Problem with laptop...please help!

Discussion in 'adware, spyware & hijack cleaning' started by Panagiota, May 2, 2004.

Thread Status:
Not open for further replies.
  1. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    I am facing numerus problems with my laptop.
    First I cannot change the home page of internet explorer. It stack on about:blank and a search.html appears all the time.
    Second, the speed became really low and new internet pages are opening with great difficulty.
    I followed your instructions that you gave for a similar problem and I downloaded the Spybot S&D and run it. There are many items and I press the fix button and the program deleted them.
    Then I downloaded the HijackThis and I run it and I saved the log and I am sending it to you for reviewing (see attachment).
    I have no experience with software/programing but my work is relate to the computer and I feel helpless.
    Any help will be great.
    Thank you in advance.
    Panagiota

    Logfile of HijackThis v1.97.7
    Scan saved at 10:17:38 PM, on 5/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\vaio\My Documents\My Received Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp2.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Google-test
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A37A04CE-3AA0-48CB-AD4D-C8C36EEEFD50} - C:\WINDOWS\System32\jlgihba.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87E1B83C-D57D-4F36-8B13-425DAEDA6B56}: NameServer = 151.197.0.39 151.197.0.38
     
    Last edited by a moderator: May 2, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Panagiota,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp2.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {A37A04CE-3AA0-48CB-AD4D-C8C36EEEFD50} - C:\WINDOWS\System32\jlgihba.dll

    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"

    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

    If you have not paid for the Enigma Software please uninstall it.

    The next tihing you would need to do is update Windows and IE or our efforts will be futile.

    Then reboot and go here:
    http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
    And download "Xfind.zip" from there.
    Unzip, run the 'find.bat' inside.
    Wait till it terminates and find 'log.txt' inside which
    you'd need to attach into your next reply

    Regards,

    Pieter
     
  3. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    Thank you a lot for your help...

    I did what you told me but the log.txt file shows an error. Is this what you are looking for? (I am attaching the log file).

    Thank you again for your valuable help.

    Panagiota
     

    Attached Files:

  4. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    Also...

    I run the hijackthis twice because some of the items that I deleted were still there. I am sending you also the new hijackthis log file.

    thank you
    p
     

    Attached Files:

  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Panagiota,

    Download: "CopyLock" and unzip:
    http://www10.brinkster.com/expl0iter/freeatlast/CopyLock.zip

    set up these options:
    -Check- 'Show Source paths'
    -Check: 'Allow Downgrade'

    Click the 'Add' tab->'Files to rename'
    In the 'Look in..' Dialogue box navigate to your
    C:\WINDOWS\System32 directory and stop there!
    (*you will not see the file!)
    Copy and paste into the 'File name' field:
    WINC.DLL
    Hit ->Add.
    In the result (destination) erase entire output (copy of...) and
    paste this, instead:
    WINC.DLX
    Hit 'ok' (On warning of different extension as well)
    and on the main box hit the->'Apply' tab
    **You will be asked to restart computer!
    Do so right away, next--
    navigate to System32 and delete the "WINC.DLX"
    file, as it'll be visible!

    ***ATTENTION***
    If you get "file not found" error during the process, that
    means it will not work.

    Then fix these items in your HijackThis log:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlgihba.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {6F282DF0-4F1A-4FE8-8B79-883C429F1802} - C:\WINDOWS\System32\jlgihba.dll

    and download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Regards,

    Pieter
     
  6. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    Thank you so much for your help.

    The problem solved!! It worked (I deleted the R1s and then I run the cwshredder).

    Then I downladed and installed the Microsoft Service Pack 1a for future preventions but the problem appeared again. I did what you instructed me again and the system is now clean but I dont know what to do to make my system safer and not facing the same security problem again.

    What do you recomend?

    Now the computer is much faster than before.

    Additionally, when I downloaded the MService Pack the system disabled the yamaha sound card - for some reason it said it created problems with the Windows and now I do not have any sound!

    Any help will be great!

    Thank you again.

    Panagiota
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Good job.

    General instructions for protection:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Extra for this particular recurring hijack:
    these cws hijackers comes back normally and we are still working on ways to kill them off permanently. What works for some doesn't work for others, but some get rid of it fairly easily.
    A workaround seems to be install a good firewall, lists here http://www.wilders.org/firewalls.htm and block these ranges of IP addresses, both incoming and outgoing 213.159.117.0-213.159.118.255, 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255 both TCP & UDP
    that stops the known cws servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help with many versions of the cws pest. The problem with this approach is that some good sites might also be blocked.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.