Thread: Hijacked Browser
- 12-31-2003 07:33 PM #1
Hijacked Browser
My parents' browser has been hijacked, and they are completely unable to access their browser or do anything online at all (they are on a dial-up connection). I sent them Hijackthis, they ran it, and read me the results over the phone. :? So here they are, and we've tried our best to make it as accurate as possible, but I can't vouch for every capital letter and slash. I hope it's close enough that you can help us. I am sure they have several viruses as well.
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSPASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\EXPLORER.EXE
C:\WINDOWS\SYSTEM\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES/GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSYTEM\QTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\UPTODATE\EXE
C:\PROGRAM FILES\ clearsearch\loader.exe
C:\PROGRAM FILES\compaq\easy access button support\bttnserv.exe
C:\PROGRAM FILES\intel\intel psncu\cpunumber.exe
C:\PROGRAM FILES\compaq\on-screen display\osd.exe
C:\PROGRAM FILES\microsoft office\winword.exe
C:\WINDOWS\SYSTEM\spoll32.exe
C:\WINDOWS\SYSTEM\ddhlp.exe
C:\WINDOWS\SYSTEM\pstores.exe
C:\WINDOWS\profiles\forsythe family\desktop\hijackthis.exe
R1 - HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER,SEARCHURL = HTTP://SEARCHBAR.FINDTHEWEBSITEYOUNEED.COM/
R1 - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN,SEARCH BAR = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN,SEARCH PAGE = http://search.presario.net/scripts/r.../srchredir.dll c=2c99&lc=0409&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
02 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
02 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
02 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
02 - BHO: Clearsearch - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
Button Support\cpqdeam.exe
04 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
04 - HKLM\..\Run: [LoadQM] loadqm.exe
04 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
04 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
04 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SAHAgent.exe
04 - HKLM\..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -at boot time
04 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
04 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
04 - HKLM\..\Run: [ClrschLoader] \Program Files\ClearSearch\Loader.exe
04 - HKLM\..\Run: [SearchEnhancement] “C:\PROGRAM FILES\SCBAR\V2\SCBAR.EXE” /U
04 - HKLM\..\Run: [winnit] “C:\PROGRA~1\COMMON~Q\ADDRES~1\WINNIT.EXE
04 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
04 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
04 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
04 - HKLM\..\RunServices: [HC Reminder] hc.exe
04 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
04 - HKLM\..\RunServices: [MSDTC] msdtcw -start
04 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.Exe /RUNSERVICES
04 - HKCU\..\Run: [IntelProcNumUtility] “C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe” /nosplash
08 - Extra context menu item: Altavista Home - http://jump.altavista.com/avie5/home
08 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
08 - Extra context menu item: AV Translate This Web Page - http://jump.altavista.com/avie5/search
08 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
08 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
09 - Extra ‘Tools’ menuitem: &AltaVista Home (HKLM)
09 - Extra Button: Translate (HKLM)
09 - Extra ‘Tools’ menuitem: AV &Translate (HKLM)
09 - Extra ‘Tools’ menuitem: &Find Pages Linking to this URL (HKLM)
09 - Extra ‘Tools’ menuitem: Find Other Pages on this &Host (HKLM)
09 - Extra Button: Print Using QuickBooks (HKLM)
010 - Broken Internet access because of LSP provider ‘c:\program files\new.net\new.net4_85.dll’ missing
012 - Plugin four .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
017 - HKLM\System\CCS\Services\VxD\MSTCP Domain = color-country.net
017 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 63.226.125.10
Thanks and Happy New Year!
- 12-31-2003 11:06 PM #2
Am I On the Right Track?
Ok, since I haven't gotten any response yet (I understand it is New Years, after all), I went into the tutorials and learned all I could. As far as I can tell, I need to have Hijackthis fix these items:
R1 - HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER,SEARCHURL = HTTP://SEARCHBAR.FINDTHEWEBSITEYOUNEED.COM/
R1 - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN,SEARCH BAR = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN,SEARCH PAGE = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
02 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
02 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
02 - BHO: Clearsearch - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
04 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
04 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SAHAgent.exe
04 - HKLM\..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -at boot time
04 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe
04 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
04 - HKLM\..\Run: [ClrschLoader] \Program Files\ClearSearch\Loader.exe
04 - HKLM\..\Run: [SearchEnhancement] “C:\PROGRAM FILES\SCBAR\V2\SCBAR.EXE” /U
04 - HKLM\..\Run: [winnt] “C:\PROGRA~1\COMMON~Q\ADDRES~1\WINNT.EXE
04 - HKLM\..\RunServices: [MSDTC] msdtcw -start
08 - Extra context menu item: Altavista Home - http://jump.altavista.com/avie5/home
08 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
08 - Extra context menu item: AV Translate This Web Page - http://jump.altavista.com/avie5/search
08 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
08 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
09 - Extra Button: Translate (HKLM)
09 - Extra ‘Tools’ menuitem: AV &Translate (HKLM)
09 - Extra ‘Tools’ menuitem: &Find Pages Linking to this URL (HKLM)
09 - Extra ‘Tools’ menuitem: Find Other Pages on this &Host (HKLM)
Wow, that looks like a lot.
Then go to either http://www.cexx.org/lspfix.htm or http://security.kolla.de/ to download a program to fix the O10. Right?
I don't plan on doing anything until I hear from you, so let me know if I'm on the right track.
skaterace
- 01-01-2004 10:04 AM #3
Hi
You have put a lot of work into this...it must have taken ages.
This entry tells me that the cause of your problems is that new.net was uninstalled or removed incorrectly from the computer.
010 - Broken Internet access because of LSP provider ‘c:\program files\new.net\new.net4_85.dll’ missing
Make sure you are using hijackthis version 1.97.7; this is important.
Go to control panel, add/remove programs and if there is still an entry there for newdotnet (new net domains) click to uninstall it.
Then close all browser windows - run hijackthis and tick to fix :-
R1 - HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER,SEARCHURL = HTTP://SEARCHBAR.FINDTHEWEBSITEYOUNEED.COM/
R1 - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN,SEARCH BAR = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN,SEARCH PAGE = http://search.presario.net/scripts/r.../srchredir.dll c=2c99&lc=0409&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
02 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
02 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
02 - BHO: Clearsearch - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
Button Support\cpqdeam.exe
04 - HKLM\..\Run: [LoadQM] loadqm.exe
04 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
04 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SAHAgent.exe
04 - HKLM\..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -at boot time
04 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
04 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
04 - HKLM\..\Run: [ClrschLoader] \Program Files\ClearSearch\Loader.exe
04 - HKLM\..\Run: [SearchEnhancement] “C:\PROGRAM FILES\SCBAR\V2\SCBAR.EXE” /U
04 - HKLM\..\Run: [winnEt] “C:\PROGRA~1\COMMON~Q\ADDRES~1\WINNeT.EXE
010 - Broken Internet access because of LSP provider ‘c:\program files\new.net\new.net4_85.dll’ missing
Reboot then find and delete :-
C:\WINDOWS\System\SahAgent.exe -- file
C:\WINDOWS\UPTODATE.EXE -- file
C:\Program Files\ClearSearch\Loader.exe -- folder
C:\PROGRAM FILES\SCBAR -- folder
C:\Program Files\CommonName - folder
Then download and run this :-
http://www.cexx.org/lspfix.htm
Which is pretty close to what you had already
:wink:
Then hopefully you will be able to access the net and copy and paste a new log, just to make sure it's clean
steam
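One way to turn the triage in the reply above into a repeatable check, as an added example (not a tool from the thread or from HijackThis): a short Python script that parses HijackThis-style log lines and flags the entry types discussed in the thread (R1 search settings pointing at hijack hosts, the orphaned R3 hook, unnamed or known-bad O2 BHOs, O4 autostarts for the named components, and the O10 broken-LSP line). The host and file-name lists are assumptions built from the entries steam told skaterace to fix, and the sample log is constructed from lines quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Hijack components named in the thread (constructed from the entries steam told
# skaterace to fix); extend these lists for your own environment.
BAD_HOSTS = {"searchbar.findthewebsiteyouneed.com", "server224.smartbotpro.net",
             "search.presario.net"}
BAD_MARKERS = ("STLBDIST.DLL", "BI.DLL", "IE_CLRSCH.DLL", "SAHAGENT.EXE", "UPTODATE.EXE",
               "CLEARSEARCH", "SCBAR", "WINNIT.EXE", "NEW.NET")
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def triage(log_text: str) -> list:
    """Return (section, action, reason, line) tuples for HijackThis-style lines
    that need attention; action is "fix" (tick it / repair) or "verify"."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # process list, header lines, chatter
        sec, body = m.group("sec"), m.group("body")
        upper = body.upper()
        if sec.startswith("R"):           # R0/R1: IE start/search pages; R3: URLSearchHook
            _, sep, url = body.partition(" = ")
            host = urlsplit(url.strip().lower()).hostname if sep else None
            if host in BAD_HOSTS:
                findings.append((sec, "fix", f"search setting points at {host}", raw))
            elif sec == "R3" and "(NO FILE)" in upper:
                findings.append((sec, "fix", "orphaned URLSearchHook", raw))
        elif sec == "O2":                 # Browser Helper Objects
            # A "(file missing)" BHO loads nothing, so only unnamed BHOs whose DLL is
            # present, or DLLs on the marker list, are flagged.
            if any(k in upper for k in BAD_MARKERS) or (
                    "(NO NAME)" in upper and "(FILE MISSING)" not in upper):
                findings.append((sec, "fix", "unnamed or known-bad BHO", raw))
        elif sec == "O4" and any(k in upper for k in BAD_MARKERS):
            findings.append((sec, "fix", "autostart entry for a hijack component", raw))
        elif sec == "O10":
            # Broken Winsock LSP chain. The thread's order: uninstall the product via
            # Add/Remove Programs first, then repair the chain with LSP-Fix.
            findings.append((sec, "fix", "broken LSP chain: repair with LSP-Fix", raw))
        elif sec == "O17":
            findings.append((sec, "verify", "DNS/domain override: confirm it is the ISP's", raw))
    return findings

# Constructed sample: entries quoted in the thread, with HijackThis's real O-prefixes.
SAMPLE_LOG = r"""
R1 - HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN,SEARCH BAR = http://server224.smartbotpro.net/7search/?hklm
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SAHAgent.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\new.net\new.net4_85.dll' missing
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 63.226.125.10
""".strip()
```

Running `triage(SAMPLE_LOG)` yields five "fix" entries and one "verify" entry; the AVG autostart and the orphaned Acrobat BHO are left alone, as steam's list did.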
- 01-01-2004 02:56 PM #4
continuing problems
OK, here's the scoop. I asked Hijackthis to fix the things you listed, and the computer said the program had performed an illegal operation and had to be shut down. All of the things I asked it to fix were then moved to the desktop. I deleted them all (I hope that was the right thing to do), and restarted the computer. I went looking for the files you told me to delete, but two of them weren't there, even when I looked at hidden files. They were the C:\WINDOWS\System\SahAgent.exe and the C:\Program Files\CommonName folder.
The browser is still not functioning at all.
During setup, the computer says that this file is missing: C:\Progra~1\Carbon~1\ccw32.vxd . We tell it to continue anyway, and it does.
Also, when trying to connect to the internet, a pre-dial screen comes up that asks for a username and password. This wasn't there before all the trouble started. If you just tell it to go on without the username and password then it will, but the browser won't work.
I haven't been able to get online to download the lspfix program yet.
Here's the new log:
Logfile of HijackThis v1.97.7
Scan saved at 12:35:10 PM, on 1/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\PROFILES\FORSYTHE FAMILY\DESKTOP\HIJACKTHIS.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O10 - Broken Internet access because of LSP provider 'c:\windows\system\inetadpt.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = color-country.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 63.226.125.10
The old O10 is gone, but now there's a new one. I hope I haven't accidentally deleted something I shouldn't. Thanks for all your help.
skaterace
- 01-01-2004 03:02 PM #5
AD-Aware?
Hi, I went and downloaded the lspfix program and saw this warning:
There is a known issue with using this software in combination with obsolete versions of Lavasoft's popular AD-Aware utility. A known issue in some versions of AD-Aware results in improper removal of pests such as New.Net, CommonName, and WebHancer, resulting in lost Internet access. If LSP-Fix is used subsequently to repair these errors, the system may begin exhibiting crashes in MSAFD.DLL and/or RPCSS.
I know that they do use Lavasoft's AD-Aware, and that's probably where the newnet file went. Should I have them uninstall AD-Aware?
Will running this lspfix program cause more problems since they've been using AD-Aware?
So many questions, so little time.
Thanks!
skaterace
- 01-01-2004 03:24 PM #6
update
I went to a friend's house and downloaded the lspfix program onto a disk, came back and uninstalled AD-Aware (they can always re-install it later, right?), then ran the lspfix program, and now the browser works! HOORAY!
There is still a Pre-Dial Terminal Screen that comes up which I'm sure is not supposed to be there. All the O10 entries are gone from the log.
Thanks SO much for your help!
skaterace
- 01-01-2004 03:51 PM #7
Hi skaterace
As I read your posts above, my eyes were getting wider and wider.....I've never heard of most of that happening before.
Thousands of computers lost internet access when removing Newnet with the old version of adaware....because Newnet had mutated and adaware did not update to the changes...but that was the old version
The new version has been out for about 8 months now and should be updated to the new reference files each time before using.
I still think it is safer to uninstall newnet from the control panel first, before running any cleaning programs, otherwise bang goes your internet connection (sometimes)
I prefer spybot to adaware.....some people use both.
spybot........ http://security.kolla.de/
Sounds like you sorted it out well - well done
I am sorry but I have no suggestions about the "Pre-Dial Terminal Screen"
steam
- 01-01-2004 09:00 PM #8 Help2Go Moderator
You can fix the "Pre-Dial Terminal" Screen by using the following steps, but before you can start working, you need to know the name of the connection that you use to get online
1. Click Start->Programs->Accessories->Communication-> Dial up Networking.
2. Look for your connection here that you use to dial out to the internet.
3. Right click on it and select properties.
4. Click on the configure button at the bottom of the window.
5. Select the options tab from the top on the new window that comes up.
6. Uncheck the box that says "Bring up Terminal Window Before Dialing" and hit ok.
7. Hit ok on this window as well and close the dial up networking windows.
8. Try to dial out again. You shouldn't be getting the same problem now.
Take control of your life. Leave others to control their own.
- 01-02-2004 06:52 AM #9
Hey whoozhe
Never knew that box was there :wink:
steam
- 01-02-2004 09:10 PM #10 Help2Go Moderator
Just another one of those "Buried Deep" Microsoft switches.
I wonder if Gatesville has 50 sub basement floors?
Take control of your life. Leave others to control their own.