Solved

Browser Hijacker

Posted on 2004-10-12
Last Modified: 2010-04-11
Logfile of HijackThis v1.97.7
Scan saved at 12:26:41 PM, on 10/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\logon.scr
G:\Download\SpywareBlockers\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


It doesn't hijack the page but it fills my adwatch log... Adwatch uses 34-40% of CPU.

I have tried the fixes from the following URL
http://www.experts-exchange.com/Security/Q_21068233.html
the registry name change of windows directory doesn't help... when i change the name back... the appinit_dlls comes back in windows directory
Question by:jibranilyas
14 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 380 total points
ID: 12289583
Hello jibranilyas =)

U are using the old version of hijackthis, so Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantage of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Then Disable ur Messenger Service if it's running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
10. Post Back and Good Luck :)

Author Comment

by:jibranilyas
ID: 12289588
I get many of the following events in my adwatch log

10/12/2004 12:25:12 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Search
Value:SearchAssistant
Data:file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
New Data:
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12289676
yeah jibran, i can understand the problems :)
Try the above suggestion, and post back if u will still have problems =)

PS. I forgot to attach the link for About:Buster >> http://www.atribune.org/downloads/AboutBuster.zip
use this tool also among the above four tools in safemode to get rid of everything they detect :)

Author Comment

by:jibranilyas
ID: 12289854
alrighty i will try that like a good boy..

there has to be one program that takes that out... i wasn't gonna go for the repetition of these programs when i know that the problem is in that REGISTRY key of

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

this one keeps coming back. also, in the hijackthis log... the entries of temp/sp.html keep coming back... even after a second of removal. There are no files in the TEMP directory of the user account or c:/windows/temp. I deleted that from safe mode this morning...

It is just that the registry values keep coming back...

i will post my new log anyway..


Logfile of HijackThis v1.98.2
Scan saved at 12:38:11 PM, on 10/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\logon.scr
G:\Download\SpywareBlockers\hijackthis\HijackThis New.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O21 - SSODL: System - {0BC11B87-82F0-47AF-9029-27DDE1B087AF} - C:\WINDOWS\system32\system32.dll (file missing)

LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12289946
hmmmm i cannot see any entry for AppInit_DLLs in ur LOG,,,, but if u are sure that it has a fake value which is coming back, then here is the way to overcome this problem !!

goto Start>Run>regedit
and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

in the right pane u will find an AppInit_DLLs entry, and when u right click it and choose Modify, under the Value data, u will see the above file !!!!

and what u need is just to remove it from there to get rid of this message !!!!
for this restart ur system in SAFEMODE, login as Administrator if XP, and follow these instructions carefully !!!!!

=====================================================================================
The key to removing this problem is the registry key called

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.

Now that AppInit_DLLs is gone, run the latest Adaware 6 *(and the other tools also)* to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
======================================================================================
ref >> http://www.lavasoftsupport.com/index.php?showtopic=32685

check if u can get rid of its value this way or not ??
LVL 15

Assisted Solution

by:greyknight17
greyknight17 earned 120 total points
ID: 12290221
You will also need to fix the R0/R1 entry.

Please print out or copy this page to Notepad.  Make sure to work through the fixes in the exact order it is mentioned below.  If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.  You should not have any open browsers when you are following the procedures below.

Download FixAgent (http://www.greyknight17.com/spy/FixAgent.zip) and unzip it.  Run FixAgent.exe.  It should fix something.  If nothing is fixed, skip to the next step for the HijackThis fixes.  If something is found, also download home_missing_114 (http://www.greyknight17.com/spy/home_missing_114.zip) and unzip it.  Run the Home winkey missing batch file.  Remember: only do this if FixAgent found something.

1. Download Registrar Lite (http://www.resplendence.com/download/reglite.exe) and install it.
2. Copy and paste the following text into the address bar and hit Go:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
3. Click AppInit_DLLs in the right pane. If the bottom text field named 'Value' contains a .dll file, then this is the hostile hidden file.  Write down the Windows folder path and name of the .dll file.  If it doesn't have anything in the 'Value' field, you may skip this step.
4. Go to the left pane and rename the Windows folder (highlighted as a blue folder) to Windows2.
5. Go to the right pane and double-click AppInit_DLLs and clear the 'Value' field containing the .dll and click Ok. This should remove the .dll file.
6. Go to the left pane and rename Windows2 back to Windows.

Make sure to close any open browsers.  Run a scan in HijackThis.  Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
O21 - SSODL: System - {0BC11B87-82F0-47AF-9029-27DDE1B087AF} - C:\WINDOWS\system32\system32.dll (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\system32.dll

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read the anti-spyware section (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.
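Added example, not code from this thread, from HijackThis or from any tool linked above: a small Python triage that applies the checks SheharyaarSaahil and greyknight17 walk through (R0/R1 search pages redirected to a file in a temp folder, load points whose file is missing, O21 Shell Service Objects outside a small illustrative allowlist, anything loaded from a temp folder) to HijackThis log lines, plus an audit of the AppInit_DLLs value that treats data rendering as blank but non-empty the way the lavasoft post describes. The sample log is constructed from lines quoted in this thread; the KNOWN_SSODL allowlist is an assumption of the example, not a complete list.

```python
import re

# Constructed sample: the R0/R1 and O21 lines quoted in this thread plus two benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tomd\LOCALS~1\Temp\sp.html
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O21 - SSODL: System - {0BC11B87-82F0-47AF-9029-27DDE1B087AF} - C:\WINDOWS\system32\system32.dll (file missing)
"""

# A HijackThis section line: a kind such as R1, O4 or O21, then " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# No legitimate start page, BHO or startup item lives under a temp folder.
TEMP_DIR_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)
# Shell Service Objects that ship with Windows XP. Illustrative allowlist, an assumption here.
KNOWN_SSODL = {"webcheck.dll", "stobject.dll", "shell32.dll"}


def parse_log(text):
    """Return (kind, body) for each section entry; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Return [(entry, reason)] for entries matching the hijack patterns discussed in the thread."""
    findings = []
    for kind, body in parse_log(text):
        entry = f"{kind} - {body}"
        if kind in ("R0", "R1"):
            value = body.split(" = ", 1)[-1]
            if value.lower().startswith("file://") or TEMP_DIR_RE.search(value):
                findings.append((entry, "IE search/start page redirected to a local file in a temp folder"))
                continue
        if "(file missing)" in body:
            findings.append((entry, "load point references a file that no longer exists"))
            continue
        if kind == "O21":
            dll = body.split(" - ")[-1].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_SSODL:
                findings.append((entry, f"Shell Service Object loads an unknown DLL: {dll}"))
                continue
        if TEMP_DIR_RE.search(body):
            findings.append((entry, "executable or DLL loaded from a temp folder"))
    return findings


def audit_appinit(values):
    """Check values read from HKLM\\...\\CurrentVersion\\Windows, passed in as {name: data}.
    AppInit_DLLs is blank by default; any data, including data that only renders as blank
    (the thread's 'may look blank for you, but it is not'), means a DLL is injected into
    every process and should be identified before the value is cleared."""
    data = values.get("AppInit_DLLs", "")
    if data == "":
        return None
    if data.strip(" \t\r\n\x00") == "":
        return "AppInit_DLLs renders blank but holds %d hidden characters" % len(data)
    return "AppInit_DLLs loads: " + data
```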

Author Comment

by:jibranilyas
ID: 12290668
Thanks guys,, i will try all that as soon as i can access that PC..

I can remote into that pc, but can't go to safe mode from my pc..
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12290735
hmmmmm then goto Start>Run>msconfig>Startup
and disable all applications except the Antivirus and Firewall entries
restart and then start cleaning ur system :)

Author Comment

by:jibranilyas
ID: 12291215
No ADS found on system
Removed! : C:\WINDOWS\System32\sqlgg.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!


that was my log of about buster...

took the entries out of hijack this for all sp.html....
removed the AppInit_DLLs entry from registry and restarted computer....

ran hijack this and now those four entries are gone...

On a sidenote...
that appInit asked permission from my adwatch to get in... i hit "BLOCK" but now that i see it in the registry , it is there..
Do you guys think that it is a system entry.... only if there is a DLL in the VALUE field,,,,it creates a problem...????
I hope this is right ...
No matter how many times you change the name of the windows folder, it comes back... If you delete it when the windows folder is named windows2, then it creates a folder called windows and puts itself in it... and then when u try to rename the windows2 folder to windows,,, registry gives you the error saying "windows" already exists.

Anyway, i think i am all set... Thanks guys
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12291265
what is the value,,,, tell me the file name which is inserted in it ?
coz by default its value data is always set as blank !!

Author Comment

by:jibranilyas
ID: 12291881
The value is blank....

and it was blank before about buster found sqlgg.dll
Refreshing the registry would bring that Reg key back...
I didn't have the AppInit_DLL entry in hijackthis since yesterday... so i was wondering if it is a spooky file after all...
I saw the file in my other pc too ...so i guess that is only dangerous if it has a value in it... of a dll file..

No ADS found on system
Removed! : C:\WINDOWS\System32\sqlgg.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12291905
so if its blank then its ok na yaar :)
and what abt ur other problems...... gone or still bugging u ;-)

Author Comment

by:jibranilyas
ID: 12291969
hehe

ya i m happy now....i just can't sleep well if there is even a little of it in my registry..

thankyou for giving me peace :-)
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12291996
>> i just can't sleep well if there is even a little of it in my registry..

hahaha... and i cannot sleep if my computer is all OK and i have no problem to think of !! ;-)
Cheers ^_^