frustrated16

asked on

Another problem - Internet explorer opens on some page - I cannot change the default

In trouble again...

I open Internet Explorer, and the default page it keeps opening on is:
http://win-eto.com/hp.htm?id=31403

I have tried all the usual spyware tools and removed some bugs, but none fix this. I have pasted the HijackThis log below.

It does report the following in the HijackThis log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403

But I cannot find this in the registry, and when I use HijackThis to fix it, it never seems to do it...

Logfile of HijackThis v1.98.2
Scan saved at 11:01:25, on 09/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
d:\Program Files\Nokia\Nokia D211\D211CTL.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\Hummbird\inetd32.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
c:\oracle\bin\agntsrvc.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Novadigm\radexecd.exe
c:\oracle\bin\dbsnmp.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\TNGRCO\RCManClient.exe
C:\WINNT\system32\rcmdsvc.exe
C:\TNGRCO\RCOService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\TNGRCO\rp32u.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\SUSS.EXE
c:\oracle\Apache\jdk\bin\java.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\Tiny Personal Firewall\UmxAgent.exe
C:\Program Files\Tiny Personal Firewall\UmxTray.exe
C:\Program Files\Tiny Personal Firewall\DseCC.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Nokia\Nokia D211\D211STRT.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINNT\system32\dk0puxk8srthd.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SPYWAR~1\PRJSPY~1.EXE
c:\program files\reflection\r2win.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
c:\program files\reflection\r2win.exe
c:\program files\reflection\r2win.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nhldaemn.EXE
C:\WINNT\regedit.exe
C:\Documents and Settings\mf_locadm\Desktop\HijackThis.exe
C:\Program Files\JavaSoft\JRE\1.3.1_13\bin\javaw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\V36O5H~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D211STRT.EXE] "d:\Program Files\Nokia\Nokia D211\D211STRT.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\dk0puxk8srthd.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - Global Startup: Anti-Virus&Spyware.lnk = C:\Program Files\Anti-Virus&Spyware\Anti-Virus&Spyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealDownload.lnk.disabled
O4 - Global Startup: winlogin.exe
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622DD145-7423-4F50-948F-0CFADA9DD9B3}: NameServer = 10.162.21.10,10.162.21.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
O17 - HKLM\System\CS1\Services\Tcpip\..\{622DD145-7423-4F50-948F-0CFADA9DD9B3}: NameServer = 10.162.21.10,10.162.21.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
O17 - HKLM\System\CS2\Services\Tcpip\..\{622DD145-7423-4F50-948F-0CFADA9DD9B3}: NameServer = 10.162.21.10,10.162.21.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
O18 - Protocol: AxrObjrefStream - {78E7CF7E-D9E0-4122-86E9-ED40A7C9E4C8} - C:\Program Files\Actix\Analyzer\Bin\AxrAccessor.dll
O20 - AppInit_DLLs: x6cyyzvifbzsi7dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

SheharyaarSaahil

Post that log at this site >> http://www.hijackthis.de
and it will automatically analyse it for u. Fix the entries which it labels as Nasty :)
To fix, check the lines in the HijackThis scan and click on Fix Checked!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
The main problem is that O20 - AppInit_DLLs: x6cyyzvifbzsi7dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll line!!
If after fixing it with HijackThis it comes back again and again, then plzz post back and i will tell you the method to get rid of it :)
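As an added example (it is not code from this thread, from HijackThis or from hijackthis.de), here is a small Python triage pass over lines copied from the log in the question. It encodes the checks the thread turns on: a non-empty O20 AppInit_DLLs entry (the line the answer above calls the main problem), an R0 start page pointing at a host that is not on an allowlist, a nameless O2 BHO loaded from an 8.3 short path, and an O4 startup item whose file name is one character away from a core Windows process name. The allowlist `TRUSTED_HOSTS`, the process-name list and the severity labels are assumptions made for the example, not HijackThis conventions.

```python
"""Triage a HijackThis log for the entry types discussed in this thread.

Added example; the sample lines are copied from the log in the question.
"""
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted in the question (not constructed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\V36O5H~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\dk0puxk8srthd.exe
O4 - Global Startup: winlogin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - AppInit_DLLs: x6cyyzvifbzsi7dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
"""

# Assumption: hosts the operator accepts as a start/search page. A real deployment
# would load this from policy rather than hard-code it.
TRUSTED_HOSTS = {"www.msn.com", "www.google.com", "intranet.example"}

# Core process names that hijackers imitate with a one-character change.
SYSTEM_PROCESSES = ["winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                    "smss.exe", "csrss.exe", "explorer.exe"]

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'[^\\\s"\[\]]+\.exe', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_process(filename):
    """True when the name is exactly one edit away from a core process name."""
    name = filename.lower()
    return any(name != p and edit_distance(name, p) == 1 for p in SYSTEM_PROCESSES)


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing is notable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            # Every DLL listed here is mapped into each process that loads user32.dll.
            return ("high", f"AppInit_DLLs loads '{value}' into every GUI process")

    if code in ("R0", "R1"):
        # Body reads "HKCU\...\Main,Start Page = http://..."; an empty value is harmless.
        _, _, url = body.partition(" = ")
        host = urlparse(url.strip()).hostname or ""
        if url.strip() and host not in TRUSTED_HOSTS:
            return ("medium", f"browser start/search page points at untrusted host '{host}'")

    if code == "O2" and "(no name)" in body and "~" in body:
        # Legitimate BHOs register a display name; a nameless one behind an 8.3 path is suspect.
        return ("medium", "nameless BHO loaded from an 8.3 short path")

    if code == "O4":
        for exe in EXE_RE.findall(body):
            if looks_like_system_process(exe):
                return ("high", f"startup item '{exe}' imitates a core Windows process name")

    return None


def triage_log(text):
    """Run triage_line over a whole log and collect the findings in log order."""
    findings = []
    for line in text.splitlines():
        result = triage_line(line)
        if result:
            severity, reason = result
            findings.append({"severity": severity, "line": line.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run as-is it reports the four lines the thread is concerned with, with the O20 entry at the top severity; the script is a first pass to decide what to research before ticking anything in Fix Checked, not a replacement for the hijackthis.de analysis the answer recommends.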
frustrated16

ASKER

AppInit_DLLs: x6cyyzvifbzsi7dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll line!!

I tried to fix this in HijackThis but it keeps returning...

Go to Start > Run > regedit
and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

in the right pane u will find a AppInit_DLLs entry, and when u right click it and choose Modify, under the Value data, u will see the above file !!!!

and what u need is just to remove it from there to get rid of this message !!!!
for this restart ur system in SAFEMODE, login as Administrator, and follow these instructions carefully !!!!!

=====================================================================================
The key to removing this problem is the registry key called

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.

Now that AppInit_DLLs is gone, run the latest Adaware 6 *(and the other tools also)* to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
======================================================================================
ref >> http://www.lavasoftsupport.com/index.php?showtopic=32685

The latest version of CoolWebShredder takes care of some versions of the hidden DLL hijacker.

Maybe it's worth a try:

http://majorgeeks.com/download4086.html

Download, install and run (clicking FIX).

Zee

Better try the CWShredder version 2.11, just out:

http://cwshredder.net/bin/CWShredder.exe

Zee
sure Cobol =)
Still having no luck..

I tried the CWShredder but no luck, and the registry key doesn't seem to be there at all to remove.

Any other suggestions?
ASKER CERTIFIED SOLUTION
SheharyaarSaahil