cactusdr
asked on
IE overtaken
Win2000 Pro. Downloaded security updates unattended. After the updates were downloaded, data continued to be received. Removed multiple Trojans and viruses. Only thing remaining is a browser hijacker. Have executed HijackThis, SpywareGuard and every other BHO tool possible. Listed below is part of the HijackThis log file. I've been in the registry and deleted entries only to have them loaded again.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
I cannot get rid of this IE specific hijacker. HELP.
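The O13 prefix lines in the log above still carry the hijacker's host percent-encoded, while HijackThis has already decoded the R0/R1 lines it marks "(obfuscated)". As an added example (not from the thread and not part of HijackThis), this Python script decodes R0/R1/O13 entries and groups them by host, so it is obvious that the four URL prefixes and the Start Page point at the same domain; it runs on sample lines constructed from the ones quoted above and touches no registry.

```python
"""Decode and group the IE hijack entries from a HijackThis log.

Added example, not from the thread or from HijackThis. HijackThis appends
"(obfuscated)" to R0/R1 lines it has already decoded, but the O13 prefix lines
are printed raw, with the host still percent-encoded. Grouping every entry by
decoded host shows that the O13 prefixes and the Start Page share a domain.
SAMPLE_LOG is constructed from the lines quoted in the question.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample: a subset of the R0/R1/O13 lines posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
"""

# R0 = changed registry value, R1 = created value: "<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+?)(?: \(obfuscated\))?$")
# O13 = URL prefix defaults: "<prefix name>: <data>"
O13_LINE = re.compile(r"^(O13) - (.+?): (.+)$")

Entry = Tuple[str, str, str]  # (section, value name, decoded URL or raw data)


def decode_url(raw: str) -> str:
    """Percent-decode until stable, so a doubly encoded host is still recovered."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def host_of(url: str) -> Optional[str]:
    """Lower-cased host of a URL, or None when the data is not scheme://host."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def parse_entry(line: str) -> Optional[Entry]:
    """Return (section, value name, raw data) for an R0/R1/O13 line, else None."""
    m = R_LINE.match(line)
    if m:
        section, _key, name, data = m.groups()
        return section, name, data
    m = O13_LINE.match(line)
    if m:
        return m.group(1), m.group(2), m.group(3)
    return None


def triage(log: str) -> Tuple[Dict[str, List[Entry]], List[Entry]]:
    """Group entries by decoded host.

    Returns (by_host, other): by_host maps host -> [(section, name, decoded url)];
    other holds entries whose data is not a URL, such as the ProxyServer value,
    which in this log points IE at a proxy on the local machine (port 5400).
    """
    by_host: Dict[str, List[Entry]] = {}
    other: List[Entry] = []
    for raw in log.splitlines():
        entry = parse_entry(raw.strip())
        if entry is None:
            continue
        section, name, data = entry
        url = decode_url(data)
        host = host_of(url)
        if host is None:
            other.append((section, name, data))
        else:
            by_host.setdefault(host, []).append((section, name, url))
    return by_host, other


if __name__ == "__main__":
    grouped, rest = triage(SAMPLE_LOG)
    for host, entries in grouped.items():
        print(host)
        for section, name, url in entries:
            print(f"  {section} {name}: {url}")
    for section, name, data in rest:
        print(f"non-URL data: {section} {name} = {data}")
```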
ASKER
I'm getting ready to go at it with the above advice. What was said made me think that I should give you some info on what I previously repaired. After the update, when I tried to restart, the system got hung. Opened Task Manager and the explorer.exe CPU reading was at 99. Ended the process and manually ran explorer.exe. Loading continued. Installed another spyware app and restarted. Did the same thing but would not rerun explorer.exe. Task Manager had 4 instances of a program....wuam.exe. Ended the 4 and loading continued WITH explorer.exe running. Deleted that program and it has worked since. Does this add to the story or confirm your advice? Thanks!
wuam.exe is a virus known as W32/Rbot-M
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Time=wuam.exe
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\Microsoft Update Time=wuam.exe.
and delete it if it exists.
Close the registry editor and reboot your computer.
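The backup export the answer tells you to make first can also be searched for every autostart value that launches wuam.exe, including the per-user copies under HKEY_USERS, before anything is deleted by hand. As an added example (not from the thread and not a Microsoft or Sophos tool), this Python parser reads regedit export text and lists Run/RunOnce/RunServices/RunServicesOnce string values whose command names a given executable; the .reg sample is constructed and its SID is a placeholder.

```python
"""Find autostart values in a regedit export that launch a given executable.

Added example, not from the thread. The answer above says to export the
registry as a backup before deleting the W32/Rbot-M entries; the same export
can be scanned for every Run/RunServices value that references wuam.exe,
including the HKEY_USERS\<sid>\...\Run copies. SAMPLE_REG is constructed;
the SID is a placeholder. Only REG_SZ string values are inspected, since
hex(2)/dword values are not launch commands in these keys. If you read a real
export from disk, note that "Version 5.00" exports are UTF-16; REGEDIT4 is 8-bit.
"""
import re
from typing import List, Tuple

# Constructed sample export in REGEDIT 5.00 syntax (\\ escapes a backslash).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"Microsoft Update Time"="wuam.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\S-1-5-21-PLACEHOLDER-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="C:\\WINNT\\System32\\wuam.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\wuam]
"DisplayName"="wuam.exe"
"""

# Key names whose values are executed at boot or logon.
AUTOSTART_KEYS = ("run", "runonce", "runservices", "runservicesonce")

SECTION = re.compile(r"^\[(.+)\]$")
# "name"="data" or @="data"; inside quotes a backslash escapes the next char.
STRING_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=\s*"((?:[^"\\]|\\.)*)"$')

Hit = Tuple[str, str, str]  # (key path, value name, data)


def unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def autostart_values(reg_text: str) -> List[Hit]:
    """Return every string value that sits directly under an autostart key."""
    found: List[Hit] = []
    current_key = ""
    in_autostart = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current_key = m.group(1)
            in_autostart = current_key.rsplit("\\", 1)[-1].lower() in AUTOSTART_KEYS
            continue
        if not in_autostart or not line:
            continue
        m = STRING_VALUE.match(line)
        if m:  # non-string values are skipped on purpose
            name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            found.append((current_key, name, unescape(m.group(2))))
    return found


def command_basename(data: str) -> str:
    """Basename of the program a Run value launches; honours quoted paths with spaces."""
    cmd = data.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
    else:
        first = cmd.split()[0] if cmd.split() else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def references(reg_text: str, exe_name: str) -> List[Hit]:
    """Autostart values whose command launches exe_name (case-insensitive, any path)."""
    target = exe_name.lower()
    return [hit for hit in autostart_values(reg_text) if command_basename(hit[2]) == target]


if __name__ == "__main__":
    for key, name, data in references(SAMPLE_REG, "wuam.exe"):
        print(f"[{key}]\n  {name} = {data}")
```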
At this point, it should be said that if you didn't already, you should disable System Restore for the time being -- if you do not, the virus will only propagate into that reserved area of the system, and further infect the hard drive once it has been cleaned from the partition. To disable System Restore in Windows XP, do the following:
1)Click Start > Programs > Accessories > Windows Explorer
2)Right-click My Computer, and then click Properties.
3)Click the System Restore tab.
4)Check the "Turn off System Restore" or "Turn off System Restore on all drives"
5)Click Apply. A confirmation window will appear. As noted in the message, this will delete all existing restore points. Click Yes to do this.
6)Click OK.
7)Restart Machine --
To turn on Windows XP System Restore
1)Click Start.
2)Right-click My Computer, and then click Properties.
3)Click the System Restore tab.
4)Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5)Click Apply, and then click OK.
Also to add to my above post I found the following
W32/Rbot-M is a worm which attempts to spread to remote network shares. W32/Rbot-M contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-M spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
When W32/Rbot-M is run it copies itself to the Windows system folder with the filename wuam.exe and deletes the original copy if that filename was wuam.exe.
In order to run automatically when Windows starts up W32/Rbot-M creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Time=wuam.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe.
W32/Rbot-M attempts to contact the host babe.thekiller.biz.
whoops -- just noted that it was 2k Pro...for some reason I was thinking XP -- irregardless, the above notes should be helpful, and a start on the bigger issue here.
ASKER
I don't think Win2000 Pro has System Restore
ASKER
Sorry for the post. I've got a great program called Registry Crawler. I ran it last night and deleted every instance of wuam.exe.
>>I don't think win2000 Pro has system restore<<
You're correct -- it doesn't; that's why I posted my retraction above: Date: 08/08/2004 10:52AM EDT
>>Sorry for the post. I've got a great program called Registry Crawler. I ran it last night and deleted every instance of wuam.exe.<<
Glad to hear you got that straightened out.
Still try running the apps I suggested in safemode...reboot, and post the HT log.
ASKER
Getting ready to shut it down and restart. Until then, here's the entire HT log:
Logfile of HijackThis v1.97.7
Scan saved at 8:17:48 AM, on 8/8/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\mFire Accelerator\mfireaccel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\mFire\dialer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\DOCUME~1\mb\LOCALS~1\Temp\7zOp68B8\shexview.exe
E:\Program Files\Maxthon\Maxthon.exe
D:\Protection\HijackThis\HijackThis.exe
D:\Protection\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\mFire Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINNT\System32\mshelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Registry Crawler] E:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: mFire Accelerator Client.lnk = C:\Program Files\mFire Accelerator\mfireaccel.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\mFire Accelerator\mfireaccel.exe /250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\mFire Accelerator\mfireaccel.exe /227
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\mfirea~1\sliplsp.dll
O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886DBB9-B46F-4A2E-86E8-E5A2296800FF}: NameServer = 209.244.0.3 209.244.0.4
FYI: mfire is an internet accelerator that's been on the system a long time.
I'd remove all of this:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
O13 - DefaultPrefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - WWW Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Home Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O13 - Mosaic Prefix: http://%6C%66%6E%6D%63%6A%77%2E%62%69%7A?u=1526&error=
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886DBB9-B46F-4A2E-86E8-E5A2296800FF}: NameServer = 209.244.0.3 209.244.0.4
Also, make sure you delete all the files out of your recycle bin, and do the following:
go to START>Run
type CMD press enter
when the window opens up make sure you are at C:\ if not use cd.. to get there, and then:
type DEL *.tmp /s [there are spaces between the del and * and also between tmp and /s]
This will delete all temp files on the hard drive -- also, I never noticed, did you run the scans in safe mode?
ASKER
munkyxct----You da man!!!!!!!
I cleared the recycle bin then started in Safe Mode. Ran CWS and Ad-Aware. Instead of perm. deleting the items found in CWS, I sent them to the Recycle Bin so that I could view the contents after normal restart. Ran HT after CWS and A-A and the guilty entries still appeared. Ran CWS again and nothing was found. Ran HT and all the entries were gone. Restarted normally and checked the Recycle Bin. The following files were in the Bin:
mshelper.dll (C:\WINNT\System32)
mtwcnl32.dll (C:\WINNT\System32)
Readme (C:\Program Files\Internet Explorer)
Cleared the Bin and ran the CMD as you stated. Can't delete one File as it's 'in use'. Opened Internet Options and the home page was 'Blank'. Bingo.
Before I give the points, would you briefly explain to me why Safe Mode? I ran CWS, Ad-Aware and HijackThis while running normally but the entries ALWAYS propagated. Why?
>>would you briefly explain to me why Safe Mode?<<
Sure, safe mode is a diagnostic boot sequence built into Windows operating systems -- when you boot into safe mode, only the bare essential items are loaded, meaning only files that Windows needs to start up, nothing else. It is an extremely powerful tool when dealing with adware/spyware because these applications exploit security flaws in the system and make it look like they are system processes; therefore the spyware removal tools cannot remove them, since they look like a system process [which makes it look like the system would become unstable if they were removed], so they are not removed during a scan when the machine is booted normally. When you start in safe mode, these services/processes do not start up, since Windows says 'I don't need these files to boot'; when the spyware removal tool is run, it will recognize the file name or application as not required by Windows, therefore allowing you to remove the files. OK, I hope that better explains 'why safe mode', but more importantly, I'm glad I was able to help get your PC back up and running. Anything else, just ask.
To find out the problematic file, download Sysinternals' Registry Monitor ( http://www.sysinternals.com/ntw2k/source/regmon.shtml ) and set it up to monitor the hijacked registry keys. It will catch the process that causes the key's change.
Likely it will be explorer.exe, since today's spyware installs itself as a shell extension, making the shell itself do the dirty job.
In this case you need to review all the installed shell extensions. Crawling through the registry is one way, but I recommend using this tool: http://www.snapfiles.com/get/shellexview.html