select C:\WINDOWS\dpe.dll and reboot your computer when prompted.

    Then run HijackThis again and remove all the CWS lines that are still present (the ones from the previous posts that returned)

    Then you can open IE and in Internet Explorer, click Tools -> Internet Options.
    Click the Programs tab -> Reset Web Settings.

    Keep us posted,

    Pieter
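
An added example, not part of the original thread and not HijackThis's own code: a small Python script that compares the entries selected for "Fix checked" with a later scan and reports which ones came back, the comparison the post above asks to be done by eye. The sample text is a constructed excerpt of lines that appear in this thread's logs; the function names are illustrative.

```python
import re
from collections import Counter

# HijackThis entry lines look like "R1 - <detail>" or "O2 - <detail>".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_HOST_RE = re.compile(r"=\s*https?://([^/\s]+)", re.I)

# Constructed excerpts built from lines that appear in this thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
"""
LATER_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\rundll32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

def parse_entries(log_text):
    """Return the set of (section, detail) entries in a log or fix list.
    Header and running-process lines do not match and are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def returned_entries(fix_list, later_log):
    """Entries selected for fixing that are present again in a later scan."""
    return sorted(parse_entries(fix_list) & parse_entries(later_log))

def summarize(returned):
    """Count redirect hosts and collect BHO CLSIDs among returned entries."""
    hosts, clsids = Counter(), set()
    for section, detail in returned:
        host = URL_HOST_RE.search(detail)
        if section.startswith("R") and host:
            hosts[host.group(1).lower()] += 1
        if section == "O2":
            clsids.update(c.upper() for c in CLSID_RE.findall(detail))
    return hosts, sorted(clsids)

if __name__ == "__main__":
    back = returned_entries(FIX_LIST, LATER_LOG)
    hosts, clsids = summarize(back)
    for section, detail in back:
        print("RETURNED", section, "-", detail)
    print("redirect hosts:", dict(hosts))
    print("BHO CLSIDs still registered:", clsids)
```

Entries that reappear after a fix show that something still loaded is rewriting them, which is why the post above removes the BHO's registry keys and deletes its DLL on reboot before fixing the remaining lines.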
     
  16. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    yesssssss!!!! i've never been happier to go online!!!!

    you will never believe how strangely my laptop's been acting these last few days...then all of a sudden i'm back online o_O o_O

    when i copied your reply to a notepad so i could read it without accessing ie....i carried out your instructions to no success...i then tried to go online to reply to your post to find that every site i tried to visit had been blocked by another .dll type homepage whose only two options were a search button or a spyware removal button...both of which linked to the same list of pay software....so tonight..sick of a week's lack of access i tried the same method as before to no success then decided to go to my furthest back restore point...and all of a sudden my homepage is restored and ad aware seems to think my laptop's clean o_O? i am relieved i have internet access once more but am doubtful as to just how clean my laptop really is...how do you recommend i find out and make sure it is

    better late than never
    thanks
    griogair
     
  17. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    also...if you reply to this and do not hear from me quickly please assume that i have encountered the same block of sites as before...if so, could you please contact me on: griogair@stewart9920.freeserve.co.uk if it's not too much hassle..thanks once again
    griogair
     